SOLVED

Does activating pass-through authentication exclude mobile devices from authenticating?

I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain control).


As I understand it, Password Hash Synchronization is disabled when you enable Pass-Through Authentication. One of the FAQs says that authentication does not automatically fallback to Password Hash when Pass-Through is unavailable.


That's a non-starter if true. I can't imagine that it's true so can someone explain what will actually happen?


Not sure what the question here is? PTA works for any device, as long as the client supports Modern authentication. ActiveSync is also supported. And you can certainly enable password hash sync, it's just that the "fallback" is not automatic. Read here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through is enabled. To enable password hash again you must manually change AD Connect's configuration.
Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to log in, because as long as PTA is active the login attempt will be redirected on-prem.
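
The point above (hashes keep syncing, but sign-ins are routed to the PTA agent until the sign-in method is changed in Azure AD Connect) can be checked from the Azure AD Connect server. The script below is an added example and is not part of this thread or of Microsoft's documentation; it assumes the ADSync module that ships with Azure AD Connect and the MSOnline module are installed, and that tenant admin credentials are entered at the Connect-MsolService prompt. The PTA agent service is located by display name rather than by an assumed service name.

```powershell
# Added example (not from the thread). Run on the Azure AD Connect server
# to confirm that password hash sync keeps running while PTA is the
# sign-in method, and to see which sign-in path is currently active.
# Assumes the ADSync module (installed with Azure AD Connect) and the
# MSOnline module (Install-Module MSOnline) are present.

Import-Module ADSync
Import-Module MSOnline

# 1. Tenant-side feature flags as Azure AD Connect reports them.
#    PasswordHashSync = True means hashes are still being synchronised
#    even though users are not signing in with them while PTA is active.
$features = Get-ADSyncAADCompanyFeature
"PasswordHashSync feature enabled: $($features.PasswordHashSync)"

# 2. Per-connector password sync setting (one entry per on-prem AD forest).
Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    ForEach-Object {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        "Connector $($_.Name): password sync enabled = $($cfg.Enabled)"
    }

# 3. Is a PTA agent running on this box? If it is, sign-ins for the tenant
#    are being forwarded on-prem and the synced hash is not consulted.
$agent = Get-Service |
    Where-Object { $_.DisplayName -like '*Azure AD Connect Authentication Agent*' }
if ($agent) {
    $agent | ForEach-Object { "PTA agent '$($_.DisplayName)': $($_.Status)" }
} else {
    "No PTA agent service installed on this server"
}

# 4. Cloud-side view: does the tenant believe password sync is on, and
#    when did a hash last arrive? A recent LastPasswordSyncTime while PTA
#    is enabled shows that hashes stay current for a later switch back.
Connect-MsolService
$company = Get-MsolCompanyInformation
"Tenant PasswordSynchronizationEnabled = $($company.PasswordSynchronizationEnabled)"
"Tenant LastPasswordSyncTime = $($company.LastPasswordSyncTime)"
```

If step 1, 2 and 4 all report password sync as enabled with a recent sync time while step 3 shows a running agent, hashes are current in the tenant but users are still authenticating on-prem; changing the sign-in method back to password hash synchronization is done through the Azure AD Connect wizard ("Change user sign-in"), not by anything in this script.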

Two last questions! :)

1. Am I correct in understanding that password hashes are still synced even after choosing PTA? The implication being that if I switched back I wouldn't necessarily have to force a full sync because hashes stay current.
2. If I switch to PTA we will not have a problem (presuming use of sufficiently advanced clients and software)? That is, it's something I can do without worry?
Best Response confirmed by Chris Parker (Contributor)
Solution
Vasil's responses helped me to find the answer which is here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.

I was coming from having watched a video demonstration of this, and the presenter only demonstrated an on-prem scenario of single sign-on. The reason I was so confused is that I thought SSO and Pass-Through were synonymous, but they are not. SSO is an additional feature of Pass-Through.