I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain control).
As I understand it, Password Hash Synchronization is disabled when you enable Pass-Through Authentication. One of the FAQs says that authentication does not automatically fall back to Password Hash when Pass-Through is unavailable.
That's a non-starter if true. I can't imagine that it's true so can someone explain what will actually happen?
What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through is enabled. To enable password hash again you must manually change AD Connect's configuration.
Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to log in, because as long as PTA is active the login attempt will be redirected on-prem.
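One way to confirm the point made in this answer (hash sync keeps running while PTA handles sign-in) is to check the Azure AD Connect server directly. This is an added example, not from the thread; it assumes the ADSync module that ships with Azure AD Connect, and the PTA agent service name is an assumption to verify locally.

```powershell
# Added example: verify on the Azure AD Connect server that password hash sync
# is still configured and the scheduler is keeping hashes current while PTA is
# the active sign-in method.
Import-Module ADSync   # installed with Azure AD Connect

# Tenant-level feature flags; PasswordHashSync should still report True
$features = Get-ADSyncAADCompanyFeature
"PasswordHashSync feature enabled: $($features.PasswordHashSync)"

# Per-connector password sync state for the on-prem AD connector
$adConnector = (Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    Select-Object -First 1).Name
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector | Format-List

# Hashes only stay current if the sync scheduler is enabled and cycling
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC

# PTA agent service on this server (service name assumed; confirm in services.msc)
Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# If the hash data looks stale, trigger a delta cycle rather than a full one
# Start-ADSyncSyncCycle -PolicyType Delta
```

If PasswordHashSync reports True and the scheduler is cycling, switching the sign-in method back from PTA does not require a full initial sync; only the sign-in method itself changes.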
1. Am I correct in understanding that password hashes are still synced even after choosing PTA? The implication being that if I switched back I wouldn't necessarily have to force a full sync because hashes stay current.
2. If I switch to PTA we will not have a problem (presuming use of sufficiently advanced clients and software)? That is, it's something I can do without worry?
The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.
I was coming from having watched a video demonstration of this, and the presenter only demonstrated an on-prem scenario of single sign-on. The reason I was so confused is that I thought SSO and Pass-Through were synonymous, but they are not. SSO is an additional feature of Pass-Through.