Office 365 – Federated Authentication and Password Hash Synchronization

Mid to enterprise level organization are using Federated Authentication for Office 365 / Azure. Many organization deploys ADFS in a Farm having High availability and few went ahead and deployed ADFS Farms in 2 datacenters. I know few companies deployed ADFS environment deployed in 2 of their own data centers for high availability and in addition a 3rd instance of ADFS Proxy and ADFS server combination (ADFS service name as with geo load balancing in Azure Cloud (with a writable DC as well in Azure).

Your ADFS deployed like above is fully business continuity plan complaint, users will be able to access Office 365 applications if both ADFS farm in On-Premise datacenter is down.

ADFS federated sign-in authentication with Password Hash Synchronization to Azure AD is good to have option for large enterprises as additional DR. You may have a query why Password Hash Sync is required when ADFS deployed in 3 datacenters and the name says Password Hash Sync to Azure AD which is a SAAS service.

Why you should not worry about Password Hash Sync?

  • In On-Premise, AD stores passwords in the form of a hash value which represents the actual user password.
  • A hash value is a result of a one-way mathematical function. There is no method to revert the result of a one-way function to the plain text version of a password.
  • Password hash cannot be used to sign in to on-premises network.
  • When Password Hash Synchronization enabled, AD has the password stored in a MD4 hash format and DC encrypts the MD4 hash with MD5 hash + Additional Key and send it to AD connect PHS agents. AD Connect PHS agent gets the password in the format of MD5 hash + additional key and it decrypts the MD5 hash using MD5CryptoServiceProvider and the additional key. AD connect PHS agent decrypts the MD5 hash and the it is having the password in MD4 hash.
  • Though the AD Connect PHS Agent decrypts the MD5 hash and the password now available as MD4 hash and no option for the PHS agent to view the clear text password. MD5 hash encryption that was done in AD is only for replicating the MD4 hash to AD Connect server.
  • PHS agent will do many conversions and it results a secured hash (combination of MD4+salt+PBKDF2+HMAC+SHA256) will be synchronized to Azure AD over SSL.

Note: The original MD4 hash is not transmitted to Azure AD. Instead, the SHA256 hash of the original MD4 hash is synchronized. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack.

Enabling Password Hash Sync:

Changing the configuration in AD connect to enable Password Hash Sync as an Authentication option. Password Hash Sync Agent Sync the SHA256 value every 2 minutes once. We can ensure the Password Hash Sync status enabled by checking the Azure AD connect option in Azure AD Portal.

In addition, you can use the below command to check the password hash sync status.

Hope you are enabling Password Hash Sync as an additional option that you can use in case of any issue with your ADFS infrastructure.

Leave a Reply