Forum Discussion
Chris Parker
Mar 22, 2018, Iron Contributor
Does activating pass-through authentication exclude mobile devices from authenticating?
I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain ...
- Mar 23, 2018: Vasil's responses helped me to find the answer, which is here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication-how-it-works
The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.
I was coming from having watched a video demonstration of this and the presenter only demonstrated an on-prem scenario of single sign-on. Why I was so confused is that I thought SSO and Pass-Through were synonymous but they are not. SSO is an additional feature of Pass-Through.
Chris Parker
Iron Contributor
What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through is enabled. To enable password hash again you must manually change AD Connect's configuration.
VasilMichev
Mar 23, 2018, MVP
Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to log in, because as long as PTA is active the login attempt will be redirected on-prem.
- Chris Parker, Mar 23, 2018, Iron Contributor: Two last questions! :)
1. Am I correct in understanding that password hashes are still synced even after choosing PTA? The implication being that if I switched back I wouldn't necessarily have to force a full sync because hashes stay current.
2. If I switch to PTA we will not have a problem (presuming use of sufficiently advanced clients and software)? That is, it's something I can do without worry?