Single Sign-On to on-premises resources from Azure AD joined when Onprem

Azure AD Join was introduced in Windows 10 and allows a Windows 10 device to register with Azure Active Directory (Azure AD), so that Azure AD users can sign in to the device using their work credentials, more commonly known as their O365 credentials.

Users on these devices will enjoy Single Sign-On (SSO) to Office 365 or other SaaS applications.

The really cool part is that if this user is working within the corporate network, the user can also enjoy SSO to on-premises Integrated Windows Authentication based resources, provided the organization has enabled this functionality.

You will need a hybrid environment where Active Directory Domain Services has been extended to Azure AD.

So what do we need to do to enable this functionality?

  • An on-premises Active Directory running on at least Windows Server 2008 R2
  • An Azure AD Subscription
  • Windows 10 Devices
  • Azure Active Directory Connect

Azure Active Directory Connect is used to synchronize users and devices between Azure AD and your on-premises AD.

AAD Connect writes three new attributes on users in Azure AD which are then used by Windows logon to authenticate the user against a suitable domain controller on-premises.

  • DNS domain name where the user resides in AD on-premises.
  • NetBIOS domain name where the user resides in AD on-premises.
  • SAM account name of the user.

For more deployment information, see the official documentation: Enabling your directory for hybrid management with Azure AD Connect.

So how does this work in technical terms?

Imagine that you are inside your company’s network on your AAD joined device. You enter your password or your Passport credentials (Windows Hello/PIN). That credential goes to Azure AD, and Azure AD returns a token to Windows. This token is a very special token: it is a refresh token, but a refresh token for multiple audiences. It is used to access multiple resources, and basically it is used to access all resources from this device as long as this session is active. That is what is called a Primary Refresh Token (PRT). Additionally, at the same time, if the device can reach an on-premises Active Directory domain controller, the device will also receive a Kerberos TGT (Ticket Granting Ticket), and that is what provides SSO to on-premises resources. All of this happens at winlogon time.

The PRT provides SSO to all AAD resources such as SaaS apps or Office 365, whether you have set up your environment with AD FS or are using password hash sync to AAD. The TGT provides SSO to on-premises resources such as web applications, file servers and printers. The user experiences full SSO to all resources.

Users doing work from Azure AD joined devices that come to the on-premises network are now able to enjoy seamless access without being prompted for credentials when accessing a file server or when printing a document to an on-premises printer.

If, on the other hand, your users are outside your network, they will still have SSO to all cloud applications, but because the device has no access to your on-premises AD domain controller it will not get a TGT and will not be able to access on-premises resources, unless you have published them through Azure AD Application Proxy or the Web Application Proxy service.
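As an added example that is not part of the original post, the following PowerShell check confirms on a Windows 10 device whether both credentials described above are present: it reads the AzureAdJoined and AzureAdPrt fields printed by dsregcmd /status and looks for a krbtgt entry in klist tgt (both tools ship with Windows). It assumes it is run in the signed-in user's context, since the PRT and TGT belong to that user's logon session.

```powershell
# Added diagnostic example (not from the original post). Run as the signed-in
# user, not from an elevated prompt started under a different account.

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; collect them in a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-OnPremSso {
    $state = Get-DsregState

    # The PRT is the cloud credential issued at winlogon; without it there is no cloud SSO.
    $joined = $state['AzureAdJoined'] -eq 'YES'
    $hasPrt = $state['AzureAdPrt'] -eq 'YES'

    # The Kerberos TGT is only present if a domain controller was reachable at logon.
    $tgtLines = & klist.exe tgt 2>$null
    $hasTgt = [bool]($tgtLines | Where-Object { $_ -match 'ServiceName\s*:\s*krbtgt' })

    [pscustomobject]@{
        AzureAdJoined     = $joined
        HasPrt            = $hasPrt
        HasKerberosTgt    = $hasTgt
        OnPremSsoExpected = $joined -and $hasPrt -and $hasTgt
    }
}

$result = Test-OnPremSso
$result | Format-List

if ($result.HasPrt -and -not $result.HasKerberosTgt) {
    # The classic symptom: cloud SSO works, but a file share or printer prompts
    # for credentials. Verify DC reachability from this network, then sign out
    # and back in so winlogon can request the TGT again.
    Write-Warning 'PRT present but no Kerberos TGT cached: on-premises SSO will not work until a DC is reachable at logon.'
}
```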

AAD SSO ONPREM

4 thoughts on “Single Sign-On to on-premises resources from Azure AD joined when Onprem”

  1. Hi there, hugely appreciate the post. I’m hoping you can help me with it as it’s not working for me.
    I have an Azure AD joined PC (OOBE, work, join Azure AD). All fine.
    I plug into my LAN on premise.
    Sign in (I’m using a PIN to sign in as it enforces me to set one up via policy).
    It signs me in.
    I try to navigate to a network share. Prompts for password and to enter PIN. Which it then doesn’t take. I can ping the DCs fine.
    On this account there is no Azure Premium and no Device Writeback enabled.
    Is that required, is the PIN the problem? Appreciate the help, thank you


  2. Hi Gabriel
    We have a similar configuration and it also does not work when entering a PIN. But when I use the password instead it works pretty fine.

    According to the article above it should also work with PIN but for some reasons it doesn’t.

    I’m not sure, if this is a general issue or if there is some magic setting missing in our onPrem or Azure AD.

    I’d really appreciate if somebody has a technical explanation why PIN scenario fails.

    Regards, Walter


      • I believe it’s related to the device having to be registered in Azure AD. You can set up a group policy

        On Wed, 22 Feb 2017, 19:25 Thoughts about Windows, wrote:

        > jankeskanke commented: “I don’t have a definitive answer but it can > related to Hello for business not correctly working in your environment. ” >
