
This article gives you technical details into how the Azure Active Directory Seamless Single Sign-On (Seamless SSO) feature works.

How a single user sign-in transaction on a web browser works with Seamless SSO.

If there are multiple AD forests, each computer account will have its own unique Kerberos decryption key. Seamless SSO supports the AES256_HMAC_SHA1, AES128_HMAC_SHA1 and RC4_HMAC_MD5 encryption types for Kerberos.

It is recommended that the encryption type for the AzureADSSOAcc$ account is set to AES256_HMAC_SHA1, or one of the AES types vs. The encryption type is stored on the msDS-SupportedEncryptionTypes attribute of the account in your Active Directory. If the AzureADSSOAcc$ account encryption type is set to RC4_HMAC_MD5, and you want to change it to one of the AES encryption types, please make sure that you first roll over the Kerberos decryption key of the AzureADSSOAcc$ account as explained in the FAQ document under the relevant question, otherwise Seamless SSO will not happen. Once the set-up is complete, Seamless SSO works the same way as any other sign-in that uses integrated Windows authentication (IWA).

How does sign-in on a web browser with Seamless SSO work?

The sign-in flow on a web browser is as follows:

1. The user tries to access a web application (for example, the Outlook Web App - ) from a domain-joined corporate device inside your corporate network.
2. If the user is not already signed in, the user is redirected to the Azure AD sign-in page.
3. The user types in their user name into the Azure AD sign-in page.
   For certain applications, steps 2 & 3 are skipped.
4. Using JavaScript in the background, Azure AD challenges the browser, via a 401 Unauthorized response, to provide a Kerberos ticket.
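As an added example (not from this article or from Microsoft), the following read-only PowerShell check reads the msDS-SupportedEncryptionTypes attribute of the AzureADSSOAcc$ account in each forest and reports whether it is still limited to RC4_HMAC_MD5. It assumes the ActiveDirectory RSAT module is installed and that you can read the account; the function and parameter names are my own.

```powershell
# Added example: report the Kerberos encryption types enabled on the Seamless SSO
# computer account. Read-only; it changes nothing. Roll over the account's Kerberos
# decryption key before you switch the attribute from RC4 to AES (see the FAQ).
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute (MS-KILE section 2.2.7).
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC      = 0x01
    DES_CBC_MD5      = 0x02
    RC4_HMAC_MD5     = 0x04
    AES128_HMAC_SHA1 = 0x08
    AES256_HMAC_SHA1 = 0x10
}

function Get-SeamlessSsoEncryptionTypes {
    param(
        [string]$AccountName = 'AzureADSSOAcc$',
        [string]$Server                # optional DC or domain FQDN; run once per AD forest
    )
    $query = @{ Identity = $AccountName; Properties = 'msDS-SupportedEncryptionTypes' }
    if ($Server) { $query.Server = $Server }
    $account = Get-ADComputer @query

    # An unset attribute casts to 0: the KDC then applies the domain default,
    # which on most domains still means RC4_HMAC_MD5, so treat 0 as "not AES".
    $raw     = [int]$account.'msDS-SupportedEncryptionTypes'
    $enabled = @($EncTypeFlags.Keys | Where-Object { ($raw -band $EncTypeFlags[$_]) -ne 0 })
    $hasAes  = ($raw -band ($EncTypeFlags.AES128_HMAC_SHA1 -bor $EncTypeFlags.AES256_HMAC_SHA1)) -ne 0
    $hasRc4  = ($raw -band $EncTypeFlags.RC4_HMAC_MD5) -ne 0

    $status = if (-not $hasAes)  { 'RC4 or domain default only: roll over the decryption key, then move to AES' }
              elseif ($hasRc4)   { 'AES enabled but RC4 still allowed: consider clearing the RC4 bit' }
              else               { 'AES only (recommended)' }

    [pscustomobject]@{
        Account       = $account.DistinguishedName
        RawValue      = ('0x{0:X}' -f $raw)
        EnabledTypes  = ($enabled -join ', ')
        AesEnabled    = $hasAes
        Rc4Enabled    = $hasRc4
        Status        = $status
    }
}

# Usage: one call per forest, e.g. Get-SeamlessSsoEncryptionTypes -Server 'corp.example.com'
Get-SeamlessSsoEncryptionTypes | Format-List
```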
