A question about Password Hash Synchronisation (PHS) and single sign-on to an Azure App


Hello,

Can someone please clarify the following for me?

If I have on-premises AD and AD Connect to sync both the user account and their password from on-premises to Azure AD (so the same UPN and password exist at both locations).

Next I have an Azure App and give the user rights to run the app via the Azure MyApps portal.

When the user on-premises goes to access the application in Azure (remember, no AD FS), I assume the user will be asked to log in to Azure AD (albeit the user's name and password will be the same as on-premises).

My questions are:

1:) If the user is asked to log in when accessing the Azure app, is there a way to 'save' this (in a cookie or similar) so the next time the user opens the app it logs straight in with no intervention required from the user?

2:) I realise Windows uses Kerberos tickets and turns the PAC in these Kerberos tickets into Windows tokens (to access securable objects), whereas Azure uses SAML, JWT, OAuth2 and OpenID Connect.

So a different set of protocols, but on a Windows internal network you can use 'pass-through authentication' whereby, if your username and password are the same (NTLM protocol etc.), you can simply log in to the resource you want to access.

Can a similar thing be done when accessing an Azure-hosted app from a Windows AD domain, e.g. rather than remembering the username and password once entered (as in 1 above), simply pass it through and, if it matches the one stored in Azure AD, automatically get an Azure token and access the app with no user prompt?

Thanks

Jo
