Imagine this scenario: You've been running Active Directory Federation Services (AD FS) since before it was cool, and you're tired of maintaining that highly available infrastructure (at least 4 servers) and the whole federation thing and its myriad of quirks and drawbacks and headaches (such as alt-id, claims rules, certificates, and the fun of trying to change UPN suffixes from one federated UPN to another).
Welcome to the world of Seamless Single Sign-On. It's new. It's shiny. And it's here to help.
If you're not familiar with AD FS or aren't sure whether you're using it, here's an easy test: from an external computer, open a web browser, navigate to https://portal.office.com, and attempt to sign in with your Office 365 address. If you get redirected to a window that looks like this:
Congratulations, you're using AD FS. There are several other ways to check as well, but chances are, if you're reading this blog, you know how.
Preparing your environment
First, I'd recommend <warning: shameless plug approaching> checking out the AAD Connect Network and Name Resolution Testing tool. It has a bunch of nifty things to help make sure your AAD Connect server can communicate with everything it needs to. If you're already using AAD Connect successfully, you can just run it with the -OnlineEndpoints parameter to check your outbound connectivity.
Second, make sure you have all your credentials. You'll need an on-premises Domain Admin credential for every Active Directory domain configured in AAD Connect, as well as the credentials of a Global Admin account in your Office 365 tenant.
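If you'd rather do a quick outbound pre-flight check by hand before running the wizard, here is an added example (not part of the original post and not the testing tool mentioned above). The hostnames are assumptions taken from the endpoints that appear in the AAD Connect trace later in this post; the per-tenant registration host carries a placeholder you must replace with your own tenant's prefix.

```powershell
# Added example: outbound DNS + TCP pre-flight from the AAD Connect server.
# Hostnames are assumptions lifted from the trace in this post; <tenant-id> is a
# placeholder for the tenant-specific prefix of the agent registration endpoint.
$TenantRegistrationHost = '<tenant-id>.registration.msappproxy.net'

$Hosts = @(
    'login.windows.net',                    # ADAL authority used during enablement
    'proxy.cloudwebappproxy.net',           # ADAL resource used during enablement
    $TenantRegistrationHost,                # WCF endpoint the PTA agent registers against
    'autologon.microsoftazuread-sso.com'    # Seamless SSO endpoint that clients (and you) must reach
)

function Test-AadConnectOutbound {
    param(
        [Parameter(Mandatory)] [string[]] $HostNames,
        [int[]] $Ports = @(443, 80)         # the post calls for at least 80 and 443 outbound
    )
    foreach ($h in $HostNames) {
        # DNS first: if the name doesn't resolve, the TCP test tells you nothing useful.
        $dns = Resolve-DnsName -Name $h -ErrorAction SilentlyContinue
        foreach ($p in $Ports) {
            $tcp = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host     = $h
                Port     = $p
                Resolves = [bool]$dns
                TcpOpen  = $tcp.TcpTestSucceeded
                RemoteIP = $tcp.RemoteAddress
            }
        }
    }
}

Test-AadConnectOutbound -HostNames $Hosts | Format-Table -AutoSize

# Seamless SSO depends on the autologon name resolving through its CNAME chain, so
# show the chain explicitly rather than just the final A record.
Resolve-DnsName -Name 'autologon.microsoftazuread-sso.com' -Type CNAME |
    Select-Object Name, Type, NameHost | Format-Table -AutoSize

# If an explicit proxy is configured, the agent will use it; surface that here so a
# failed TCP test isn't misread as a firewall problem.
$proxy = [System.Net.WebRequest]::DefaultWebProxy.GetProxy('https://login.windows.net')
"System proxy for login.windows.net: $proxy"
```

A closed port 80 is worth noting but not necessarily fatal on its own; a closed 443 to any of these hosts, or a failure to resolve the autologon CNAME, will stop the wizard or break sign-in for clients, so fix those before proceeding.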
Updating the configuration
Once you have your ducks in a row, it's time to run through the configuration wizard to change your settings.
- Log on to the server running Azure AD Connect.
- Double-click / open the Azure AD Connect icon on the desktop.
- Acknowledge the User Account Control prompt (if displayed).
- Select the green Configure button.
- Select Change user sign-in and click the green Next button.
- On the Connect to Azure AD page, enter your global admin credentials and click the green Next button. I prefer to use a cloud identity credential for AAD Connect configuration changes.
If you had previously configured federation with the AAD Connect wizard, when you are presented with the User sign-in page, the Federation with AD FS radio button will already be selected (as it is in the screenshot). If you had previously configured AD FS outside of AAD Connect, your previous method will be selected (either Password Synchronization, Pass-through authentication, or Do not configure).
- Select the Pass-through authentication radio button, and then check Enable single sign-on to start the Seamless Single Sign-On configuration process. Click the green Next button to proceed.
- Click the green Enter credentials button and enter Domain Admin credentials for each of your connected domains. AAD Connect won't save these credentials; they're only used for the configuration tasks, such as creating the AZUREADSSOACC computer account in each forest. When you're finished entering credentials, click the green Next button.
- Confirm your choices and click the green Configure button.
- Wait while the installation completes. If you are switching from federation, the domain type in the tenant changes from Federated to Managed.
- Close the wizard. Yes, it will probably report errors; the trace ends with an overall status of Warning even though the sign-in method change itself completes.
You can view the log file at C:\ProgramData\AADConnect\trace-<date>. Look towards the end for content that looks like this:
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - AcquireTokenHandlerBase: === Token Acquisition started: Authority: https://login.windows.net/aaronoffice365lab.onmicrosoft.com/ Resource: https://proxy.cloudwebappproxy.net/registerapp ClientId: cb1056e2-e479-49de-ae31-7812af012ed8 CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (2 items) Authentication Target: User
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - TokenCache: Looking up cache for a token...
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - TokenCache: An item matching the requested resource was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - TokenCache: 45.708348125 minutes left until token in cache expires
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - TokenCache: A matching item (access token or refresh token or both) was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:44: 5eb59608-f2e8-48bd-adbc-f506042b36ab - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned: Access Token Hash: X6aumeoyaYrqRlFECdG+86V8/9QSfJqpX4pYWOhHFeM= Refresh Token Hash: kvfHZVrbK0xojK/FH5IaIRDoCxHDswuvy6mkFXw4zTI= Expiration Time: 04/03/2018 20:44:27 +00:00 User Hash: 4YKOw7hBlXlBGxeHn8UL3EDZcYimAu5yJnGGYFubIgc=
AzureADConnect.exe Information: 0 : Changing the passthrough authentication feature enablement state to enable.
AzureADConnect.exe Information: 0 : 'IPassthroughAuthenticationService' channel is not available for communication. Asking lock to recreate.
AzureADConnect.exe Information: 0 : 'IPassthroughAuthenticationService' channel is still not available. Recreating.
AzureADConnect.exe Information: 0 : 'ChannelFactory`1' is not available. Recreating factory.
AzureADConnect.exe Information: 0 : 'ChannelFactory`1' recreated successfully.
AzureADConnect.exe Information: 0 : WCF cient connection: https://a6716add-e182-4ee2-9acb-db34d4cc84f1.registration.msappproxy.net/register - 0 active connections in service point before opening new channel
AzureADConnect.exe Information: 0 : Creating a new 'IPassthroughAuthenticationService' channel.
AzureADConnect.exe Information: 0 : Opening the new 'IPassthroughAuthenticationService' channel.
AzureADConnect.exe Information: 0 : 'IPassthroughAuthenticationService' channel recreated successfully.
AzureADConnect.exe Information: 0 : Passthrough authentication enable - successful
[19:58:47.400] [ 20] [INFO ] enable passthrough authentication was successful
[19:58:47.400] [ 20] [INFO ] Task 'Configure Passthrough Authentication' has finished execution
[19:58:47.400] [ 10] [INFO ] Task 'Configure Passthrough Authentication' finished successfully
[19:58:47.400] [ 10] [VERB ] Executing task Setting DesktopSso enablement
[19:58:47.401] [ 24] [INFO ] EnableDesktopSsoTask: desktopsso is currently False.
[19:58:47.401] [ 24] [INFO ] EnableDesktopSsoTask: desktopsso enablement is setting from False to True.
[19:58:47.403] [ 24] [INFO ] EnableDesktopSsoTask: Setting DesktopSSO policy to: True
[19:58:47.466] [ 24] [INFO ] DiscoverAzureEndpoints [PassthruAuthentication]: ServiceEndpoint=https://{0}.registration.msappproxy.net/register, AdalAuthority=https://login.windows.net/aaronoffice365lab.onmicrosoft.com, AdalResource=https://proxy.cloudwebappproxy.net/registerapp.
[19:58:47.466] [ 24] [INFO ] AcquireServiceToken [PassthruAuthentication]: acquiring additional service token.
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - AcquireTokenHandlerBase: === Token Acquisition started: Authority: https://login.windows.net/aaronoffice365lab.onmicrosoft.com/ Resource: https://proxy.cloudwebappproxy.net/registerapp ClientId: cb1056e2-e479-49de-ae31-7812af012ed8 CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (2 items) Authentication Target: User
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - TokenCache: Looking up cache for a token...
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - TokenCache: An item matching the requested resource was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - TokenCache: 45.66185952 minutes left until token in cache expires
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - TokenCache: A matching item (access token or refresh token or both) was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:47: a161212a-debc-428e-a169-d1a50763d7fa - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned: Access Token Hash: X6aumeoyaYrqRlFECdG+86V8/9QSfJqpX4pYWOhHFeM= Refresh Token Hash: kvfHZVrbK0xojK/FH5IaIRDoCxHDswuvy6mkFXw4zTI= Expiration Time: 04/03/2018 20:44:27 +00:00 User Hash: 4YKOw7hBlXlBGxeHn8UL3EDZcYimAu5yJnGGYFubIgc=
[19:58:49.752] [ 24] [INFO ] EnableDesktopSsoTask: DesktopSSO policy successfully set to: True
[19:58:49.754] [ 24] [INFO ] EnableDesktopSsoTask: Updating desktopsso secret for forestc.com
[19:58:49.837] [ 24] [INFO ] DiscoverAzureEndpoints [PassthruAuthentication]: ServiceEndpoint=https://{0}.registration.msappproxy.net/register, AdalAuthority=https://login.windows.net/aaronoffice365lab.onmicrosoft.com, AdalResource=https://proxy.cloudwebappproxy.net/registerapp.
[19:58:49.837] [ 24] [INFO ] AcquireServiceToken [PassthruAuthentication]: acquiring additional service token.
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - AcquireTokenHandlerBase: === Token Acquisition started: Authority: https://login.windows.net/aaronoffice365lab.onmicrosoft.com/ Resource: https://proxy.cloudwebappproxy.net/registerapp ClientId: cb1056e2-e479-49de-ae31-7812af012ed8 CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (2 items) Authentication Target: User
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - TokenCache: Looking up cache for a token...
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - TokenCache: An item matching the requested resource was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - TokenCache: 45.6223529983333 minutes left until token in cache expires
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - TokenCache: A matching item (access token or refresh token or both) was found in the cache
AzureADConnect.exe Information: 0 : 04/03/2018 19:58:49: 717a981b-ee81-4d32-91dc-a2c241c717b5 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned: Access Token Hash: X6aumeoyaYrqRlFECdG+86V8/9QSfJqpX4pYWOhHFeM= Refresh Token Hash: kvfHZVrbK0xojK/FH5IaIRDoCxHDswuvy6mkFXw4zTI= Expiration Time: 04/03/2018 20:44:27 +00:00 User Hash: 4YKOw7hBlXlBGxeHn8UL3EDZcYimAu5yJnGGYFubIgc=
[19:58:51.784] [ 24] [INFO ] Task 'Setting DesktopSso enablement' has finished execution
[19:58:51.784] [ 10] [INFO ] Task 'Setting DesktopSso enablement' finished successfully
[19:58:51.784] [ 10] [INFO ] Task 'Change Sign-In Method' has finished execution
[19:58:51.795] [ 7] [INFO ] The Azure AD Connect Installation was successfully completed.
[19:58:51.798] [ 7] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[19:58:51.798] [ 7] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Warning
[19:58:51.814] [ 1] [VERB ] ReleaseSyncConfigurationMutex(): Releasing sync config changes mutex.
[19:58:51.816] [ 7] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
- Test Pass-through authentication with Seamless SSO. The first test is to open a browser to https://portal.office.com from an outside network and make sure you are not redirected to your federation sign-in page. That, together with the log file, confirms that the wizard has updated the domain configuration in the tenant.
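A browser test tells you what one user sees; the tenant and the forest can be checked directly. The following is an added example (not from the original post) that assumes the MSOnline module is installed, that you run it on the AAD Connect server where the AzureADSSO module ships in the default install folder, and that forestc.com (the forest named in the trace above) is your on-premises domain.

```powershell
# Added example: confirm the switch from Federated to Managed and the Seamless SSO
# state from both the tenant side and the on-premises side.
Import-Module MSOnline
Connect-MsolService   # prompts for the Global Admin credential

# 1. Every verified domain should now be Managed. A lingering Federated entry means
#    sign-ins for that domain are still being handed to AD FS.
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$domains | Select-Object Name, Authentication, Status | Format-Table -AutoSize
$stillFederated = $domains | Where-Object { $_.Authentication -eq 'Federated' }
if ($stillFederated) {
    Write-Warning ('Still federated: ' + ($stillFederated.Name -join ', '))
}

# 2. Seamless SSO status as the tenant sees it. The module path is the default AAD
#    Connect install location (assumption: adjust if you installed elsewhere).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext   # Global Admin prompt again
$sso = Get-AzureADSSOStatus | ConvertFrom-Json
"Seamless SSO enabled in tenant : $($sso.Enable)"
"Forests enabled for Seamless SSO: $($sso.Domains -join ', ')"

# 3. The on-premises half: the AZUREADSSOACC computer account the wizard created.
#    Azure AD holds a copy of this account's Kerberos key, so its age is the age of
#    the key; Microsoft recommends rolling it at least every 30 days.
$forest = 'forestc.com'   # assumption: the forest from the trace in this post
$acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $forest -Properties PasswordLastSet
$acct | Select-Object Name, Enabled, PasswordLastSet | Format-Table -AutoSize
if ($acct.PasswordLastSet -lt (Get-Date).AddDays(-30)) {
    Write-Warning "AZUREADSSOACC key in $forest is older than 30 days; roll it with Update-AzureADSSOForest"
}
```

If step 1 shows Managed, step 2 lists your forest, and step 3 shows a recent PasswordLastSet, the tenant side is done and any remaining failure is on the client (zone settings) or the network path to autologon.microsoftazuread-sso.com.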
Deploying to your users
Now that you've got it configured from AAD Connect's perspective, you need to get your users ready to consume it.
Overview
Buried in one of our myriad document repositories is this little nugget:
To roll out the feature to your users, you need to add the following Azure AD URL to the users' Intranet zone settings by using Group Policy in Active Directory:
In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.
Why do you need to modify users' Intranet zone settings?
By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, "http://contoso/" maps to the Intranet zone, whereas "http://intranet.contoso.com/" maps to the Internet zone (because the URL contains a period). Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser's Intranet zone.
So, to make this seamless for your internal users, you need to add https://autologon.microsoftazuread-sso.com to the Local intranet zone. I'd also recommend adding https://aadg.windows.net.nsatc.net, since autologon.microsoftazuread-sso.com is a CNAME for it. Once you do that, the browser treats that site as "internal" and will send your Kerberos ticket to it. Add only these exact hostnames: the zone assignment is what authorizes the browser to hand out a ticket, so a wildcard entry (for example, *.nsatc.net) would extend that trust to every host under the domain. The ticket is for the AZUREADSSOACC computer account that the wizard created in each forest; its Kerberos decryption key is shared with Azure AD, and Microsoft recommends rolling that key over at least every 30 days with Update-AzureADSSOForest from the AzureADSSO module on the AAD Connect server.
Group Policy Deployment for Internet Explorer (and Edge)
- Open the Group Policy Management Console (gpmc.msc).
- Edit a group policy that is applied to some or all your users, or create a new one. This example uses Default Domain Policy.
- Browse to User Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page. Then select Site to Zone Assignment List.
- Enable the policy, and then enter the following values in the dialog box:
- Value name: The Azure AD URL where the Kerberos tickets are forwarded.
- Value (Data): 1 indicates the Intranet zone. The result looks like this:
Value: https://autologon.microsoftazuread-sso.com
Data: 1
Note: If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the data in the value column to 4 in a separate group policy that applies to those users. This action adds the Azure AD URLs to the Restricted zone, and causes Seamless SSO to fail all the time.
- Repeat the process for the second URL.
Value: https://aadg.windows.net.nsatc.net
Data: 1
- Select OK, and then select OK again.
- Browse to User Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Intranet Zone. Then select Allow updates to status bar via script.
- Enable the policy setting, and then select OK.
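The same two settings can be written with the GroupPolicy module, which also makes the kiosk variant from the note above (zone 4 in a separate GPO) a one-line change, and the result can be checked on a client by reading the policy keys the Site to Zone Assignment List populates. This is an added example, not part of the original post; the GPO names are assumptions (create and link them yourself), and the registry locations are the ones the Internet Explorer ADMX writes for these two policies.

```powershell
# Added example: apply the zone assignments with the GroupPolicy module, then verify
# them on a client. GPO names below are assumptions; create and link them first.
Import-Module GroupPolicy

$SsoUrls = @('https://autologon.microsoftazuread-sso.com', 'https://aadg.windows.net.nsatc.net')
$PolicyBase = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-SeamlessSsoZonePolicy {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet(1, 4)] [int] $Zone = 1      # 1 = Intranet (SSO on), 4 = Restricted (SSO blocked, for kiosks)
    )
    # Site to Zone Assignment List: one REG_SZ per URL under ZoneMapKey, plus the
    # flag the ADMX sets so the zone map is read from policy.
    Set-GPRegistryValue -Name $GpoName -Key $PolicyBase -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
    foreach ($url in $SsoUrls) {
        Set-GPRegistryValue -Name $GpoName -Key "$PolicyBase\ZoneMapKey" -ValueName $url -Type String -Value "$Zone" | Out-Null
    }
    if ($Zone -eq 1) {
        # Intranet zone (Zones\1): URL action 2103 is "Allow updates to status bar via
        # script" (assumption: verify the action id against your inetres.admx); 0 = Enable.
        Set-GPRegistryValue -Name $GpoName -Key "$PolicyBase\Zones\1" -ValueName '2103' -Type DWord -Value 0 | Out-Null
    }
}

# Normal users get the Intranet assignment; kiosk users get the Restricted one.
Set-SeamlessSsoZonePolicy -GpoName 'Seamless SSO - Enable'      -Zone 1
Set-SeamlessSsoZonePolicy -GpoName 'Seamless SSO - Block kiosks' -Zone 4

# Client-side check after gpupdate: what zone does each SSO URL actually land in, and
# did anything broader than an exact host get into the Intranet zone?
function Test-SeamlessSsoZones {
    $zoneMap = "HKCU:\$($PolicyBase -replace '^HKCU\\','')\ZoneMapKey"
    $entries = if (Test-Path $zoneMap) { Get-ItemProperty -Path $zoneMap } else { $null }
    foreach ($url in $SsoUrls) {
        $zone = if ($entries) { $entries.$url } else { $null }
        $state = if ($null -eq $zone)  { 'MISSING (SSO off)' }
                 elseif ($zone -eq '1') { 'Intranet (SSO on)' }
                 elseif ($zone -eq '4') { 'Restricted (SSO blocked)' }
                 else                   { "Zone $zone (SSO off)" }
        [pscustomobject]@{ Url = $url; Zone = $zone; State = $state }
    }
    if ($entries) {
        # A wildcard in zone 1 hands Kerberos tickets to every host it matches.
        $entries.PSObject.Properties |
            Where-Object { $_.Value -eq '1' -and $_.Name -like '*`**' } |
            ForEach-Object { Write-Warning "Wildcard entry in Intranet zone: $($_.Name)" }
    }
}

Test-SeamlessSsoZones | Format-Table -AutoSize
```

Run the Set-* half from a machine with the GroupPolicy module (RSAT or a domain controller) and the Test-* half as the end user on a client after gpupdate /force; the client function only reads the policy hive, so it is safe to run anywhere.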
Firefox
Firefox doesn't send Kerberos (Negotiate) credentials to any site by default; it has its own trusted-site list instead of using the Windows zone settings. To update the Firefox configuration, follow these steps.
- Launch Firefox.
- In the URL bar, type about:config and press enter.
- Click the I accept the risk! button.
- In the search bar, type network.negotiate-auth.trusted-uris to locate the settings object to modify. Double-click it to open.
- In the dialog box, enter https://autologon.microsoftazuread-sso.com,https://aadg.windows.net.nsatc.net and click OK.
- Close and reopen Firefox for the settings to take effect.
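Editing about:config is per user and per profile. For a managed fleet, Firefox's enterprise policy file does the same thing centrally: the Authentication.SPNEGO policy is the policies.json equivalent of network.negotiate-auth.trusted-uris. The following is an added example (not from the original post) that writes that file; it assumes the default Firefox install path and merges into an existing policies.json rather than overwriting it.

```powershell
# Added example: deploy the Firefox trusted-URI list via the enterprise policy file
# <Firefox install dir>\distribution\policies.json (Authentication.SPNEGO policy).
function New-FirefoxSsoPolicy {
    param(
        [string]   $FirefoxDir  = "$env:ProgramFiles\Mozilla Firefox",   # assumption: default install path
        [string[]] $TrustedUris = @('https://autologon.microsoftazuread-sso.com',
                                    'https://aadg.windows.net.nsatc.net')
    )
    $distDir    = Join-Path $FirefoxDir 'distribution'
    $policyFile = Join-Path $distDir 'policies.json'

    # Start from the existing file so other policies already deployed are preserved.
    $policy = if (Test-Path $policyFile) {
        Get-Content -Path $policyFile -Raw | ConvertFrom-Json
    } else {
        [pscustomobject]@{ policies = [pscustomobject]@{} }
    }
    if (-not $policy.policies.PSObject.Properties['Authentication']) {
        $policy.policies | Add-Member -NotePropertyName 'Authentication' -NotePropertyValue ([pscustomobject]@{})
    }
    # SPNEGO = hosts Firefox may send a Kerberos ticket to; keep it to exact hostnames.
    $policy.policies.Authentication | Add-Member -NotePropertyName 'SPNEGO' -NotePropertyValue @($TrustedUris) -Force

    New-Item -ItemType Directory -Path $distDir -Force | Out-Null
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8
    return $policyFile
}

# Read back what Firefox will load, so a typo in a hostname is caught before rollout.
$file = New-FirefoxSsoPolicy
$loaded = Get-Content -Path $file -Raw | ConvertFrom-Json
"Firefox will negotiate Kerberos with: $($loaded.policies.Authentication.SPNEGO -join ', ')"
```

Firefox reads policies.json at startup, so, as with the manual steps, users need to restart the browser; once the file is in place the about:config preference is locked by policy and users can no longer remove the entries themselves.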
Ensuring high availability
So, this is cool and all, but I'm sure you're dying to ask ... isn't this a single point of failure?
Yes. Yes it is.
Fortunately, we've thought of that, too. Enter, the dragon.
Err, no. Wait.
Let's try this again.
Fortunately, we've thought of that, too.
We've made a standalone agent available that can be deployed on systems in your environment. To deploy it, follow these steps.
- Select servers that you want to install the agent on. They need to be able to communicate out to the internet on at least ports 80 and 443, though I've seen some requirements that give additional ports as well.
- Download the pass-through authentication agent from here: http://aka.ms/getauthagent
- Run the installer, and then click Install.
- At the Modern Authentication dialog box, enter a global admin credential and click Next.
- Click Close to dismiss the installer after it completes.
- Log into https://aad.portal.azure.com with a global admin credential.
- Select Azure Active Directory from the navigation blade.
- On the Azure Active Directory blade, select Azure AD Connect.
- On the Azure AD Connect blade, select the agents link next to Pass-through authentication to display the servers that have the pass-through authentication agent installed.
- Verify that the servers where you installed the pass-through authentication agent are registered and showing online. The AAD Connect server itself already runs an agent (it was installed as part of the initial configuration), so you should see it plus each standalone server; Microsoft recommends at least three agents in total for high availability.
As always, feel free to leave remarks or questions in the comments area.
May all your auths be passed through successfully.