Forum Discussion
Does activating pass-through authentication exclude mobile devices from authenticating?
I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain control).
As I understand it, Password Hash Synchronization is disabled when you enable Pass-Through Authentication. One of the FAQs says that authentication does not automatically fall back to Password Hash when Pass-Through is unavailable.
That's a non-starter if true. I can't imagine that it's true so can someone explain what will actually happen?
- Vasil's responses helped me to find the answer which is here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-how-it-works
The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.
I was coming from having watched a video demonstration of this and the presenter only demonstrated an on-prem scenario of single sign-on. Why I was so confused is that I thought SSO and Pass-Through were synonymous but they are not. SSO is an additional feature of Pass-Through.
Not sure what the question here is? PTA works for any device, as long as the client supports Modern authentication. ActiveSync is also supported. And you can certainly enable password hash sync, it's just that the "fallback" is not automatic. Read here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-current-limitations
- Chris Parker (Iron Contributor): What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through is enabled. To enable password hash again you must manually change AD Connect's configuration.
Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to log in, because as long as PTA is active the login attempt will be redirected on-prem.