How To Install Azure Active Directory Pass-Through Authentication (PTA)

In this article, we will see how to install Azure AD Pass-through Authentication (PTA) along with Seamless Single Sign-on (SSSO).

Please check out this article for an overview of Azure AD Pass-Through Authentication.

What is required to configure Pass-through Authentication:

  1. One Windows Server machine running Server 2012 R2 or Server 2016
  2. Internet connectivity from the server machine
  3. If the network uses a proxy for internet connectivity, the server should be given bypass access to the internet
  4. The Microsoft PTA DNS namespaces *.msappproxy.net and *.servicebus.windows.net should be whitelisted in the proxy, if a proxy is configured. If the proxy cannot whitelist URLs, you need to whitelist the Azure Datacenter IP ranges instead
  5. The Microsoft URLs mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www.microsoft.com:80 should be whitelisted for certificate validation and revocation checking of Microsoft products and applications
  6. Outbound traffic on port 443 and port 80 towards Azure AD should be allowed. These are generic ports and are usually not blocked by default; if your firewall does block them, the authentication agent (the server on which the pass-through package is installed) needs to be allowed through
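
Before running the installer, it is worth checking the prerequisites above from the server that will host the authentication agent. The following PowerShell script is an added example and is not part of the original article; it checks the OS version, the WinHTTP proxy configuration, and TCP reachability of the CRL/OCSP hosts listed above. The hostnames on port 80 come from the prerequisites list; login.microsoftonline.com is an assumed Azure AD endpoint used only to probe outbound 443.

```powershell
# Added example (not from the original article): pre-flight check for a PTA agent server.
# Run in an elevated PowerShell session on the server that will host the agent.

$Endpoints = @(
    @{ Host = 'mscrl.microsoft.com';       Port = 80  },
    @{ Host = 'crl.microsoft.com';         Port = 80  },
    @{ Host = 'ocsp.msocsp.com';           Port = 80  },
    @{ Host = 'www.microsoft.com';         Port = 80  },
    @{ Host = 'login.microsoftonline.com'; Port = 443 }   # assumption: Azure AD sign-in endpoint, used only to test 443
)

function Test-PtaPrerequisites {
    [CmdletBinding()]
    param()

    $results = @()

    # 1. OS check: the article requires Server 2012 R2 or Server 2016
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $results += [pscustomobject]@{
        Check  = 'Operating system'
        Target = $os
        Pass   = ($os -match 'Server 2012 R2|Server 2016')
    }

    # 2. WinHTTP proxy: either no proxy at all, or the PTA namespaces are on the bypass list
    $proxy = (netsh winhttp show proxy) -join ' '
    $results += [pscustomobject]@{
        Check  = 'WinHTTP proxy'
        Target = $proxy.Trim()
        Pass   = ($proxy -match 'Direct access') -or
                 ($proxy -match 'msappproxy\.net' -and $proxy -match 'servicebus\.windows\.net')
    }

    # 3. TCP reachability of the certificate-validation hosts (80) and Azure AD (443)
    foreach ($e in $Endpoints) {
        $tnc = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "TCP $($e.Port)"
            Target = $e.Host
            Pass   = $tnc.TcpTestSucceeded
        }
    }

    return $results
}

$report = Test-PtaPrerequisites
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'One or more prerequisites failed; fix them before installing the authentication agent.'
}
```

The wildcard namespaces *.msappproxy.net and *.servicebus.windows.net cannot be probed directly because the exact hostnames are only known once the agent registers, so the script checks them on the proxy bypass list instead of by connection test.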

Once the above prerequisites are in place, follow the steps below to configure PTA.

Note

In the installation steps below, Seamless Single Sign-on (SSSO) is also selected so that the full feature set is configured for the best sign-on experience for corporate intranet users. If you do not want SSSO configured, you can uncheck the SSSO options.

Log in to portal.azure.com -> Azure Active Directory (Azure AD) -> Azure AD Connect.

By default, Pass-through Authentication will be in the Disabled state.

Click on Pass-through Authentication.

Check the Verify Your Configuration section, which lists the mandatory items required before you can continue with the installation.

As per the note provided by Microsoft, the PTA configuration will impact all managed domains in your tenant. Once validated, click on Download & Install Additional Pass-Through Authentication Connector(s).

You can find the Windows Installer package in your Downloads folder, or in the path you chose when saving the file.

Click on Install.

On the Welcome page, check the I agree option and click on Continue.

Click on Customize. The default Express Settings option does not include PTA; it enables only directory synchronization.

Select Use an existing service account, enter the service account or domain account from your on-premises directory, and click on Install. You can specify custom sync groups if your domains require them.

Now you can see the user sign-in methods supported by Microsoft for Office 365 and Azure workloads.

Select Pass-through authentication and Enable single sign-on, and click on Next.

You can see the recommendation regarding the cloud-only global administrator requirement. Click on Next.

Enter the credentials of a Global administrator of the tenant and click on Next.

By default, a cloud-only Global administrator will have a UPN of the form name@domainname.onmicrosoft.com.

Click on Add directory and add the domains and forest to sync.

Once the Active Directory domains have been selected, click Next.

You can keep the username selection as userPrincipalName (UPN) and click on Next.

If you do not want to use UPN, you can select another attribute as the username for the login process, based on your organization's requirements. UPN is generally the best choice, as it is used across all applications and services.

In Domain and OU filtering, you can customize what is synced to the cloud.

In my case, I have grouped all the users in a single OU and selected that particular OU, to avoid polluting Azure Active Directory.

Select the defaults and click on Next.

Select Synchronize all users and devices and click on Next.

Uncheck the Password Synchronization option, as we are going to use PTA for authentication.

Enter the on-premises Domain administrator credentials to enable single sign-on and click on Next.

Select Start the synchronization process when configuration completes and click on Install to begin the installation. You can choose the sync options according to your requirements.

The configuration has been completed successfully.

How to validate Pass-through authentication configuration

To verify what we installed, click on the Azure AD Connect icon.

Click on Configure.

Select View current configuration and click on Next.

On the review page, you can see what has been configured on the Azure AD Connect server.

Now you can see that the full sync has been initiated and completed. The full sync takes time depending on your forest/domain size and the attributes selected to sync to the cloud.

In the Azure Portal, you can now see that both Seamless single sign-on and Pass-through authentication show the status Enabled.

You can validate the Authentication agent status in the agents panel.

In the on-premises directory, you can see that an Azure AD computer object has been created. It is a placeholder object used for Pass-through authentication.
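
The same validation can be scripted on the Azure AD Connect server, which is useful for a post-install checklist or a scheduled health check. The following PowerShell script is an added example and is not part of the original article. It assumes the PTA agent's Windows service is named AzureADConnectAuthenticationAgent and that the on-premises computer object the wizard creates has a name starting with AZUREAD; both are parameters you can override. It uses the ADSync module shipped with Azure AD Connect and the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article): post-install validation of the
# PTA / Azure AD Connect deployment. Assumed names are exposed as parameters.
Import-Module ADSync           # installed with Azure AD Connect
Import-Module ActiveDirectory  # RSAT, needed for the computer-object check

function Test-PtaDeployment {
    [CmdletBinding()]
    param(
        # Assumption: Windows service name of the PTA authentication agent
        [string]$AgentServiceName = 'AzureADConnectAuthenticationAgent',
        # Assumption: name pattern of the computer object the wizard creates on-premises
        [string]$ComputerNamePattern = 'AZUREAD*'
    )

    $checks = @()

    # 1. The agent service must be running, otherwise PTA sign-ins fail
    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'PTA agent service'
        Detail = $(if ($svc) { $svc.Status } else { 'not installed' })
        Pass   = [bool]($svc -and $svc.Status -eq 'Running')
    }

    # 2. The sync scheduler should be enabled, matching the wizard option
    #    "Start the synchronization process when configuration completes"
    $sched = Get-ADSyncScheduler
    $checks += [pscustomobject]@{
        Check  = 'Sync scheduler'
        Detail = "Enabled=$($sched.SyncCycleEnabled) Next=$($sched.NextSyncCycleStartTimeInUTC)"
        Pass   = [bool]$sched.SyncCycleEnabled
    }

    # 3. No sync run should be stuck; an empty result means nothing is running
    $running = Get-ADSyncConnectorRunStatus
    $checks += [pscustomobject]@{
        Check  = 'Sync run in progress'
        Detail = $(if ($running) { ($running.ConnectorName -join ', ') } else { 'idle' })
        Pass   = $true   # informational only
    }

    # 4. The on-premises computer object the wizard created should exist
    $comp = Get-ADComputer -Filter "Name -like '$ComputerNamePattern'" -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'On-prem computer object'
        Detail = $(if ($comp) { ($comp.Name -join ', ') } else { 'not found' })
        Pass   = [bool]$comp
    }

    return $checks
}

Test-PtaDeployment | Format-Table -AutoSize
```

If the agent service is present but stopped, PTA sign-ins for the tenant will fail while the portal still shows the feature as Enabled, so the service state is the check to alert on in monitoring.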

Please check out this article for an overview of Azure AD Pass-Through Authentication.
