How Authentication works for AD joined workstations

Rakesh Kumar 461 Reputation points
2024-01-04T05:19:00.96+00:00

Hi All,

We are planning to have Azure Managed AD for fault tolerance. However, we have some concerns and need your expertise to advise us on how to overcome those challenges/concerns.

Concerns - How will authentication work for on-prem AD joined machines that connect through the corporate network if the on-prem DCs are down?

Current environment - There are two on-prem DCs in two locations which are used for authentication and management of GP for domain-joined systems, VPN, RADIUS and firewall. No VMs in Azure.

Planned environment - keep the same environment and add Azure Managed AD in the Azure tenant to get the flexibility of fault tolerance.

Microsoft Entra

2 answers

  1. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2024-01-05T07:37:19.9666667+00:00

    @Rakesh Kumar

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for advice on the authentication flow for hybrid AD joined devices when your DC is down.

    Please do correct me for any discrepancies by responding in the comments.

    Entra ID supports three types of join states:

    Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.

    Microsoft Entra hybrid joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. If this requirement is a concern, consider Microsoft Entra joining your devices.

    Scenarios that break without line of sight to your domain controllers include:

    • Device password change
    • User password change (Cached credentials)
    • TPM reset.

    A managed environment can be deployed either through Password Hash Sync (PHS) or Pass Through Authentication (PTA) with Seamless Single Sign On.

    These scenarios don't require you to configure a federation server for authentication.

    If you have configured Pass Through Authentication (PTA), the password validation request is sent to on-prem AD for validation, so if your DC is not available then authentication to the device would fail.

    Microsoft Entra pass-through authentication

    If you have configured Password Hash Sync (PHS), the password validation request is sent to Entra ID for validation, as Microsoft Entra Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance.

    This would work even if your DC is not in line of sight of the device.

    What is Microsoft Entra Connect

    Federated environment

    A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the below requirements are already supported.

    • WIAORMULTIAUTHN claim: This claim is required to do Microsoft Entra hybrid join for Windows down-level devices.
    • WS-Trust protocol: This protocol is required to authenticate Windows current Microsoft Entra hybrid joined devices with Microsoft Entra ID. When you're using AD FS, you need to enable the following WS-Trust endpoints:
      /adfs/services/trust/2005/windowstransport
      /adfs/services/trust/13/windowstransport
      /adfs/services/trust/2005/usernamemixed
      /adfs/services/trust/13/usernamemixed
      /adfs/services/trust/2005/certificatemixed
      /adfs/services/trust/13/certificatemixed

    Again, if your DC is down then AD FS won't be able to get the grant from the DC and your authentication would fail.

    • If the user has signed onto the device before, then the device would have a PRT, as during Windows sign-in the Microsoft Entra CloudAP plugin requests a PRT from Microsoft Entra ID using the credentials provided by the user. It also caches the PRT to enable cached sign-in when the user doesn't have access to an internet connection.

    #Updated answer from OP

    It doesn't work as fault tolerance due to the technical limitations it has, as listed below -

    1. It creates a new forest with one-way sync with Microsoft Entra ID
    2. It can only be used for authentication for Azure-based resources like VMs
    3. It cannot sync with on-prem AD

    Please "Accept the answer", "Upvote" and rate your experience. This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
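As an added illustration of the join-state and PRT points made in the answer above (this is not code from the thread or from Microsoft), the following PowerShell script parses the output of the real `dsregcmd /status` tool, reports whether the device is hybrid joined and whether a Primary Refresh Token is cached, and checks whether a domain controller is reachable right now via `Test-ComputerSecureChannel`. The `$SampleStatus` text is constructed in the shape `dsregcmd` prints so the parser can be exercised on a machine without the tool; the `ConvertFrom-DsregStatus`, `Test-DomainControllerReachable` and `Get-SignInPosture` function names are the example's own.

```powershell
# Added example, not code from the Q&A thread. Inspects a Windows device's join state
# with dsregcmd /status, reports whether a PRT is cached, and checks DC reachability.
# $SampleStatus below is constructed (illustrative values) for offline use.

function ConvertFrom-DsregStatus {
    # Turn "Key : Value" lines from dsregcmd /status into a hashtable; box-drawing
    # header lines contain no colon and are skipped.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DomainControllerReachable {
    # $true if the machine's secure channel to a DC can be verified right now.
    # Workgroup machines throw here; treat that as "no DC reachable".
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Get-SignInPosture {
    # Summarise what the parsed state means for sign-in when the DC is unavailable.
    param([hashtable]$State, [bool]$DcReachable)
    $hybrid = ($State['DomainJoined'] -eq 'YES') -and ($State['AzureAdJoined'] -eq 'YES')
    $prt    = ($State['AzureAdPrt'] -eq 'YES')
    $notes  = New-Object System.Collections.Generic.List[string]

    if ($hybrid) {
        $notes.Add('Device is Microsoft Entra hybrid joined; it still needs periodic line of sight to a DC.')
    } elseif ($State['AzureAdJoined'] -eq 'YES') {
        $notes.Add('Device is Microsoft Entra joined; no on-premises DC is required for sign-in.')
    } elseif ($State['DomainJoined'] -eq 'YES') {
        $notes.Add('Device is domain joined only; sign-in relies on a DC or cached domain credentials.')
    } else {
        $notes.Add('Device is neither domain joined nor Microsoft Entra joined.')
    }

    if ($prt) { $notes.Add('A PRT is cached, so cached cloud sign-in works without an internet connection.') }
    else      { $notes.Add('No PRT cached; the next cloud sign-in must reach Microsoft Entra ID.') }

    if (-not $DcReachable -and $State['DomainJoined'] -eq 'YES') {
        $notes.Add('No DC reachable now: device password change, user password change and TPM reset will fail until one is.')
    }

    return [pscustomobject]@{
        HybridJoined = $hybrid
        PrtCached    = $prt
        DcReachable  = $DcReachable
        Notes        = $notes
    }
}

# Constructed sample in the shape dsregcmd /status prints; values are illustrative only.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-04 05:19:00.000 UTC
'@ -split "`r?`n"

# Use the real tool when present; otherwise fall back to the constructed sample.
$raw = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $SampleStatus }
$state   = ConvertFrom-DsregStatus -Lines $raw
$posture = Get-SignInPosture -State $state -DcReachable (Test-DomainControllerReachable)
$posture | Format-List
```

Run it as the signed-in user on the workstation being assessed: `dsregcmd /status` reports the PRT for the current user session, so an elevated or different account will show a different SSO State section. On the constructed sample the script reports a hybrid joined device with a cached PRT; whether the DC-unreachable note appears depends on the machine it runs on.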


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


