Tag: Seamless Sign On High Availability

Seamless Sign On and High Availability

Mark GerlowLeave a comment

In my previous articles I’ve written about Seamless Sign On, and for good reason. It’s an absolutely awesome feature Surprised smile. For small and midsize companies wanting to go “up” the Cloud road, not having Exchange, SharePoint and so on, with the high cost, tons of expensive maintenance in their Onprem environment.

Office 365 is, in my humble opinion, the only way to go. But what about the users. Well AADConnect is a must, if you have your own AD. So you have 4 options for authentication…

– User sync but Cloud only password

– Password synchronization

– ADFS Single Sign On

– Seamless Sign On

User sync but Cloud only password

Not really an option in my book. We want to make it easy for the users and not giving them 2 sets of credentials to worry about. (gives us less time to enjoy a good cup of coffee Winking smile)

Password synchronization

Could be a possibility, but why would you force your users to login twice?

ADFS Single Sign On

Absolutely, IF you want to maintain 2 ADFS server, 2 WAP servers and you AADConnect server. ADFS is an awesome feature. But it leaves a fairly large footprint in your infrastructure, especially if you want high availability. Maybe not the best solution for the smaller to midsize company’s.

Seamless Sign On

YESSSS…. You guessed it…. Seamless Sign On to the rescue. First of, I’ve never had an AADConnect service break down, its very stable (Big thanks to the guys at Microsoft Thumbs up). Second, if the server you’ve installed AADConnect on crashes, well users won’t be able to logon. But why bother getting stressed about it? Just make it High Available Winking smile. With the newer versions, you have the option to install AADConnect Authentication Agent.

So, here we go Fingers crossed

First of, a little about my test setup. I have 2 Domain Controllers and one File server. AADConnect is installed on DC01 (I won’t go into the installation process of AADConnect), and I want to install the AADConnect Authentication agent on my File Server.

Logon on to your O365 tenant, and go straight to the Azure Portal –> Go to “Azure Active Directory” –> then to “Azure AD Connect”

image

Click on “agents” (please disregard the warning sign and the 3’rd agent, it was for testing purpose, and it takes a while for Azure to realize, its not there anymore, and I was so excited to write this article, that I didn’t have the patience to wait for it to go away.)

image

At the top left, you have a Download option, this is the agent install file. (I’ve cheated, and already installed it on the File server… Shh…)

image

It’s a Next –> next, finish installation, so no need to document that.

After a short wait, the second “agent” will popup in your view. Now, your Seamless sign on setup as HA…. And yes, it really is that easy.

In my setup I have 2 DC’s, so if the AADConnect DC crashes, the Authentication agent on the File server, still has authentication against the second DC.

The “downside” to this, is you’ll need at least 2 Domain Controllers, for this to work, but with multi-role servers today, I don’t see this as any issue.

Hope you enjoyed, this little write-up. Feel free to comment Winking smile