
The purpose of this article is to explain why end-users on Azure AD joined (AADJ) devices are presented with the Windows logon reminder "Windows needs your current credentials."

Explaining Windows logon with an Active Directory (AD) domain:

When an end-user logs into a Windows device that is joined to an Active Directory domain for the first time, that device must contact an AD domain controller to obtain a token to access the computer. Specifically, the computer locates a Key Distribution Center (KDC), a role hosted on every domain controller, and retrieves a Kerberos ticket-granting ticket (TGT) for the user. Windows devices that are joined to an AD domain therefore get the benefit of SSO, also known as Windows Integrated Authentication (WIA), through the Kerberos protocol. This works by exchanging the TGT the device retrieved during the initial logon for a service ticket that can be used for the application or service being accessed, which eliminates the need to enter a username and password in a credential prompt.

Explaining Windows logon with an Azure Active Directory (AAD) tenant:

When a user logs into a Windows device joined to an Azure Active Directory tenant for the first time, the device must contact AAD's EVO Security Token Service (ESTS) to obtain a token to access the computer. The computer reaches out to the ESTS's OAuth 2.0 token endpoint to obtain what is known as a Primary Refresh Token (PRT). Similar to Active Directory's Kerberos TGT, the PRT is used to provide single sign-on to applications and services that are federated with Azure AD. Because the PRT stands in for the user's credentials for as long as it is valid, it is a high-value secret; on devices that have a TPM, the key used to protect it is held in the TPM.

How can an application or service be federated with Azure AD?

Applications or services can be federated with AAD in a couple of ways:
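As an added example that is not part of the original article, the following PowerShell reports which of the two SSO credentials described in the logon sections above (a Kerberos TGT from a domain controller and an Azure AD PRT from the ESTS token endpoint) a device currently holds, by parsing the output of dsregcmd /status and klist. The function names, the -Sample switch and the sample output lines are constructed for this example; the field names match the Device State and SSO State sections that dsregcmd /status prints.

```powershell
# Added example, not code from the original article. Reports whether a Windows
# device currently holds a Kerberos TGT (AD domain SSO) and/or an Azure AD
# Primary Refresh Token (cloud SSO).
# Assumptions: Windows 10/11 with dsregcmd.exe and klist.exe on PATH. The -Sample
# switch feeds constructed, abbreviated copies of their output so the parsing can
# be exercised offline without touching a domain controller or Azure AD.

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" rows inside boxed sections; the box borders
    # and section titles contain no colon, so they are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-KerberosTgt {
    param([string[]]$KlistLines)
    # klist lists every cached ticket; the TGT is the one whose service is krbtgt/<REALM>.
    return (@($KlistLines | Where-Object { $_ -match '^\s*Server:\s*krbtgt/' }).Count -gt 0)
}

function Get-LogonSsoState {
    param([switch]$Sample)

    if ($Sample) {
        # Constructed sample: Azure AD joined device whose PRT was refreshed recently.
        $dsregOut = @(
            '| Device State                                                         |',
            '             AzureAdJoined : YES',
            '          EnterpriseJoined : NO',
            '              DomainJoined : NO',
            '| SSO State                                                            |',
            '                AzureAdPrt : YES',
            '      AzureAdPrtUpdateTime : 2023-05-01 08:15:02.000 UTC',
            '      AzureAdPrtExpiryTime : 2023-05-15 08:15:02.000 UTC',
            '       AzureAdPrtAuthority : https://login.microsoftonline.com/contoso.onmicrosoft.com'
        )
        # Constructed sample: no Kerberos tickets, as expected with no AD domain.
        $klistOut = @('Current LogonId is 0:0x3e7', '', 'Cached Tickets: (0)')
    } else {
        $dsregOut = & dsregcmd.exe /status 2>&1 | ForEach-Object { "$_" }
        $klistOut = & klist.exe 2>&1 | ForEach-Object { "$_" }
    }

    $s = ConvertFrom-DsregcmdStatus -Lines $dsregOut
    $result = [pscustomobject]@{
        AzureAdJoined  = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined   = ($s['DomainJoined'] -eq 'YES')
        HasPrt         = ($s['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime  = $s['AzureAdPrtUpdateTime']
        PrtExpiryTime  = $s['AzureAdPrtExpiryTime']
        PrtAuthority   = $s['AzureAdPrtAuthority']
        HasKerberosTgt = Test-KerberosTgt -KlistLines $klistOut
        Finding        = 'SSO credential present for every join type reported'
    }

    # A joined device that lacks the matching credential cannot SSO silently
    # until the user authenticates to that directory again.
    if ($result.AzureAdJoined -and -not $result.HasPrt) {
        $result.Finding = 'Azure AD joined but no PRT: cloud SSO unavailable until the user re-authenticates to Azure AD'
    } elseif ($result.DomainJoined -and -not $result.HasKerberosTgt) {
        $result.Finding = 'Domain joined but no Kerberos TGT cached: WIA unavailable until a domain controller is reachable and the user logs on again'
    }
    return $result
}

Get-LogonSsoState -Sample | Format-List
```

Drop the -Sample switch to run the check against the live device; on a hybrid-joined machine both AzureAdJoined and DomainJoined are YES, so both the PRT and the TGT fields are worth reading before concluding which SSO path is failing.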
