Azure AD Pass-through Authentication and Seamless Single Sign-on

20 Dec

Just a quick guide and some gotchas on Seamless SSO with 365, to give your clients the best and easiest possible experience.

First things first, update to the latest copy of AD Connect, then change it from ‘Password Synchronization’ to ‘Pass-through authentication’ and also enable single sign-on.

Allow-list outbound traffic to *.msappproxy.net in your firewall.

Update GPO: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List

Note: If you don’t see this working/showing on client machines, ensure that the machine you are using to configure the policy has IE ESC (Enhanced Security Configuration) disabled.

Change the setting: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone: Allow updates to status bar via script.

You will also want to change your trusted sites zone settings to allow automatic login:

  1. Open the Group Policy Management Console, and then either create a new Group Policy Object (GPO) or edit an existing GPO.
  2. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Internet Explorer, expand Internet Control Panel, and then click Security Page.
  3. In the details pane, double-click Site to Zone Assignment List.
  4. In the Site to Zone Assignment List Properties dialog box, click Enabled.
  5. In the Site to Zone Assignment List Properties dialog box, click Show.
  6. In the Show Contents dialog box, click Add.
  7. In the Add Item dialog box, type the URL of your Communicator Web Access site (for example, https://cwaserver.contoso.com) in the Enter the name of the item to be added box.
  8. Type 1 (indicating the local intranet zone) in the Enter the value of the item to be added box, and then click OK.
  9. In the Show Contents dialog box, click OK.
  10. In the Site to Zone Assignment List dialog box, click OK.
  11. In the Group Policy Management Editor, click Intranet Zone.
  12. In the details pane, double-click Logon options.
  13. In the Logon options Properties dialog box, click Enabled.
  14. In the Logon options list, click Automatic logon only in Intranet zone, and then click OK.
  15. Close the Group Policy Management Editor.

It’s also worth checking that modern authentication is enabled for your 365 tenant. It is enabled for all new tenants, but older tenants might find that it is disabled. This assumes you are using Office 2016 on your clients; if you are using Office 2013 you will need to make some additional registry changes:

Firstly, check Exchange Online for modern authentication:

And to enable it run:

Then check Skype for Business:

And enable it if required:
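The check-then-enable steps above, as an added PowerShell example (not the post’s own commands). It assumes you already have a session for each service open (e.g. via Connect-ExchangeOnline and a Skype for Business Online session) so the cmdlets resolve; run it without -Enable to audit only.

```powershell
# Added example: report and (optionally) enable modern authentication
# for Exchange Online and Skype for Business Online.
# Assumes existing sessions for both services; -Enable is our own switch.
param(
    [switch]$Enable   # omit to audit only, add to apply the change
)

# --- Exchange Online: OAuth2ClientProfileEnabled controls modern auth ---
$exo = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
Write-Host ("Exchange Online [{0}]: OAuth2ClientProfileEnabled = {1}" -f $exo.Name, $exo.OAuth2ClientProfileEnabled)

if (-not $exo.OAuth2ClientProfileEnabled) {
    if ($Enable) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        Write-Host "Exchange Online: modern authentication enabled."
    } else {
        Write-Warning "Exchange Online: modern authentication is disabled; re-run with -Enable to turn it on."
    }
}

# --- Skype for Business Online: ClientAdalAuthOverride controls modern auth ---
$sfb = Get-CsOAuthConfiguration
Write-Host ("Skype for Business: ClientAdalAuthOverride = {0}" -f $sfb.ClientAdalAuthOverride)

if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
    if ($Enable) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
        Write-Host "Skype for Business: modern authentication enabled."
    } else {
        Write-Warning "Skype for Business: modern authentication is not allowed; re-run with -Enable to turn it on."
    }
}
```

Audit first on a tenant you don’t manage day to day: the change is tenant-wide, and older clients that cannot do modern auth will fall back to basic auth only where that is still permitted.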

All done.
