<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=111591952803728&amp;ev=PageView&amp;noscript=1">
Skip to content
Our difference

We are on a mission to deliver innovative business transforming technology solutions that exceed our customers’ expectations.
 

Our culture

Our values guide us in everything we do and help shape our culture and customer approach. Find out more about our values and meet some of our team.
 

Our Microsoft Partnership

As a Microsoft Solutions Partner, we’ve been at the centre of the revolutionary changes that technology has brought to every aspect of life and we continue to stand by their side at the centre of tomorrow’s digital transformations.

Microsoft Solutions Partner

Our partners

We have successfully built relationships with multiple partners that prepare businesses for the future.
 

Carbon management

We understand our environmental responsibilities as a UK business and IT Managed Service Provider, and we understand how important it is for our customers to partner with responsible providers.
 

Careers

Our team is made up of a diverse group of people from all around the world, and we all have one thing in common: we’re passionate about providing our customers with outstanding solutions.

Thinking of selling your IT business?

Core is a well funded Microsoft Solutions Partner with a 30 year history of being at the heart of control in IT.

We are supported by our bankers and have funds available for strategic business acquisitions. Together with our successful acquisition track record and a commitment to making deals happen, now is the perfect time to talk to us if you are considering selling your IT business.

If you are interested in discussing a potential exit of your IT business, please complete the form on the right. All correspondence will be treated in the strictest of confidence and a mutual non-disclosure agreement will be exchanged prior to any discussions taking place.

Interactive Microsoft workshops

Our workshops are designed to help you realise the value of Microsoft technologies in your business, gain real value from your investment and transform the way you work.

The workshops are a collaborative and immersive experience; our experts will work with you to identify your business objectives and establish the Microsoft technologies to help you achieve them.
 

Request a workshop

Our range of workshops covers every aspect of the modern workplace including productivity, collaboration, identity, security and compliance and communication, with interactive and engaging sessions that bring the art of the possible to life.

Download our workshop guide

Read more about the interactive workshops we offer, and how they can benefit your business by downloading our guide.

MCI Workshop Introduction

Managed Services

Discover why Core is the first choice for many organisations looking to add flexibility, efficiency, and expertise to their teams.

Cloud Technology

From Microsoft’s leading platforms to bespoke cloud solutions, Core’s range of cloud technology solutions covers everything the modern workplace needs.

Professional Services

Whichever challenges you face on your digital journey, Core's professional services team has a solution to help, from IT Project Management to our innovative Smart Services.

Public Sector

Certified secure solution for the public sector, providing a reliable, flexible, secure and affordable IT solution.

Commercial Sector

Certified commercial sector solutions, covering all your commercial needs from financial and legal services, through to manufacturing.

Download our Frontline Workers white paper

Learn how technology can help to balance productivity with wellbeing for Frontline Workers.

White paper: How technology is revolutionising the health and productivity of frontline workers


Why customers choose us

Since we were founded in 1990 and started our Microsoft journey, we have supported over 10,000 customers on their communications and collaboration projects, and with the introduction of Microsoft's cloud technology, have grown our capabilities significantly across Microsoft 365 and Azure.

What sets us apart is a talented and passionate team who truly love what they do, demonstrating boundless enthusiasm and dedication in every single project.
 

logo-menu-david-lloyd

"It was apparent from day one that Core had a depth of knowledge in Microsoft 365, which we simply hadn’t found anywhere else."

Greater London Authority

"Core has a lot of experience working with the public sector, which was definitely a benefit."

Angel Trains

"There’s such a good working relationship with Core, it’s like having another permanent person in our organisation."

Talbot

"We had a really good, down to earth relationship with a few of the guys, and they know what they are doing."

Read our latest blog articles

Maximising Savings on Azure with Core’s Gain-Share Offer



Future-Proofing Your Business: The Perils of Rushing into Copilot for Microsoft 365
AI for All: How Microsoft's Latest Update on Copilot Opens Doors for all Businesses



Defending Against Modern Cyber Threats with Managed Services
The Core knowledge hub

Stay up-to-date with the latest insights, trends, and discussions from Core's team of subject matter experts through our blog topics and news articles.


Stephen HynesMay 4, 2018 2:54:46 PM8 min read

Can I replace ADFS with AD Connect Seamless Sign-On?

Can I replace ADFS with AD Connect Seamless Sign-On? The simple answer is ‘yes’! Microsoft released an update to Azure AD Connect in June 2017 called Seamless Single Sign-On (also known as SSO) that offers a simpler and more cost-effective SSO solution for Office 365 than ADFS.

AD Connect Seamless Single Sign-On can replace your costly (and potentially complicated) ADFS infrastructure with an additional ‘tick in a box’ on the AD Connect wizard.

Problem

Microsoft’s Single Sign-On solution for Office 365 has traditionally been Active Directory Federation Services (ADFS). ADFS offers the following benefits:

  • Single Sign-On for Office 365/other apps
  • Authentication is on-premise. Login to Office 365 is dependent on Active Directory Account
  • ADFS allows administrators to restrict access to Office 365 using Claim Rules (only allow specific groups/locations access to Office 365 via certain clients)

However, ADFS also brings the following problems:

  • Costly and complicated ADFS setup. The diagram below shows a typical ADFS environment for Office 365 SSO. This is in Azure to provide HA/DR. This structure requires six servers (two DCs, two ADFS Backend and two WAP Front End) just to provide SSO internally for on-premise users accessing Office 365. The Azure infrastructure alone for ADFS for Office 365 needs six Servers (two each for HA).
  • Single Sign-On with ADFS only works internally! For example, John would get SSO in the diagram below as he hits the ADFS Servers when signing into Office 365. Clare would not get SSO, as she hits the WAP Servers when signing into Office 365.

  • Requires technical knowledge to setup and support going forward. Servers also need to be backed up.
  • Additional complicated Claim Rules are required for lockdown of services (only allow specific groups/locations access to Office 365 via certain clients).
  • This almost defeats the object of moving to the cloud, e.g., moving email to Office 365 but being totally reliant on servers (either on-premise or in Azure). If your ADFS Servers are down, no one can sign into Office 365!

sm-managed-infrastructure-260422

The solution? Azure AD Connect with Seamless Sign-On

The solution to having Single Sign-On without ADFS is AD Connect Seamless Single Sign-On.

Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords, or even their usernames, to sign in to Azure AD. This feature provides users with easy access to cloud-based applications without needing any additional on-premise components.

Benefits of Seamless SSO

The diagram below summarises the Seamless SSO progress:

 

The following are the benefits of Seamless SSO:

  • Works in combination with Password Hash Synchronization or Pass-through Authentication
    • Core recommends running Seamless SSO in combination with Password Hash Synchronization. This ensures that users on the corporate network get SSO, but users can still sign into Office 365 if the corporate network/AD Connect is down using the Password Hash Method.
  • Users are automatically signed into both on-premise and cloud-based applications when on the corporate network.
  • Users do not have to enter their passwords repeatedly.
  • Users outside the corporate network can sign in using the normal username and password method required with Password Hash Synchronization.
  • No additional components/servers are required. AD Connect Wizard with tick in a box (see below) and a GPO.

  • Allows you to register non-Windows 10 devices with Azure AD without ADFS. This allows you to use it with Azure Device Based Conditional Access.
  • Seamless SSO is an opportunistic feature. If it fails for any reason, the user sign-in experience goes back to its regular behavior, i.e., the user must enter their password on the sign-in page.
  • It’s free! Seamless SSO is a free feature and you don't need any paid editions of Azure AD to use it.
  • Sign-out is supported. This allows users to choose another Azure AD account to sign in with, instead of being automatically signed in using Seamless SSO.
  • You don’t need to open any inbound ports. Web Application Servers need inbound 443 traffic to them. This could be seen as a security risk and will require protection; possibly a Web Application Firewall and maybe even a Pen Test.
  • Seamless SSO is supported on web browser-based clients and Office clients that support modern authentication on platforms and browsers capable of Kerberos authentication.

The table below shows supported browsers.

(* Requires additional configuration)

Technical Details

How does the sign-in on a web browser with Seamless SSO work?

Below details the sign-in flow on a web browser:

  • User tries to access a web application (for example, Outlook Web App https://outlook.office365.com/owa/) from a domain-joined corporate device inside your corporate network.
  • If the user is not already signed in they are redirected to the Azure AD sign-in page.
  • The user types their username into the Azure AD sign-in page. (For certain applications the user gets a silent sign-on experience (i.e., no need for your users to even input their usernames)
  • Using JavaScript in the background, Azure AD challenges the browser via a 401 unauthorised response, to provide a Kerberos ticket.
  • The browser, in turn, requests a ticket from Active Directory for the AZUREADSSOACC computer account (which represents Azure AD).
  • Active Directory locates the computer account and returns a Kerberos ticket to the browser, encrypted with the computer account's secret.
  • The browser forwards the Kerberos ticket it acquired from Active Directory to Azure AD.
  • Azure AD decrypts the Kerberos ticket which includes the identity of the user signed into the corporate device, using the previously shared  key.
  • After evaluation, Azure AD either returns a token back to the application or asks the user to perform additional proofs, such as Multi-factor Authentication.
  • If the user sign-in is successful, the user can access the application.

The diagram below shows the flow and steps:

FAQs

Below are some of the most common issues put to Core around replacing ADFS with AD Connect Seamless SSO…

We use ADFS Claims Rules to restrict access to Office 365

Core Answer: Conditional Access should be used to restrict access to Office 365 via Device/Location or MFA. Please note: requires Azure AD Premium License.

We use ADFS for SSO to external hosted applications

Core Answer: Replace this with Azure Single Sign-On for Enterprise Apps. This ensures the SSO solution is truly in the cloud. Many vendors already offer a template for Azure SSO in the Azure Portal Gallery. If the 3rd party app is not listed, Azure provides instructions on how to develop Azure SSO for non-gallery apps. This also ensures the 3rd party app can have Conditional Access Rules.

We use ADFS for our own on-premise applications...

Core Answer: Could this be replaced with Azure Application Proxy to ensure a single-pane (myapps.microsoft.com) for getting access to applications?

We use ADFS for authentication of older applications, e.g., Office 2010

Core Answer: With Office 2010, ADFS does not offer full SSO. It uses basic authentication and actually goes via the WAP servers, so your experience is no different than using Password Hash Synchronization. ADFS works with modern authentication applications. It is 2018! Time to move away from Office 2010 to applications that support modern authentication, for example, Office 2016.

Isn’t ADFS more secure than using Seamless SSO with Password Hash Sync?

Core Answer: Why? ADFS requires inbound 443 access to a server in the corporate DMZ. AD Connect only requires outbound traffic. Also, connections to Office 365 can be restricted to only corporate devices using Conditional Access.

Is it a big project to replace ADFS with AD Connect Seamless Sign-On?

Core Answer: No. We would normally recommend POC stage with a test domain to test user experience. Once this is done, the cut-over can be done out of hours on the live domain.

e book workshop

User Experience of Azure AD Connect Seamless SSO

The following section shows the end user experience of Azure AD Connect Seamless SSO from a domain joined machine (Windows 10).

User logs onto Windows 10 domain joined machine. This is their first time logging onto this machine, and they open up Internet Explorer.

Internet Explorer opens

User enters the address https://outlook.office365.com. User is signed straight in- no username or password.

 

Gotchas

As with most Microsoft solutions, Azure AD Connect Seamless SSO does have some flaws, although these are relatively few. Issues include:

Client App

  • Not all client apps support AD Connect Seamless SSO. The Client App needs to support Modern Authentication, e.g., Outlook 2016 or Outlook 2013 (with a reg key change).
  • It is supported on web browser-based clients and Office clients that support modern authentication on platforms and browsers capable of Kerberos authentication.
  • Upgrade to Office 2016 if your business is still using this; it is 2018 after all! Any third party apps (e.g., Outlook plugins) that do not support above Outlook 2010.  Don’t let this hinder your cloud SSO solution journey.  Contact the vendor to discuss why their application/plug-in needs to be future proof.

Alternate ID

  • When using Outlook for connecting to Office 365, Microsoft’s documentation states the following:

“Seamless SSO supports Alternate ID as the username when configured in Azure AD Connect as shown here. Not all Office 365 applications support Alternate ID.”

  • From Core’s experience, AD Connect Seamless SSO for Outlook with Office 365 works best with the default ‘User Principal Name’ for Azure AD Connect Username.
  • Although Alternate ID is possible, the user experience is poor as Outlook is hardcoded to use the User Principle Name from Active Directory on initial autodiscover/setup.
  • This meant that, during setup, although we did not have to enter the password we did have to change the username to match the email address. We are, of course, happy to be proven wrong, but this is our experience to date.

Core’s advice? Use the User Principle Name as the Azure AD sign-in.

For more information on how to make your Office 365 environment as secure as it can be, download Core's FREE Office 365 Security Best Practices. It's full of useful tips and information to help you maximise the security of your Office 365.

 

sm-smartservices-310522