autologon.microsoftazuread-sso.com – Pass-through Authentication

Pass-through Authentication is quite an interesting alternative to an Active Directory Federation Services deployment. In general it works like this: an Agent installed on the domain controllers pulls the authentication queue from the cloud, authenticates the user and returns that result to the cloud. To date I have not run into any drawbacks of this solution, and it is much simpler and faster to deploy than ADFS, which until recently was my favourite service.


One inconvenience may be the need to add the site autologon.microsoftazuread-sso.com to the Local Intranet zone.

Microsoft's pages describe various methods, but for me the most reliable one is a PowerShell script (if we do this at scale through GPO, we may have to set the PowerShell Execution Policy on the workstations, or use the method from the next post):


Pass-through Authentication is an interesting alternative to the implementation of Active Directory Federation Services. In general it works by having Agents installed on on-premises servers download the authentication requests from the cloud, authenticate the user and return this information to the cloud. To date I have not come across any disadvantages of this solution, and it is much simpler and faster to implement than ADFS, my favourite service until recently.

An inconvenience may be the need to add the autologon.microsoftazuread-sso.com site to the Local Intranet zone.

There are various methods described on Microsoft's pages, but for me the most reliable one is to use the PowerShell script (if we do it at scale using GPO, we may have to set the PowerShell Execution Policy; see the next post):


# Functions from https://github.com/LanLorde/Scritps2/blob/57d714240dc0338da8c7123f33693e092905f53e/PowerShell/LessUsed/OneDriveMapper_v2.53.ps1
function addSiteToIEZoneThroughRegistry {
    Param(
        [String]$siteUrl,
        [Int]$mode = 2  # 1 = Local intranet, 2 = Trusted sites
    )
    try {
        # ZoneMap stores a host as Domains\<last two labels>\<leading labels>,
        # so fold everything before the last two labels into a single subkey name.
        $components = $siteUrl.Split(".")
        $count = $components.Count
        if ($count -gt 3) {
            $old = $components
            $components = @()
            $subDomainString = ""
            for ($i = 0; $i -le $count - 3; $i++) {
                if ($i -lt $count - 3) { $subDomainString += "$($old[$i])." } else { $subDomainString += "$($old[$i])" }
            }
            $components += $subDomainString
            $components += $old[$count - 2]
            $components += $old[$count - 1]
        }
        $domainsKey = "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains"
        if ($count -gt 2) {
            $res = New-Item "$domainsKey\$($components[1]).$($components[2])" -ErrorAction SilentlyContinue
            $res = New-Item "$domainsKey\$($components[1]).$($components[2])\$($components[0])" -ErrorAction SilentlyContinue
            # -Force overwrites an existing "https" value instead of failing when the host is already mapped to another zone
            $res = New-ItemProperty "$domainsKey\$($components[1]).$($components[2])\$($components[0])" -Name "https" -Value $mode -Force -ErrorAction Stop
        } else {
            $res = New-Item "$domainsKey\$($components[0]).$($components[1])" -ErrorAction SilentlyContinue
            $res = New-ItemProperty "$domainsKey\$($components[0]).$($components[1])" -Name "https" -Value $mode -Force -ErrorAction Stop
        }
    } catch {
        return -1
    }
    return $True
}

function checkRegistryKeyValue {
    Param(
        [String]$basePath,
        [String]$entryName
    )
    try {
        $value = (Get-ItemProperty -Path "$($basePath)\" -Name $entryName -ErrorAction Stop).$entryName
        return $value
    } catch {
        return -1  # key or value does not exist
    }
}

# Main
$ssoKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon"
$currentZone = checkRegistryKeyValue -basePath $ssoKey -entryName "https"
if ($currentZone -eq 1) {
    Write-Host "SSO – already exists"
    Exit
}
if ($currentZone -eq 2) {
    Write-Host "SSO – already in wrong place"
    # Write-EventLog needs the "Office365" source registered beforehand (New-EventLog, run elevated); otherwise it throws
    try {
        Write-EventLog -LogName "Application" -Source "Office365" -EventID 666 -EntryType Information -Message "autologon.microsoftazuread-sso.com – exists in Trusted Zones" -Category 1 -RawData 10,20
    } catch {
        Write-Warning "Could not write to the Application log: $_"
    }
    Exit
}
if ((addSiteToIEZoneThroughRegistry -siteUrl "autologon.microsoftazuread-sso.com" -mode 1) -eq $True) { Write-Host "SSO – just enabled" }
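As an added check (not code from the original post), this PowerShell reads the zone of autologon.microsoftazuread-sso.com back out of the registry: it walks the same ZoneMap\Domains layout the script above writes and also looks at the Group Policy Site to Zone Assignment List, which takes precedence over per-user entries when the site is pushed by GPO. The ZoneMapKey policy path and the zone numbering (1 = Local intranet, 2 = Trusted sites) are standard Internet Explorer registry locations, not values taken from the post.

```powershell
# Added example (not part of the original post): report which IE security zone a host resolves to,
# reading the same ZoneMap\Domains layout the script above writes plus the GPO 'Site to Zone
# Assignment List' (HKLM/HKCU ...\Policies\...\ZoneMapKey), which takes precedence over it.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapDomainPath {
    # Mirrors addSiteToIEZoneThroughRegistry: Domains\<last two labels>\<all leading labels joined by '.'>
    Param([String]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { return $null }
    $domain = $labels[-2..-1] -join '.'
    if ($labels.Count -eq 2) { return $domain }
    $sub = $labels[0..($labels.Count - 3)] -join '.'
    return "$domain\$sub"
}

function Get-IEZoneForHost {
    Param([String]$HostName, [String]$Scheme = 'https')
    $result = [ordered]@{ Host = $HostName; Zone = $null; ZoneName = 'not assigned'; Source = 'none' }
    # 1) Group Policy assignments: the value name is the URL (with or without scheme), the data is the zone number.
    foreach ($hive in 'HKLM', 'HKCU') {
        $policy = "$($hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        foreach ($name in "${Scheme}://$HostName", $HostName) {
            $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $v) { $result.Zone = [int]$v; $result.Source = "$hive policy ($name)"; break }
        }
        if ($null -ne $result.Zone) { break }
    }
    # 2) Otherwise the per-user ZoneMap\Domains tree, keyed by scheme, as written by the script above.
    if ($null -eq $result.Zone) {
        $rel = Get-ZoneMapDomainPath -HostName $HostName
        if ($rel) {
            $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$rel"
            $v = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
            if ($null -ne $v) { $result.Zone = [int]$v; $result.Source = "HKCU ZoneMap ($rel)" }
        }
    }
    if ($null -ne $result.Zone -and $ZoneNames.ContainsKey($result.Zone)) { $result.ZoneName = $ZoneNames[$result.Zone] }
    return [pscustomobject]$result
}

# Seamless SSO needs zone 1; zone 2 is the 'wrong place' the script above logs, 'not assigned' means it was never added.
$check = Get-IEZoneForHost -HostName 'autologon.microsoftazuread-sso.com'
if ($check.Zone -eq 1) { Write-Host "OK: $($check.Host) is in '$($check.ZoneName)' via $($check.Source)" }
else { Write-Warning "$($check.Host) is '$($check.ZoneName)' (zone $($check.Zone)) via $($check.Source)" }
```

Running it on a workstation after the GPO or the script above has applied tells you not only whether the host is in the right zone but which mechanism put it there, which is what you need when a per-user entry and a policy entry disagree.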