SOLVED

Does activating pass-through authentication exclude mobile devices from authenticating?

Chris Parker
Contributor

I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain control).

As I understand it, Password Hash Synchronization is disabled when you enable Pass-Through Authentication. One of the FAQs says that authentication does not automatically fall back to Password Hash when Pass-Through is unavailable.

That's a non-starter if true. I can't imagine that it's true so can someone explain what will actually happen?

5 Replies

Not sure what the question here is? PTA works for any device, as long as the client supports Modern authentication. ActiveSync is also supported. And you can certainly enable password hash sync, it's just that the "fallback" is not automatic. Read here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through is enabled. To enable password hash again you must manually change AD Connect's configuration.

Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to log in, because as long as PTA is active the login attempt will be redirected on-prem.

Two last questions! :)

1. Am I correct in understanding that password hashes are still synced even after choosing PTA? The implication being that if I switched back I wouldn't necessarily have to force a full sync because hashes stay current.
2. If I switch to PTA we will not have a problem (presuming use of sufficiently advanced clients and software)? That is, it's something I can do without worry?
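The first question above (are hashes still synced once PTA is the sign-in method?) can be checked on the Connect server itself. The script below is an added example, not something posted in this thread; it assumes the ADSync PowerShell module that ships with Azure AD Connect, an elevated session on that server, and that the PTA agent runs under the Windows service name AzureADConnectAuthenticationAgent (treat that service name as an assumption and confirm it with Get-Service on your own server).

```powershell
# Added example: report whether Password Hash Sync is still running alongside PTA.
# Assumes the ADSync module installed with Azure AD Connect; run elevated on the Connect server.
Import-Module ADSync

# 1. Tenant-level feature flags as Connect sees them. PasswordHashSync should read True
#    if you left the "Enable password hash synchronization" option on when choosing PTA.
$features = Get-ADSyncAADCompanyFeature
Write-Output ("Tenant feature PasswordHashSync enabled: {0}" -f $features.PasswordHashSync)

# 2. Per-connector check: PHS is configured on each on-premises AD connector,
#    so enumerate those (ConnectorTypeName 'AD') rather than the Azure AD connector.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
foreach ($connector in $adConnectors) {
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
    Write-Output ("Connector '{0}' password sync enabled: {1}" -f $connector.Name, $phs.Enabled)
}

# 3. Is the PTA agent service up? If PHS is on but this service is down, sign-ins still fail,
#    because the tenant's sign-in method is PTA and there is no automatic fallback to PHS.
#    Service name is an assumption; verify it with Get-Service on your server.
$agent = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    Write-Output "PTA agent service not found on this host (agents may run on other servers)."
} else {
    Write-Output ("PTA agent service status: {0}" -f $agent.Status)
}
```

Seeing PasswordHashSync = True here only confirms that hashes keep flowing to the tenant; it does not make PHS the active sign-in method. As the replies say, switching users over to hash-based sign-in is a deliberate change of the sign-in method in the Connect configuration wizard, so keeping PHS enabled is what makes that switch quick when it is needed.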
Solution
Vasil's responses helped me to find the answer which is here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.

I was coming from having watched a video demonstration of this and the presenter only demonstrated an on-prem scenario of single sign-on. Why I was so confused is that I thought SSO and Pass-Through were synonymous but they are not. SSO is an additional feature of Pass-Through.