
CliftonY.46624 (Customer) asked a question.
I'm reposting a question from a post which is closed but apparently never got an answer anyway.
We're migrating our devices to Azure AD joined (no Hybrid Azure AD join). We have on-premises resources, including a file share and numerous Windows Integrated Authentication web services, that need to be accessed seamlessly (SSO, without a password).
According to Microsoft documentation (https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso), Azure AD Connect provides seamless single sign-on to on-premises resources via Kerberos TGT tickets when there is a domain controller in sight.
As part of the synchronization process, Azure AD Connect synchronizes on-premises user information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
- Azure AD sends the name of the on-premises domain the user is a member of back to the device.
- The local security authority (LSA) service enables Kerberos authentication on the device.
Currently Okta manages all of the accounts (people). On-prem AD is integrated with Okta through Directory Integration (Okta AD Agent) and is a profile source in Okta. Office 365 is integrated through WS-Fed/SAML with "User Sync" and password sync enabled. Okta is the IdP for all of the SSO/SAML apps, including Office 365.
Does anyone know if there is a way to make the client (Azure AD joined device) able to access the on-prem resources without a password prompt?
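The Microsoft flow quoted in the question (device learns the on-prem domain from Azure AD, LSA then obtains a Kerberos TGT when a DC is reachable) can be verified on the client itself. The following PowerShell script is an added example, not code from the original post, from Okta or from Microsoft. It checks the join state reported by `dsregcmd`, whether a TGT for the on-prem realm is in the ticket cache, and whether a file share and an IWA web service are reached with Kerberos rather than through NTLM fallback, which can make SSO look like it works while the Kerberos path is actually broken. The realm, share, URL and SPN names are hypothetical placeholders to be replaced with your own.

```powershell
# Added verification script (not from the original post or from Okta/Microsoft tooling).
# Run as the signed-in user in PowerShell on the Azure AD joined Windows client.
# All realm, host, share and SPN names below are hypothetical placeholders.

$Realm  = 'CORP.EXAMPLE.COM'                    # hypothetical on-prem AD realm, uppercase as klist prints it
$Share  = '\\fs01.corp.example.com\data'        # hypothetical on-prem file share
$IwaUrl = 'https://intranet.corp.example.com/'  # hypothetical Windows Integrated Authentication site
$IwaSpn = 'HTTP/intranet.corp.example.com'      # SPN the IWA site must be registered under in AD

function Get-JoinState {
    # dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : NO" for a pure Azure AD join.
    # Newer builds also print "OnPremTgt : YES" under "SSO State" once an on-prem TGT was obtained.
    $out = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = (($out -match '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0)
        DomainJoined  = (($out -match '^\s*DomainJoined\s*:\s*YES').Count -gt 0)
        OnPremTgt     = (($out -match '^\s*OnPremTgt\s*:\s*YES').Count -gt 0)
    }
}

function Test-KerberosTicket {
    param([string]$Spn)
    # klist lists cached tickets as "Server: <spn> @ <realm>" lines; $Spn is matched literally.
    [bool](klist | Select-String -Pattern ("Server:\s*" + [regex]::Escape($Spn)) -Quiet)
}

function Request-ServiceTicket {
    param([string]$Spn)
    # "klist get <SPN>" asks the KDC for a service ticket using the cached TGT.
    # It fails when there is no TGT for the realm or no domain controller is reachable.
    $null = klist get $Spn 2>&1
    Test-KerberosTicket -Spn $Spn
}

function Test-ShareSso {
    param([string]$Path)
    # Test-Path never prompts for credentials: it returns False instead of asking for a password.
    $reachable = Test-Path -Path $Path
    $hostName  = $Path.TrimStart('\').Split('\')[0]
    $kerberos  = Test-KerberosTicket -Spn "cifs/$hostName"
    [pscustomobject]@{ Target = $Path; Reachable = $reachable; Kerberos = $kerberos }
}

function Test-IwaSso {
    param([string]$Url, [string]$Spn)
    # -UseDefaultCredentials sends the signed-in user's Negotiate token; no prompt is ever shown.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        $reachable = ($resp.StatusCode -eq 200)
    } catch {
        $reachable = $false
    }
    [pscustomobject]@{ Target = $Url; Reachable = $reachable; Kerberos = (Test-KerberosTicket -Spn $Spn) }
}

# 1. Join state as the device sees it.
$join = Get-JoinState
'AzureAdJoined={0} DomainJoined={1} OnPremTgt={2}' -f $join.AzureAdJoined, $join.DomainJoined, $join.OnPremTgt

# 2. The on-prem TGT that the quoted Microsoft flow is supposed to produce.
if (-not (Test-KerberosTicket -Spn "krbtgt/$Realm")) {
    Write-Warning "No TGT for $Realm in the cache: no line of sight to a DC, or the signed-in user is not synced from on-prem AD."
}

# 3. Service tickets for the two resource types; failure here points at the DC/SPN side, not the device.
foreach ($spn in @("cifs/$($Share.TrimStart('\').Split('\')[0])", $IwaSpn)) {
    if (-not (Request-ServiceTicket -Spn $spn)) { Write-Warning "Could not obtain a service ticket for $spn" }
}

# 4. Actual access. Reachable=True with Kerberos=False means NTLM fallback, not the Kerberos SSO
#    described in the question; that combination still "works" but is the case to investigate.
Test-ShareSso -Path $Share
Test-IwaSso -Url $IwaUrl -Spn $IwaSpn
```

Run it once while on the corporate network (DC reachable) and once off-network: the TGT check is expected to fail off-network, because the on-prem Kerberos path in the quoted flow depends on DC line of sight, and that contrast separates "no DC reachable" from "SSO misconfigured".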

Hi @CliftonY.46624 (Customer),
Thank you for posting your question on the Okta community!
I have done some research on my end, and it seems that if the on-premises application is independent from the Azure/Okta session, then this should be discussed with Microsoft to see if seamless SSO would be possible; but if the applications are dependent on the Azure/Okta session, you can achieve this by using IWA. I have provided a couple of articles about this functionality below:
I hope that I understood your inquiry and that the above information is helpful!