Azure Active Directory Password Hash Sync

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. AAD Connect has remained popular since it replaced DirSync and AAD Sync, because of the features and controls it gives the administrator of a small or large organization. In this blog, we are going to focus on Azure Active Directory Password Hash Sync and the authentication methods supported by AAD Connect.

Password Hash Sync

There are two basic types of authentication:

  1. Cloud authentication: Azure AD handles the sign-in process and can also provide SSO. It includes two methods:
     • Password Hash Synchronization
     • Pass-through Authentication
  2. Federated authentication: Azure AD hands off the authentication process to a separate trusted authentication system, for example ADFS (Active Directory Federation Services), Ping Fed, or any other federation provider.

Password Hash Synchronization: As the name suggests, in this method the on-premises account password is synchronized to Azure AD in the form of a hash. But it is not that simple, and we will learn how password hash sync works:

  • Firstly, the password hash sync cycle runs every 2 minutes.
  • The password hash synchronization agent sends a request to a DC asking for the stored password hashes (the unicodePwd attribute). The request goes over MS-DRSR (Directory Replication Service Remote Protocol), the same protocol DCs commonly use to replicate data between themselves. In the MIIS client of AAD Connect we can also specify which DC the AAD agent should communicate with.
  • In response, the DC encrypts the password hash (MD4) with the MD5 hash of the RPC session key and a salt, and sends the result together with the salt to the password hash synchronization agent over RPC, where the agent decrypts it.
  • Once the password hash synchronization agent receives the encrypted envelope, it uses the salt and MD5CryptoServiceProvider to decrypt the envelope back to MD4 format. MD5 is used only for replication protocol compatibility between the DC (Domain Controller) and the password hash synchronization agent; the agent never stores or accesses the password in clear text.
  • The agent then performs a few conversions on the password hash to protect the original hash value:

16-byte binary hash → 32-byte hexadecimal string → 64-byte binary hash (using UTF-16 encoding) → add a 10-byte per-user salt (to make it more secure).

  • At this point the password hash is still in MD4 format. The password hash synchronization agent combines the MD4 hash and the user salt and feeds that value into the PBKDF2 function (password-based key derivation), which runs 1000 iterations of HMAC-SHA256 (HMAC is a hash-based message authentication code, and SHA256 is the hash function used in it).
  • As a result of the above step, the password hash synchronization agent is left with a 32-byte hash. It then concatenates the per-user salt and the number of SHA256 iterations with the 32-byte hash into a string, which is transmitted from AAD Connect to Azure AD over TLS.

The string is in the format MD4+salt+PBKDF2+HMAC-SHA256.

  • Now Azure AD holds the converted on-premises password hash. Whenever the user attempts to sign in to Azure AD with their username and password, the same process runs again and produces a string (hash) value, which is compared with the hash string already stored in Azure AD (the one that came from AAD Connect). If both hash strings match, the user is authenticated; otherwise authentication fails.
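The conversion chain above, written out as an added Python example (not code from the original post or from Microsoft): it starts from the 16-byte MD4 hash the DC hands over, applies the hex, UTF-16 and per-user salt steps, runs PBKDF2-HMAC-SHA256 for 1000 iterations, and shows the comparison done on the sign-in side. The record layout (salt:iterations:hash in hex) and the sample hash and salt are constructed assumptions, not Microsoft's actual wire format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post or from Microsoft. It walks
# the conversion chain the post describes, starting from the 16-byte MD4 (NT)
# hash the DC hands over. The record layout (salt:iterations:hash, hex,
# ":"-separated) is an assumption; the real wire format is not documented.
ITERATIONS = 1000   # HMAC-SHA256 rounds stated in the post
SALT_LEN = 10       # per-user salt length stated in the post

# Constructed sample values for the demonstration, not real credentials.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SALT = bytes(range(SALT_LEN))

def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte MD4 -> 32-char hex string -> 64-byte UTF-16LE buffer."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    hex_str = nt_hash.hex()                  # 32 hexadecimal characters
    return hex_str.encode("utf-16-le")       # 2 bytes per character = 64 bytes

def derive(nt_hash: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the expanded hash and per-user salt; 32 bytes out."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations, dklen=32)

def build_sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> str:
    """What AAD Connect sends to Azure AD: salt + iteration count + 32-byte hash.
    Azure AD never sees the raw MD4 value, only this salted PBKDF2 output."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return "%s:%d:%s" % (salt.hex(), ITERATIONS, derive(nt_hash, salt).hex())

def verify(nt_hash: bytes, record: str) -> bool:
    """Sign-in side: redo the same chain with the stored salt and iteration
    count, then compare against the stored hash in constant time."""
    salt_hex, iters, digest_hex = record.split(":")
    recomputed = derive(nt_hash, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = build_sync_record(SAMPLE_NT_HASH, SAMPLE_SALT)
    print("sync record:", record)
    print("same hash verifies:", verify(SAMPLE_NT_HASH, record))
    print("different hash verifies:", verify(bytes(16), record))
```

Because the per-user salt is applied before PBKDF2, two users with the same on-premises password end up with different records in Azure AD, and the original MD4 hash cannot be read back from what was synchronized.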

Things to consider

  • Whenever password hash synchronization is enabled for the organization, the password complexity policy of on-premises AD overrides the password complexity policy of the cloud.
  • For all users who are in scope of password hash synchronization, the cloud account password is by default set to never expire.
  • The account-expires attribute of on-premises AD does not sync to Azure AD, so even if the AD account is expired, the user will still be able to log in to Azure AD. If the administrator wants to set account expiry for the cloud account, it must be done manually using the Set-AzureADUser command.

Password synchronization not working

If the Office 365 admin portal shows an error that password sync is not working, do not freak out; it can be resolved by following a few easy steps:

  • Verify that the service account created at the time of AAD Connect installation has the 2 mandatory permissions: Replicate Directory Changes and Replicate Directory Changes All.
  • If the above permissions are assigned, then trigger a full password sync forcefully by running the PowerShell script below on the primary AAD Connect server:

# Connector names are case sensitive; check them in the Synchronization Service Manager.
$adConnector  = "Domain.com"
$aadConnector = "aaddomain.onmicrosoft.com - AAD"

Import-Module adsync

# Load the on-premises AD connector
$c = Get-ADSyncConnector -Name $adConnector

# Set the connector-global parameter that forces a full password sync on the next cycle
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable and re-enable password sync between the two connectors to kick off the full sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Note: Make sure to change the values of $adConnector (local AD connector) and $aadConnector (WAAD connector) to match the connector names in your AAD Connect installation.

Pass-through authentication details are in the next blog.

About the Author: Tezinder Singh