sid-7401 asked, piaudonn commented

Can we add another password service, like password hash sync, as a backup for AD FS?

I have configured AD FS password authentication. Now I have a question: if AD FS goes down for any reason, how do I cope with this situation? Please help me with steps to add another password authentication service as a backup for AD FS.

Tags: azure-active-directory, adfs, azure-ad-password-hash-sync

Are you using ADFS for the sole purpose of doing SSO with Azure AD workloads (such as Office 365)? If so, you do not need ADFS. You can use Azure Active Directory Seamless Single Sign-On.

1 Vote

@piaudonn, not for SSO, brother, but many organizations are not comfortable keeping their password hashes with a third party; they are more comfortable keeping their auth on-prem. Maybe it is their security audit dependency.

0 Votes

Well, that's the beauty of the proposed solution with Azure Active Directory Seamless Single Sign-On. When used with Pass Through Authentication, you do not have to enable Password Hash Synchronization at all.

I would recommend looking at the technical specs behind PHS: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization. You don't synchronize passwords, but the hash (non-reversible) of the hash (so the non-reversible hash of a non-reversible hash). And quite frankly, when we see the security benefits (such as Leaked Credentials detection), the pros largely outweigh the cons.

0 Votes

1 Answer

michev answered

You should properly design your AD FS infrastructure to avoid such scenarios; the recommended config is 2+2 servers for HA. Password hash sync is not a "backup" solution, it's more of a "fall back", plus it will not work for any other RPTs you might have configured on your farm.

In any case, read here: https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx
