SOLVED

AAD Join & Onpremise resources SSO

prasad goud
Occasional Contributor

Hi,

I want to join the Windows 10 devices to AAD using AAD Join; by this, I get SSO for resources in the cloud. But do I get SSO for on-premise resources, e.g. file shares and print, etc.?

I have gone through the below articles; I really did not understand how I get a TGT & TGS from on-premise DCs without the computer account in the on-premise Active Directory.
I do not want to use Domain Join + Device registration as I would like to manage client devices in Azure AD using Intune (so only AAD Join, so that I can manage devices using Intune).

Articles I referred to:

https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/
https://blogs.technet.microsoft.com/janketil/2016/01/25/single-sign-on-to-on-premises-resources-from...
https://jankesblog.com/2016/01/single-sign-on-to-on-premises-resources-from-azure-ad-joined-when-onp...

3 Replies
No, in order to get SSO for both you have to set up and use what is called Hybrid Join. Here is an article explaining that: https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devi...
Thank you.
Solution

Hi,

At last I found that it is possible to get both a PRT from AAD & a TGT from on-prem AD for a user logged on to an AAD Join machine (no hybrid, just AAD Join).

We should have Windows 2016 AD DCs to achieve this.

I could get a PRT & TGT once I installed a 2016 DC.
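A way to confirm the state the accepted answer describes (Azure AD joined, not domain joined, PRT present, and an on-prem Kerberos TGT in the user's cache) is to read `dsregcmd /status` and `klist` from the signed-in user's session. The script below is an added example for this thread, not code from the original posts or from Microsoft; `Get-DsregField` and `Test-OnPremTgt` are names chosen here, and `$adRealm` is an assumed placeholder for your on-prem AD DNS domain. Run it as the normal user (not elevated), since `dsregcmd` reports PRT state for the calling user and `klist` lists that user's ticket cache.

```powershell
# Added example (not from the original thread): check that a user on an
# Azure AD joined (non-hybrid) Windows 10 device holds both an Azure AD PRT
# and an on-premises Kerberos TGT.

function Get-DsregField {
    # Parse "Name : Value" lines from dsregcmd /status output into a hashtable.
    # Lines without a colon (table borders, headings) are ignored.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-OnPremTgt {
    # Return $true when klist lists a ticket-granting ticket for the realm,
    # i.e. a line like "Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM".
    # -match is case-insensitive, so the realm may be given in any case.
    param([string[]]$KlistLines, [string]$Realm)
    $pattern = 'Server:\s*krbtgt/' + [regex]::Escape($Realm) + '\s*@'
    foreach ($line in $KlistLines) {
        if ($line -match $pattern) { return $true }
    }
    return $false
}

$adRealm = 'corp.example.com'   # assumption: replace with your on-prem AD DNS domain

$ds = Get-DsregField -Lines @(dsregcmd /status)
$kl = @(klist)

# Expected on a working pure AAD Join with on-prem SSO:
#   AzureAdJoined YES, DomainJoined NO, AzureAdPrt YES, OnPremTgt True.
# AzureAdPrt NO usually means the user signed in without line of sight to
# Azure AD; OnPremTgt False usually means no DC was reachable at sign-in.
[pscustomobject]@{
    AzureAdJoined = $ds['AzureAdJoined']
    DomainJoined  = $ds['DomainJoined']
    AzureAdPrt    = $ds['AzureAdPrt']
    OnPremTgt     = Test-OnPremTgt -KlistLines $kl -Realm $adRealm
}
```

If `AzureAdPrt` is YES but `OnPremTgt` is False, sign out and back in while connected to the corporate network and re-run the check; the TGT is obtained at sign-in, not on demand, so a device that came online after logon will not show one until the next logon.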

 
