cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SOLVED

Does activating pass-through authentication exclude mobile devices from authenticating?

Chris Parker
Iron Contributor

‎Mar 22 2018 10:17 AM - last edited on ‎Jan 14 2022 05:34 PM by

‎Mar 22 2018 10:17 AM - last edited on ‎Jan 14 2022 05:34 PM by

Does activating pass-through authentication exclude mobile devices from authenticating?

I was excited to turn on Pass-Through Authentication but as I was going through it I began to wonder if this would prevent mobile devices from authenticating (as well as PCs that aren't under domain control).

 

As I understand it, Password Hash Synchronization is disabled when you enable Pass-Through Authentication. One of the FAQs says that authentication does not automatically fallback to Password Hash when Pass-Through is unavailable.

 

That's a non-starter if true. I can't imagine that it's true so can someone explain what will actually happen?

1,503 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Mar 22 2018 11:58 AM

‎Mar 22 2018 11:58 AM

Re: Does activating pass-through authentication exclude mobile devices from authenticating?

Not sure what the question here is? PTA works for any device, as long as the client supports Modern authentication. ActiveSync is also supported. And you can certainly enable password hash sync, it's just that the "fallback" is not automatic. Read here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

1 Like
Reply
Chris Parker

‎Mar 22 2018 12:20 PM

‎Mar 22 2018 12:20 PM

Re: Does activating pass-through authentication exclude mobile devices from authenticating?

What I'm confused about is the fallback aspect. What does fallback mean in this case? If "fallback" is not automatic, that says to me password hash doesn't work when pass-through in enabled. To enable password hash again you must manually change AD Connect's configuration.
0 Likes
Reply
Vasil Michev

‎Mar 23 2018 12:41 AM

‎Mar 23 2018 12:41 AM

Re: Does activating pass-through authentication exclude mobile devices from authenticating?

Logging in with a synced password doesn't work. The actual password sync process will work. But you need to change the sign-in method before users are able to login, because as long as PTA is active the login attempt with be redirected On-Prem.

1 Like
Reply
Chris Parker

‎Mar 23 2018 08:09 AM

‎Mar 23 2018 08:09 AM

Re: Does activating pass-through authentication exclude mobile devices from authenticating?

Two last questions! :)

1. Am I correct in understanding that password hashes are still synced even after choosing PTA? The implication being that if I switched back I wouldn't necessarily have to force a full sync because hashes stay current.
2. If I switch to PTA we will not have a problem (presuming use of sufficiently advanced clients and software)? That is, it's something I can do without worry?
0 Likes
Reply
best response confirmed by VI_Migration (Silver Contributor)
Chris Parker

‎Mar 23 2018 08:54 AM

‎Mar 23 2018 08:54 AM

Solution

Re: Does activating pass-through authentication exclude mobile devices from authenticating?

Vasil's responses helped me to find the answer which is here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

The key thing for me is the graphic. It shows the flow of authentication and clearly demonstrates that this works on-prem or not.

I was coming from having watched a video demonstration of this and the presenter only demonstrated an on-prem scenario of single sign-on. Why I was so confused is that I thought SSO and Pass-Through were synonymous but they are not. SSO is an additional feature of Pass-Through.
0 Likes
Reply