In today's complex IT landscapes, organizations often operate in hybrid environments, blending on-premises infrastructure with cloud services. Seamless Single Sign-On (SSO) is a critical component for providing a smooth and secure user experience across these diverse systems. This article explores how to achieve seamless SSO in Azure Active Directory (Azure AD) hybrid environments.
What is Seamless SSO?
Seamless SSO, also known as Azure AD Seamless SSO, extends your on-premises Active Directory's Kerberos/NTLM authentication to cloud-based applications integrated with Azure AD. When users sign in on a corporate device connected to the corporate network, whether that device is domain-joined, Azure AD joined or Hybrid Azure AD joined, they can access those cloud applications without re-entering their passwords.
Key Benefits
- Improved User Experience: Eliminates the need for users to remember and enter passwords for multiple applications.
- Enhanced Security: Centralizes authentication and reduces the risk of password spray attacks.
- Simplified Administration: Streamlines the management of user access to cloud resources.
- Cost Reduction: Decreases help desk calls related to password resets.
How it Works
Seamless SSO leverages the existing Kerberos authentication mechanism. When a user logs into a domain-joined machine on the corporate network, their device obtains a Kerberos Ticket-Granting Ticket (TGT). When the user accesses an Azure AD-integrated application from this device, Azure AD can request a Kerberos ticket from the on-premises AD Domain Services. If successful, Azure AD can then issue its own token for the user to access the application.
Prerequisites
- An Azure AD tenant with a custom domain configured.
- Users must be synchronized from on-premises Active Directory to Azure AD using Azure AD Connect.
- The Azure AD Connect server must be running version 1.1.819.0 or later.
- Windows 10 and later devices must be Azure AD joined or Hybrid Azure AD joined.
- Older Windows devices (Windows 7, 8 and 8.1) must be domain-joined.
- Users must be signed in with their domain account.
- The Azure AD endpoints must be trusted by the browser.
Enabling Seamless SSO
Enabling Seamless SSO is a straightforward process primarily managed through Azure AD Connect:
- Download and Install Azure AD Connect: Ensure you have the latest version.
- Run the Azure AD Connect Configuration Wizard:
  - Select "Configure" on the main page.
  - Choose "Change user sign-in."
  - Select "Enable single sign-on."
  - On the "Enable single sign-on" page, check the box for "Enable single sign-on."
  - Provide credentials for a local administrator account in your on-premises AD.
  - The wizard will create a computer account named `AZUREADSSOACC` in your on-premises AD and configure the necessary Group Policy Object (GPO) for the URLs.
- Configure Intranet Zone Settings: Ensure that the Azure AD URLs (https://autologon.microsoftazuread-sso.com and https://aad.windows.net/common/oauth2/token) are added to the intranet zone settings for your users via GPO.
Configuration Example (PowerShell):
While the wizard automates much of this, understanding the underlying GPO configuration is helpful. You can manage the intranet zone settings using PowerShell:
# Map the Azure AD SSO URL to the Local intranet zone for the current user.
# Internet Settings keeps URL zone assignments under ZoneMap\Domains\<domain>\<host>,
# holding a DWORD named after the scheme (here "https") whose value is the zone number.
$zoneMapRoot = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# https://autologon.microsoftazuread-sso.com -> Domains\microsoftazuread-sso.com\autologon
$aadSsoPath = "$zoneMapRoot\microsoftazuread-sso.com\autologon"
New-Item -Path $aadSsoPath -Force | Out-Null
New-ItemProperty -Path $aadSsoPath -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = Local intranet zone

# https://aad.windows.net/common/oauth2/token -> Domains\windows.net\aad
# Zone assignment is per host, so the /common/oauth2/token path is not part of the key.
$aadTokenPath = "$zoneMapRoot\windows.net\aad"
New-Item -Path $aadTokenPath -Force | Out-Null
New-ItemProperty -Path $aadTokenPath -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = Local intranet zone
Troubleshooting
Common issues can arise from incorrect GPO settings, network connectivity problems, or browser configurations. Use the Azure AD Connect Health agent and browser developer tools to diagnose authentication flows.
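Because incorrect zone mapping is the most common cause of a silent fallback to the password prompt, a read-only check of what the browser will actually apply is a useful first troubleshooting step. The following PowerShell function is an added example and not part of the original article; the function name is mine, and it assumes the two URLs named above and that a GPO-delivered Site to Zone Assignment List lands under the HKCU Policies hive, which is checked before the user-managed hive.

```powershell
# Added example: report the Internet Settings zone actually assigned to each Seamless SSO URL.
# Checks the GPO-managed (Policies) hive first, then the user-managed hive, and flags
# any URL that does not resolve to zone 1 (Local intranet), which Seamless SSO requires.
function Test-SeamlessSsoZoneMap {
    param(
        [string[]]$Urls = @(
            'https://autologon.microsoftazuread-sso.com',
            'https://aad.windows.net/common/oauth2/token'
        )
    )
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $roots = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',  # GPO-managed (assumed path)
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'            # user-managed
    )
    foreach ($url in $Urls) {
        $uri = [Uri]$url
        # ZoneMap keys are <domain>\<host labels>, e.g. microsoftazuread-sso.com\autologon;
        # the URL path plays no part in zone assignment.
        $labels = $uri.Host.Split('.')
        $domain = ($labels[-2..-1]) -join '.'
        $sub    = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }

        $zone = $null; $source = 'none'
        foreach ($root in $roots) {
            $key = Join-Path $root $domain
            if ($sub) { $key = Join-Path $key $sub }
            # The DWORD is named after the scheme; a missing key or value simply yields $null.
            $value = Get-ItemProperty -Path $key -Name $uri.Scheme -ErrorAction SilentlyContinue
            if ($value) {
                $zone   = [int]$value.($uri.Scheme)
                $source = if ($root -like '*\Policies\*') { 'GPO' } else { 'User' }
                break   # first hit wins; the policy hive is listed first
            }
        }
        [pscustomobject]@{
            Url      = $url
            Host     = $uri.Host
            Zone     = if ($null -ne $zone) { "$zone ($($zoneNames[$zone]))" } else { 'not mapped' }
            Source   = $source
            SsoReady = ($zone -eq 1)
        }
    }
}

Test-SeamlessSsoZoneMap | Format-Table -AutoSize
```

Run it in the affected user's session, since the mapping is per user; any row with SsoReady set to False points at the GPO or zone setting to correct before looking at network or Kerberos issues.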