AD Connect pass-through authentication & SSO

This post walks you through two things:

  1. an upgrade of an existing AD Connect installation
  2. converting from ADFS to pass-through authentication
    • Turning off ADFS
    • setting up pass-through authentication and single sign on

Recently Microsoft announced the new Azure AD Pass-Through Authentication and Seamless Single Sign-on. It’s a way of signing in to AAD (Azure AD) and AAD services using on-prem credentials as a reputable replacement to ADFS. This also includes any any third party apps all like Concour or SalesForce as well as custom apps. You can use AAD Premium to setup SAML 2.0 authentication to any custom app that supports claims based authentication. This is essentially ADFS as a service.

Upgrading AD Connect

This is how I upgraded AD Connect to version 1.1.371.0 released December 2016.

Step one, you need to download the latest version of AD Connect. Upgrading AD Connect to the latest version is fairly painless, you need an AAD account handy which is a Global Admin to be entered during the process, you also need to make sure you’re using a specific user account for install, either by using run as or logged on as an account which is a member of the ADSyncAdmins group. This group could be a local group (on a stand alone server) or an AD group (if AD Connect is installed on a domain controller).


Converting from ADFS to pass-through authentication

Step one requires you to disable ADFS and remove it from AAD, so that the next time you log into a service in the cloud which backs onto AAD, it won’t redirect you to your ADFS infrastructure for an authentication token.

You disable ADFS on the ADFS server itself by using PowerShell.

Enabling pass-through authentication

On the AD Connect server, open AD Connect and select Change user sign-in


Connect to AAD with Global Admin credentials


Select both pass-through authentication and Enable single sign on.


Enter domain admin credentials of the local AD environment on-prem – credentials aren’t stored for later use, this is only used for this single purpose.


Watch it do it’s thing…..


Once pass-through authentication has been installed, you can easily test with a client machine by logging into any AAD SaaS web application such as Office 365, just after logging on e.g., one of the URLs you will see in the browser will be which is the part where the web application is checking with the pass-through auth agent on-prem whether the password is correct or not.


Enabling Single Sign-On

Single Sign-On is not pure straight through authentication, you still need to enter your username as per this video. By default, browsers do not attempt to send credentials to web servers unless the URL is defined as being in the Intranet zone. So, to get Single Sign-On working, you need to allow both and as websites to the local intranet zone. If you have a domain, you can configure this across the board with Group Policy as per the instructions for Single Sign-On.


Self Service Password Reset (SSPR)