Azure AD/Office 365 seamless sign-in



Azure AD/Office 365 seamless sign-inPart 7 – Understand and implement PTA and seamless SSO Microsoft FrancePublished: January 2017Version: 1.0Authors: Philippe BeraudContributors/Reviewers: Daniel Pasquier (Microsoft France), Philippe Maurent (Microsoft Corporation) For the latest information on Azure Active Directory, please see ? 2017 Microsoft Corporation. All rights reserved.Abstract: Azure AD pass-through authentication (PTA) provides a simple solution for having password validation for Azure AD/Office 365 performed against the organization’s Active Directory infrastructure, without the need for complex network infrastructure or for the on-premises passwords to exist in the cloud in any form. Moreover, the seamless single sign-on (SSO) feature allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization’s corporate network.In addition to the first part, which is intended to provide a better understanding of the multiple seamless sign-in deployment options provided by Azure AD/Office 365, this document more specifically discusses how to enable PTA and seamless SSO using corporate Active Directory credentials to access Azure AD/Office 365, and the different configuration elements to be aware of for such deployment, this document provides a complete end-to-end walkthrough to rollout a fully operational configuration in Azure.By following the steps outlined in this document you should be able to successfully configure your environment to deploy the PTA and seamless SSO features, and start using it within your organization to provide a seamless sign-in experience for end-users accessing Azure AD/Office 365 resources.Table of Contents TOC \o "1-2" \h \z \u Introduction PAGEREF _Toc473535820 \h 1Objectives of this paper PAGEREF _Toc473535821 \h 1Non-objectives of this paper PAGEREF _Toc473535822 \h 1Organization of this paper PAGEREF _Toc473535823 \h 2About the audience PAGEREF _Toc473535824 \h 2Setting up the base configuration test lab PAGEREF _Toc473535825 \h 3Deploying the LAPTOP1 computer in the test lab environment PAGEREF _Toc473535826 \h 4Joining the LAPTOP1 computer to the LITWARE369 domain PAGEREF _Toc473535827 \h 4Accessing the various machines of the test lab environment PAGEREF _Toc473535828 \h 4Setting up PTA and seamless SSO with the Azure AD/Office 365 tenant PAGEREF _Toc473535829 \h 5Downloading Azure AD Connect PAGEREF _Toc473535830 \h 6Executing Azure AD Connect and installing the first instance of the PTA connector PAGEREF _Toc473535831 \h 7Configuring additional tasks PAGEREF _Toc473535832 \h 17Setting up a second instance of the connector for PTA PAGEREF _Toc473535833 \h 18Configuring the seamless single sign-on (SSO) in the LITWARE369 domain PAGEREF _Toc473535834 \h 19Verifying the synchronization on the Azure AD/Office 365 tenant PAGEREF _Toc473535835 \h 22Verifying the pass-through authentication (PTA) with the Azure AD/Office 365 tenant PAGEREF _Toc473535836 \h 23Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant PAGEREF _Toc473535837 \h 24Troubleshooting the configuration PAGEREF _Toc473535838 \h 24Understanding PTA and seamless SSO PAGEREF _Toc473535839 \h 28Understanding PTA PAGEREF _Toc473535840 \h 28Understanding seamless SSO PAGEREF _Toc473535841 \h 29Monitoring your on-premises deployment (Optional) PAGEREF _Toc473535842 \h 31Getting started with the Azure AD Connect Health service PAGEREF _Toc473535843 \h 31Configuring Azure AD Connect Health for Sync PAGEREF _Toc473535844 \h 33Configuring Azure AD Connect Health for AD DS PAGEREF _Toc473535845 \h 34Using the Azure AD Connect Health service PAGEREF _Toc473535846 \h 37IntroductionMicrosoft Office 365 provides secure anywhere access to professional email, shared calendars, instant messaging (IM), video conferencing, document collaboration, etc. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.Azure Active Directory (Azure AD) is the directory behind Office 365 used to store user identities and other tenant properties.?Just like the on-premises Active Directory stores the information for Exchange, SharePoint, Lync and your custom Line of Business (LOB) apps, Azure AD stores the information for Exchange Online, SharePoint Online, Skype for Business Online, etc., and any custom applications built in the Microsoft’s cloud.Through the pass-through authentication (PTA) feature, Azure AD provides organizations with the ability to directly authenticate against the organization’s Active Directory, allowing their users to use their corporate credentials to access Azure AD/Office 365 and the services that they have been provisioned for, and without the need for complex network infrastructure such as the one required by AD FS (see Part 3, Part 4(bis), and Part 5) or for the on-premises passwords to exist in the cloud in any form (see Part 6 of this whitepaper for the password hash synchronization (PHS) feature).Important notePTA does NOT support organizations using Alternate Login IDs. For more information on Alternate Login IDs, see article Configuring Alternate Login ID.In addition, the seamless single sign-on (SSO) feature allows end-users to only need to type their username and not their password to sign in to Azure AD/Office 365 or other cloud apps and services when they are on their corporate machines and connected on the organization’s corporate network.NoteFor more information, see blog post Introducing #AzureAD Pass-Through Authentication and Seamless Single Sign-on.Objectives of this paperThis document complements Part 1 and Part 2 of this whitepaper by providing an end-to-end walkthrough to rollout a working PTA and seamless SSO configuration for Azure AD/Office 365. Non-objectives of this paperIt doesn’t provide an understanding of the different seamless sign-in deployment options with Azure AD/Office 365. This is specifically the intent of the aforementioned first part that covers all the key aspects the readers should understand to successfully achieve seamless sign-in with Azure AD/Office 365 for their anization of this paperTo cover the aforementioned objectives, this document is organized in the following 4 sections: REF _Ref471311815 \h \* MERGEFORMAT Setting up the base configuration test lab. REF _Ref471721224 \h \* MERGEFORMAT Setting up PTA and seamless SSO with the Azure AD/Office 365 tenant. REF _Ref471722917 \h \* MERGEFORMAT Understanding PTA and seamless SSO. REF _Ref471573068 \h \* MERGEFORMAT Monitoring your on-premises deployment (Optional).These sections provide the information details necessary to (hopefully) successfully build a working environment for the scenario. They must be followed in order.About the audienceThis document is thus intended for system architects and IT professionals who are interested in understanding the PTA and seamless SSO features of Azure AD/Office 365 from a hand-practice perspective.Setting up the base configuration test labBy following the instructions outlined hereafter, you should be able to successfully prepare your on-premises test lab environment based on virtual machines (VMs) running in Azure to later deploy and configure the test environment, install and configure it.In order to complete the document’s walkthrough, you need an environment that consists of the following components for the Azure-based test lab infrastructure:Two computers running Windows Server 2012 R2 (named DC1 respectively DC2 by default) that will be configured as a domain controller with a test user and group accounts, and Domain Name System (DNS) servers. DC1 will host Azure AD Connect for the sync between the Azure-based test lab infrastructure and the Azure AD/Office 365 subscription.,One intranet computer running Windows 8.1 (named LAPTOP1).If you’ve already followed the walkthrough of Part 2, the DC1 and DC2 computers that pertain to the Azure-based test lab infrastructure should already be in place. If you haven’t yet conducted this rollout, this is the time to do so. The rest of this document makes the assumption that such an evaluation environment is in place. You don’t need the ADFS1, ADFS2, WAP1, and WAP2 computers that are part of this lab environment. You can leave them turned off for the rest of this document.The above Azure VMs will enable you to:Connect to the Internet to install updates, and access Internet resources in real time. Later configure them with Azure AD Connect to finally get a relevant Azure-based test infrastructure.Remotely managed those using a Point-to-Site (P2S) connection and then Remote Desktop (RDP) connections by your computer that is connected to the Internet or your organization network.NoteYou must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.Create snapshots so that you can easily return to a desired configuration for further learning and experimentation.For illustration purposes, we’ve opted to configure the domain (LITWARE369). You will have to choose in lieu of a domain name of yours. For checking purpose, you can for instance use the domain search capability provided by several popular domain name registrars. Whenever a reference to is made in a procedure, it has to be replaced by the DNS domain name of your choice to reflect accordingly the change in naming. Likewise, any reference to LITWARE369 should be substituted by the NETBIOS domain name of your choice.For the sake of simplicity, the same password "Pass@word1!?" is used throughout the procedures detailed in this document. This is neither mandatory nor recommended in a real-world scenario.To perform all the tasks in this guide, we will use the local administrator account AzureAdmin or alternatively the LITWARE369 domain administrator account AzureAdmin for each VM, unless instructed otherwise.Deploying the LAPTOP1 computer in the test lab environmentSee eponym section in Part 6 of this whitepaper.Joining the LAPTOP1 computer to the LITWARE369 domainSee eponym section in Part 6 of this whitepaper.Accessing the various machines of the test lab environmentSee eponym section in Part 2 of this whitepaper.Setting up PTA and seamless SSO with the Azure AD/Office 365 tenantThis section provides a walkthrough on how to setup pass-through authentication (PTA) and seamless single sign-on (SSO) between the on-premises Active Directory (e.g. ) and the Azure AD/Office 365 tenant (e.g. litware369.) to offer a seamless user experience to access cloud resources, for example an Office 365 Enterprise E3 subscription in our configuration.For the sake of simplicity, and to set up the directory synchronization and the password hash synchronization between the on-premises infrastructure of our test lab environment in Azure and the litware369. tenant in the cloud, we will leverage the single and unified wizard Azure Active Directory Connect (Azure AD Connect).Azure AD Connect indeed provides a single and unified wizard that streamlines the overall onboarding process for both directory synchronization (single or multiple directories) AND single sign-on if you want to, and thus that automatically performs the following steps: download and setup of all the pre-requisites, download, setup and guided configuration of the synchronization engine, activation of the synchronization in the Azure AD tenant, setup, and/or configuration of AD FS, etc.Azure AD Connect is the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.NoteFor more information, see articles Integrating your on-premises identities with Azure Active Directory.In the context of this part, Azure AD Connect is the delivery mechanism to install Azure AD Application Proxy which PTA uses. The Azure AD Application Proxy connector will be installed on the Azure AD Connect computer and will be registered to handle pass-through authentication traffic.Important NoteThe Azure AD Application Proxy installed with Azure AD Connect will only work with Azure AD Connect, Azure AD Application Proxy connectors should be hosted on other servers.This section walks you through the use of the single wizard Azure AD Connect on the DC1 computer to fully configure the Azure-based infrastructure from an identity perspective and establish the identity bridge between it and your Azure AD/Office 365 subscription. It comprises the following eight steps: REF _Ref376247961 \h Downloading Azure AD Connect. REF _Ref473447715 \h Executing Azure AD Connect and installing the first instance of the PTA connector. REF _Ref421629948 \h Configuring additional tasks. REF _Ref471578220 \h \* MERGEFORMAT Deploying and configuring a second instance of the connector for PTA. REF _Ref471577575 \h Configuring the seamless single sign-on in the LITWARE369 domain REF _Ref376248629 \h Verifying the synchronization on the Azure AD/Office 365 tenant. REF _Ref375659149 \h Verifying the simple sign-on with the Azure AD/Office 365 tenant. REF _Ref471577599 \h Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant.The following subsections describe each of these steps in the context of our test lab environment.Downloading Azure AD ConnectAzure AD Connect is a single wizard that performs all the steps you would otherwise have to do manually to connect your Active Directory (and local directories if any) to Azure AD. Azure AD Connect will:Install pre-requisites like the Azure Active Directory Module for Windows PowerShell (64-bit version) and Microsoft Online Services Sign-In Assistant. NoteThe?Azure Active Directory PowerShell Module?is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see article Microsoft Azure Active Directory PowerShell Module Version Release History.Install and configure the sync engine, and enable directory synchronization in the customer's Azure tenant.Configures either password sync (w/ optional seamless single sign-on), path-through authentication (w/ optional seamless single sign-on), or AD FS, depending on which sign-on option the customer prefers, and includes any required configuration in Azure.Verifies everything is working.Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. Azure AD Connect is replacing DirSync and Azure AD Sync and these two older sync engines are deprecated from April 13, 2016 reaching end of support April 13,2017.? NoteFor additional information, see article Upgrade Windows Azure Active Directory Sync (“DirSync”) and Azure Active Directory Sync (“Azure AD Sync”).To download the latest version of Azure AD Connect (e.g. version 1.1.380.0 at the time of this writing), proceed with the following steps:Open a remote desktop connection on the DC1 computer. Follow the instructions as per section § REF _Ref471576854 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with “Pass@word1!?” as password.Open a browsing session and navigate to:. Click Download to download the Azure AD Connect MSI file (AzureADConnect.msi).Click Save.Executing Azure AD Connect and installing the first instance of the PTA connectorBefore executing Azure AD Connect, you must know the credentials:A domain account that is local administrator on the aforementioned computers.Active Directory enterprise administrator credentials.Azure AD tenant global administrator credentials.If you’ve followed in order all the steps outlined before, all the above prerequisites should be enforced at this stage. So you should be good to go.To execute Azure AD Connect and configure your identity infrastructure, proceed with the following steps:Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § REF _Ref471576854 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?” as password.Run AzureADConnect.msi to launch the wizard.On the Welcome to Azure AD Connect page, check I agree to the license terms and privacy notice and click Continue.On the Express Settings page, click Customize. On the Install required components page, review the information, select any optional configuration that you require, although it’s okay to leave these unselected, and click Install.On the User sign-in page, select Pass-through authentication.Select Enable single sign on.Click Next.On the Connect to Azure AD page, enter your global admin Azure AD credentials when prompted.Username: admin@litware369.Password: Pass@word1!?Click Next.On the Connect your directories page, select your local active directory and enter AD credentials.Username: LIWARE369\AzureAdminPassword: Pass@word1!?Click Add Directory.Click Next.On the Azure AD sign-in configuration page, leave USER PRINCIPAL NAME as is, i.e. userPrincipalName selected, and click Next.On the Domain and OU filtering page, leave Sync all domains and OUs selected, and click Next.On the Uniquely identifying your users page, leave Users are represented only once across all directories selected, leave SOURCE ANCHOR as is, i.e. objectGUID selected, and click Next.On the Filter users and devices page, leave Synchronize all users and devices selected, and then click Next.On the Optional features page, select any additional features that you need, although it’s okay to leave these unselected, and then click Next.On the Enable single sign on page, click Enter domain administrator credentials. A Windows Security dialog pops up.Enter AD credentials, and then click OK.Username: AzureAdminPassword: Pass@word1!?,Click Next.On the Ready to configure page, leave checked Start the synchronization process as soon as the configuration completes for starting the synchronization process.NoteYou may assume the synchronization process will automatically start at a later time if the check mark is removed. This is not correct as you will need to enable the task in Scheduled Tasks on the server where the synchronization tool is installed. After the task is enabled, synchronization occurs every 30 minutes by default.Click Install. When installation completes, verify the installation.NoteLogs regarding the Azure AD Connect installation can be found in the %LocalAppData%\AADCONNECT folder. Likewise, issues with the Azure AD App Proxy connector installation are exposed in the Event Viewer log under “Application and Service Logs\Microsoft\AadApplicationProxy\Connector\Admin”.Click Exit.Configuring additional tasksYou may wish to add scale or refine your options right away, or after some time has passed. To configure additional task, proceed with the following steps:Whilst still being connected on the DC1 computer, launch the wizard again using the Start page or the desktop icon called Azure AD Connect. Click Configure.The Optional features page lists the tasks that are relevant to your configuration. Select the relevant task to your configuration you’d like to conduct, click Next, and follow the instructions. Once completed, click Exit.Let’s see how to verify the synchronization on the Azure AD/Office 365 tenant.Setting up a second instance of the connector for PTAA second connector can be installed for high availability purposes. This comprises the following steps: REF _Ref471721694 \h Downloading the connector for PTA. REF _Ref471578463 \h Installing and configuring the connector for PTA.NoteFor more information, see article What is Azure AD Pass-through Authentication.Note A second connector can be installed for high availability purposesDownloading the connector for PTATo download the connector for PTA, proceed with the following steps:Open a remote desktop connection on the DC2 computer. Follow the instructions as per section § REF _Ref471576854 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.102" for the DC2 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with “Pass@word1!?” as password.Open a browsing session and download the latest version of the connector from: Click Download to download the Azure AD Application Proxy Connector MSI file (AADApplicationProxyConnectorInstaller.msi).Open an elevated Command prompt.Run the following command:PS C:\> AADApplicationProxyConnectorInstaller.exe REGISTERCONNECTOR="false" /qInstalling and configuring the connector for PTATo install and configure the connector for PTA, proceed with the following steps:Open an elevated Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt, navigate to C:\Program Files\Microsoft AAD App Proxy Connector.Run the following script:PS C:\> .\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft AAD App Proxy Connector\Modules\" -moduleName "AppProxyPSModule" -Feature PassthroughAuthenticationWhen prompted, enter the credentials of your global admin Azure AD credentials:Username: admin@litware369.Password: Pass@word1!?NoteAs already outlined, issues with the Azure AD App Proxy connector installation are exposed in the Event Viewer log under “Application and Service Logs\Microsoft\AadApplicationProxy\Connector\Admin”.Configuring the seamless single sign-on (SSO) in the LITWARE369 domainSeamless single sign-on (SSO) is an option that can be enabled in Azure AD Connect with either password (hash of) hash synchronization (PHS) (see Part 6 of this paper) or pass-through authentication (PTA). When enabled, users only need type their username and do not need not to type their password to sign in to Azure AD or other cloud services when they are on their corporate machines and connected on the corporate network.For users to use seamless SSO in your environment, you need to ensure that they are:On a domain joined computer.Have a direct connection to a domain controller, for example on the corporate wired or wireless network or via a remote access connection such as a VPN connection. This role is played by the LAPTOP1 computer that you’ve previously provisioned on the test lab environment.Define the Kerberos end-points in the cloud as part of the browsers’ Intranet zone.If any of the above items are not present, such as the computer is off the corporate network and Active Directory is not available, then users will simply be prompted to enter their password as they would without seamless SSO.NoteFor more information, see article What is Single Sign On (SSO) (preview).Ensuring clients sign-in automatically from the corporate networkBy default, browsers will not attempt sending credentials to web servers unless the URL is defined in the Intranet zone. In so far as the URLs used for seamless SSO in Azure AD contain a period because they are globally routable hostnames, they have to be explicitly added to the computer's Intranet zone, so that the browser will automatically send the currently logged in user's credentials in the form of a Kerberos ticket to Azure AD. The easiest way to add the required URLs to the Intranet zone is to simply create a group policy in Active Directory or use an existing one.Proceed with the following steps:Whilst still being connected on the DC2 computer, open an elevated command prompt if none, and run the following command:PS C:\> gpmc.mscA Group Policy Management window brings up.Double-click the name of the forest, double-click Domains, and double-click the name of the domain.Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor window brings up.In the console tree, expand Group policy that will be applied to all users. For example, the Default Domain Policy.Navigate to User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List. Enable the policy, and enter the following values/data in the dialog box.Value: Data: 1 Value: Data: 1Click OK twice.Verifying the synchronization on the Azure AD/Office 365 tenantTo verify the synchronization on the Azure AD tenant, proceed with the following steps:Open a browsing session and navigate to the Azure portal at in with your administrative credentials to your Azure subscription.On the left pane of the Azure management portal, click Azure Active Directory. A Litware369 blade opens up.NoteIf Azure Active Directory is not listed, click More Services, type "Azure", and the select Azure Active Directory.In the Quick tasks tile, click Find a user. A Users and groups – All Users blade opens up. Confirm that both Janet Schorr and Robert Hatley are listed.Verifying the pass-through authentication (PTA) with the Azure AD/Office 365 tenantTo verify the "same sign-on" with the Azure AD/Office 365 tenant (e.g. litware369.), proceed with the following steps:Open a browsing session from your external local computer and navigate to the Office 365 portal at janets@ and specify your Active Directory password.If pass-through authentication (PTA) is correctly set up, your credentials are passed to the on-premises Active Directory forest, and, if verified, you should have a seamless access to the signed in user settings in the Office 365 portal.No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.Verifying the seamless single sign-on (SSO) with the Azure AD/Office 365 tenantTo verify the seamless single sign-on (SSO) with the Azure AD/Office 365 tenant (e.g. litware369.), proceed with the following steps:Open a remote desktop connection on the LAPTOP1 computer. Follow the instructions as per section § REF _Ref473649841 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 the IP address for the LAPTOP1 computer. Log on as the LITWARE369 user account JanetS with "Pass@word1!?” as password.Open a browsing session from your external local computer and navigate to the Office 365 portal at seamless single sign-on (SSO) is correctly set up, you should have a seamless access to the signed in user settings in the Office 365 portal.No tiles are displayed for the online apps. This is expected for the test user as in fact you have not assigned a license to the test user.Troubleshooting the configurationTroubleshooting PTAWhen troubleshooting pass-through authentication (PTA), there are a few different categories of problems that can occur. Depending on the type of problem you may need to look in different places.NoteFor more information, see article What is Azure AD Pass-through Authentication.Connector issuesTo resolves connector issues, you can start investigating the followings:NoteFor more information, see article Troubleshoot Application Proxy.For errors that relate to the Azure AD Application Proxy connector, you can check as mentioned before the Event Log of the connector’s computer under “Application and Service Logs\Microsoft\AadApplicationProxy\Connector\Admin”. Additional information can also be found in the trace logs for the connector in:C:\Users\AzureAdmin\AppData\Local\AADConnect\Trace-YYYYMMDD-XXXXXX.log -or- C:\Programdata\Microsoft\Microsoft AAD Application Proxy Connector\TraceIf needed, more detailed logs are available by viewing the analytics and debugging logs, and enabling the connector session log. Note it is not recommended to run with this log enabled by default and the contents are only visible after the log is disabled.Authentication and Kerberos issuesTo resolves authentication and Kerberos issues, you can start investigating the followings:For errors related to Kerberos authentication, you can check Security and System Event Log on domain controllers. Issues can be linked to different date and time between back end connector and domain controllers or wrong or missing Service Principal Names (SPN) in Active Directory:XML filter can be used to get relevant information about PTA Connector in the security Event <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe')]]</Select> </Query></QueryList>Additional information can also be found in the trace logs in C:\Programdata\Microsoft\Microsoft AAD Application Proxy Connector\Trace. These logs also include the reason that pass-through authentication failed for an individual work Monitor can also be used to analyze Kerberos traffic and get specific error code. Use Net helpmsg <ReasonCode> to get more information from an error work issuesAs the PTA feature uses the Azure AD Application Proxy connector for all requests, we expect most errors to come from network configuration problems. If there is a firewall in the path, make sure that it's open so that the connector can make HTTPS (TCP) requests to the Azure AD Application Proxy. The connector uses a series of ports together with subdomains that are part of the high-level domains and servicebus.. Make sure to open the following ports to outbound traffic.NoteFor more information, see article Enable Application Proxy in the Azure portal.A tool to help checking for network problems can be downloaded at :Troubleshooting seamless SSOIt is important to make sure the client is correctly configured for seamless SSO including the following:NoteFor more information, see article What is Single Sign On (SSO) (preview).Both and are defined within the Intranet zone.Ensure the computer is joined to the domain, for example the LITWARE369 domain in our configuration.Ensure the user is logged on with a domain account.Ensure the computer is connected to the corporate network, for example on the Internal-sn in our test lab configuration.Ensure that the computer's time is synchronized with the Active Directory and the domain controllers time is within 5 minutes of the correct time.Purge the clients existing Kerberos tickets, for example by running the following command from an elevated command prompt.C:\> "klist purge"Ensure the Kerberos SPNs are present and correct for the AzureADSSOAcc$ account in Active Directory.If you have been able to confirm the above requirements, you can review the console logs of the browser for additional information. The console logs can be found under developer tools. This will help you determine the potential problem.Every time a user logs in with single sign on an entry is recorded in the event log of the domain controller, if success auditing is enabled. To find these events, you can review the Event logs for the security Event 4769 associated with computer account AzureADSSOAcc$. The filter below finds all security events associated with the computer account:<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[EventData[Data[@Name='ServiceName'] and (Data='AZUREADSSOACC$')]]</Select> </Query><QueryList>You are now in a position to further test the environment. Understanding PTA and seamless SSOUnderstanding PTASupported clientsPass-through authentication (PTA) is supported via web browser based clients and Office clients that support modern authentication. For clients that are not support such as legacy Office clients, Exchange active sync (i.e. native email clients on mobile devices), customers are encouraged to use the modern authentication equivalent. This not only allows the PTA feature, but also allows for conditional access to be applied, such as multi-factor authentication.Understanding PTA sign-inLet’s illustrate a typical PTA flow.Figure SEQ Figure \* ARABIC 1 Pass-through authentication flowWhen a user enters their username and password into the Azure AD sign-in page.Azure AD sent the username and password to the Azure AD Application Proxy service. The Azure AD Application Proxy service places the username and password on the appropriate on-premises connector queue for validation. One of the available on-premises connectors then retrieves the username and password and validates it against Active Directory. The validation occurs over standard Windows APIs similar to how Active Directory Federation Services (AD FS) validates password. The on-premises domain controller then evaluates the request and returns a response to the connector.The connector returns this to the Azure AD Application Proxy service. The Azure AD Application Proxy service returns it back in turn to Azure AD.Azure AD then evaluates the response and responds to the user as appropriate, for example by issuing a token for the application or asking for multi-factor authentication (MFA).Understanding seamless SSOSupported clientsThe seamless SSO feature is supported via web browser based clients and Office clients that support modern authentication on computers that are capable of Kerberos authentication, such as Windows. The following table provides details of the browser based clients on various operating systems.Table SEQ Table \* ARABIC 1 Supported clients per OS/BrowsersOperating systemsInternet ExplorerChromeFirefoxEdgeWindows 10YesYesYes*NoWindows 8.1 YesYesYes*N/AWindows 8YesYesYes*N/AWindows 7YesYesYes*N/AMac OS/XN/AN/AN/AN/A* Requires separate configurationA word about modern authenticationModern authentication is an OAuth-based authentication stack used by Office 2013/2016 client applications against Office 365. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML 2.0-based third-party identity providers with Office 2013/2016 client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.?From a technical implementation standpoint, the Active Directory Authentication Library (ADAL) replaces for Windows clients the Microsoft Online Sign-in Assistant (SIA). Understanding seamless SSO flowsLet’s illustrate a typical seamless SSO flow.Figure SEQ Figure \* ARABIC 2 Seamless SSO flowFirst the user attempts to access a resource that trusts security tokens issued from Azure AD, such as SharePoint Online (SPO) for Office 365. SharePoint Online then redirects the user to authenticate against Azure AD. The user is then invited to provide their username so that Azure AD can establish if the seamless SSO feature is enabled for their organization. Assuming seamless SSO is enabled for the organization, the following occurs:Azure AD challenges the client, via a 401 unauthorized response, to provide a Kerberos ticket.The client requests a ticket from Active Directory for the Azure AD.Active Directory locates the computer account, created by Azure AD Connect and returns a Kerberos ticket to the client, encrypted with the machine account's secret. The ticket includes the identity of the user currently signed in to the computer.The client sends the Kerberos ticket it acquired from Active Directory to Azure AD.Azure AD decrypts the Kerberos ticket using the previously shared key, and then either returns a token to the user or asks the user to provide additional proofs such as multi-factor authentication as required by the resource.Seamless SSO is an opportunistic feature, which means that if it fails for some reason, the user simply need only enter their password on the sign-in page as usual.Monitoring your on-premises deployment (Optional)This last section of this document provides and introduction to Azure Active Directory Connect Health (Azure AD Connect Health). This cloud based service in the new Azure Portal helps you monitor and gain insight into health, performance and login activity of your on-premises identity infrastructure. It thus offers you the ability to view alerts, performance, usage patterns, configuration settings, enables you to maintain a reliable Azure AD connection, and much more. Azure AD Connect Health represents a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure.NoteFor more information, see article Monitor your on-premises identity infrastructure and synchronization services in the cloud.NoteAzure AD Connect Health is a feature of the Azure AD Premium P1 edition. For a description of this edition below and a comparison table, see article Azure Active Directory editions. This section walks you through the process of configuring this service for your existing on-premises deployment as per this document. The process consists in the following five steps: REF _Ref421634687 \h Getting started with the Azure AD Connect Health service. REF _Ref471375932 \h Configuring Azure AD Connect Health for Sync. REF _Ref471375947 \h Configuring Azure AD Connect Health for AD DS. REF _Ref421725350 \h Using the Azure AD Connect Health service.The following subsections describe in the context of our test lab environment each of these steps.Like before, and unless noticed otherwise, all the instructions should be done on the DC1 computer.Getting started with the Azure AD Connect Health serviceTo get started with and use the Azure AD Connect Health service, proceed with the following tasks:Open a browsing session for your external personal computer and navigate to the Azure portal at . Sign in when prompted with your Azure AD/Office 365 Enterprise global administrator account such as:Username: admin@litware369.Password: Pass@word1!?Click Next.Click the Marketplace tile, and then select Security + Identity, or search for it by typing “Identity”.Under recommended, click Azure AD Connect Health. An introductory blade opens up.Click Create. This will open another blade with your directory information.Click Create. NoteIf you do not have an Azure Active Directory Premium P1 license, you will need one to use Azure AD Connect Health as previously noticed. See article What is Microsoft Azure Active Directory licensing?. You can sign-up for a trial at created, you can now access the Azure AD Connect Health Portal that allows you to view alerts, performance monitoring, and usage analytics. Upon first accessing Azure AD Connect Health, a first blade is presented.In order to see any data in your instance of Azure AD Connect Health, you will need to install the Azure AD Connect Health agents on your targeted servers, for example the six computers in our configuration. This is the purpose of the next sections.Configuring Azure AD Connect Health for SyncThe Azure AD Connect Health agent for Sync is installed as part of the Azure AD Connect installation (version 1.0.9125.0 or higher). So this is already completed with our prior installation and configuration of Azure AD Connect (version 1.1.380.0 in our configuration). See section § REF _Ref421213239 \h \* MERGEFORMAT Integrating your on-premises AD forest(s) with your Azure AD/Office 365 tenant. To verify the agent has been installed, look for the following services on the DC1 computer. If you completed the configuration, they should already be running:Azure AD Connect Health Sync Insights Service.Azure AD Connect Health Sync Monitoring Service.NoteFor more information, see article Azure AD Connect Health Agent Installation.Configuring Azure AD Connect Health for AD DSDownloading the health agent for AD DSTo download the latest version of health agent for AD DS, proceed with the following steps:Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § REF _Ref471576854 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.Open a browsing session and navigate to the Azure AD Connect Health portal.Click the Quick Start tile. An eponym Quick Start blade opens up. Under Get tools, click Download Azure AD Connect Health for AD DS to download the health agent (AdHealthAddsAgentSetup.exe)Click Save.Repeat above steps on the DC2 computer.Installing and configuring the health agent for AD DSTo download the latest version of health agent for AD DS, proceed with the following steps:Open a remote desktop connection on the DC1 computer that will be also your sync server. Follow the instructions as per section § REF _Ref471576854 \h \* MERGEFORMAT Accessing the various machines of the test lab environment and specify in step 2 "10.0.0.101" for the DC1 computer. Log on as the LITWARE369 domain administrator account AzureAdmin with "Pass@word1!?" as password.Double-click the AdHealthAddsAgentSetup.exe file you’ve downloaded in the previous section. A dialog pops up.The Azure Active Directory Connect Health Setup dialog shows up.On the first screen, read the EULA, and then click Install. The install begins.Once the installation is finished, click Configure Now. A command prompt with elevated privileges opens up.As stated, an elevated PowerShell command prompt is then launched to execute the following command while the initial command prompt closes: Register-AzureADConnectHealthADDSAgentA Sign in to your account dialog opens up.Type "admin@litware369." for your Azure AD/Office 365 Enterprise global administrator and click Continue.Enter the password of the admin@litware369. user, e.g. “Pass@word1!?” in our configuration, and then click Sign in. The health agent registration process starts.Executing Elevated PowerShell Command: Register-AzureADConnectHealthADDSAgent2017-01-05 10:37:00.735 ProductName: Microsoft Azure AD Connect Health agent for AD DS, FileVersion: UTC Time: 2017-01-05 10:37:00Z2017-01-05 10:37:00.893 AHealthServiceUri (ARM): 10:37:00.893 AdHybridHealthServiceUri: 10:37:03.098 AHealthServiceApiVersion: 2014-01-012017-01-05 10:43:28.828 Detecting AdDomainService roles...2017-01-05 10:43:29.562 Detected the following role(s) for :2017-01-05 10:43:29.562 Active Directory Domain Services2017-01-05 10:43:34.915 Aquiring Monitoring Service certificate using tenant.cert2017-01-05 10:43:42.506 Successfully aquired and stored Monitoring Service certificate: Subject=CN=DCc-4be2-9b86-5b3513ecb22e, OU=Microsoft ADFS Agent, Issuer=CN=Microsoft PolicyKeyService Certificate Ant=25E0F7EE2D344DF31888B7E223795DFD29D4DFBF2017-01-05 10:43:42.521 Fetched and stored agent credentials successfully...2017-01-05 10:43:44.432 Started agent services successfully...Test-AzureADConnectHealthConnectivity completed successfully...2017-01-05 10:44:02.807 Agent registration completed successfully.Detailed log file created in temporary directory:C:\Users\AzureAdmin.LITWARE369\AppData\Local\Temp\2\AdHealthAddsAgentConfiguration.2017-01-05_10-37-00.logPS C:\Users\AzureAdmin.LITWARE369\Downloads>To verify the agent has been successfully installed and configured, click Tools in Server Manager, and then select Services. An eponym window Services opens up.Look for the following services: Azure AD Connect Health AD DS Insights Service.Azure AD Connect Health AD DS Monitoring Service.These services should be started automatically and the agent will be now monitoring and gathering data.Repeat above steps on the DC2 computer.NoteFor more information, see article Azure AD Connect Health Agent Installation.At this stage, you should now be in position to monitor your on-premises deployment.Using the Azure AD Connect Health serviceTo now use the Azure AD Connect Health service, proceed with the following tasks:Open a browsing session and navigate to the Azure Preview Portal at . Sign in when prompted with your Azure AD/Office 365 Enterprise global administrator account such as:Username: admin@litware369.Password: Pass@word1!?Select Azure AD Connect Health. An introductory blade opens up.Click Azure Active Directory Connect (Sync). An eponym blade opens up. Synchronization should appear as healthy.Back to introductory blade of Azure AD Connect Health, finally click Active Directory Domain services. A new blade opens up for AD DS as you might expect.NoteFor more information on the various health topics (alerts, performance monitoring, usage analytics, properties, etc.), see articles Azure AD Connect Health Operations, Using Azure AD Connect Health for sync, Using Azure AD Connect Health with AD FS, and Using Azure AD Connect Health with AD DS.This concludes the seventh and final part of the whitepaper.The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this plying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.? 2017 Microsoft Corporation. All rights reserved.The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download