Implement Pass through Authentication PTA

In this lesson, we explore the pass-through authentication (PTA) method used in Azure AD Connect. PTA is a secure alternative to Password Hash Synchronization (PHS). Whereas PHS stores user credentials or their hash values in the cloud and handles authentication there, PTA validates credentials in real time against an on-premises Active Directory (AD) during sign-in.

When a user accesses an application such as Outlook Web, the sign-in process begins at Azure Active Directory (Azure AD), which functions as the identity provider. Azure AD displays a webpage prompting the user to enter their username and password. Since the actual password is not stored in Azure AD because of PTA, it cannot independently verify the password. Instead, Azure AD forwards the authentication request to the on-premises AD for validation.

PTA Authentication Process

1. The user's authentication request is enqueued.
2. A dedicated PTA agent continuously polls the queue for pending authentication requests.
3. Upon retrieving a request, the PTA agent forwards the credentials to the on-premises AD.
4. The on-premises AD verifies the username and password:
   • If valid, it notifies Azure AD of successful authentication, granting the user access to the application.
   • If invalid, it informs Azure AD, which then denies access.

Summary

In summary, pass-through authentication ensures that user authentication is performed directly against an on-premises Active Directory with the help of a continuously active PTA agent. This method offers a secure and efficient way to validate user credentials in real time, contrasting with the cloud-based approach of Password Hash Synchronization.

Further Reading

• Azure AD Connect Documentation
• Active Directory Federation Services (AD FS) Overview
• Understanding Authentication Methods in Azure AD