Single Sign-On in Windows 10

March 4, 2020 by

Greg Belding

They say that simplicity is key in life and this could not apply to anything more than it does to user authentication. Imagine being able to securely use one set of login credentials for not one, not two, but nearly all your login credentials across all of the apps on your Windows 10 system. 

Having a plethora of login credentials that change with every application you use is not only hard to remember but can get messy when you do not have a handy reference for your login credentials. The problem is compounded when you are a normal user in an organization that does not have adequate privileges to install a password manager on your Windows 10 system. 

This article will detail single sign-on (SSO) in Windows 10. We’ll explore what SSO is, the benefits of SSO, how SSO works in Windows 10, the heart of SSO and a little about PRT.

What is single sign-on?

SSO is the answer to the credential conundrum presented above. It is a user and device authentication service and centralized session where one login credential set (username and password, for example) can be used to grant access to multiple applications. This means no more having to remember passwords, no more having to fumble around for the post-it note your credential was scribble on, and best of all, no more forgetting credentials. 

It also helps users with password strength, which may be unduly burdensome when you have a 16-character password. If you use SSO, you will not have to worry about having to remember that behemoth of a password again. 

What are the benefits of single sign-on?

The benefits conveyed are commonly the driving force behind doing something new and SSO may be the epitome of this concept. Below are the strongest benefits of using SSO in Windows 10.

Security

The most important benefit is the stronger security that SSO offers. Instead of storing credentials in applications, credentials are stored by the SSO service on Windows 10’s Cloud Identity Provider (IdP). This frustrates attackers that use phishing to steal credentials by taking advantage of a weak central authentication point.

User experience

The user experience is no doubt improved by not having to specify credentials each time the user wants to move between applications and services. This makes working between applications and services appear seamless to the user.

How single sign-on works in Windows 10

Before we discuss how SSO works, we first need to define how SSO fits into the big picture. In Windows 10, SSO can work with the following categories of applications:

1. Windows integrated authentication services and apps
2. Azure AD-connected apps. These include Office 365 and apps published with Azure AD application proxies
3. Active Directory Federation Services (ADFS) apps

SSO works with both domain joined and Azure AD devices. 

The heart of single sign-on

For historical reference, the traditional method of Windows integrated authentication is a Kerberos ticket-granting ticket, or TGT. When using TGT, users are required to supply login credentials every time an application is accessed. This is the classic login method that most users are comfortable with.

With SSO, a special token is obtained for each of the application types SSO can work with, and this is used to obtain tokens for access to the specific applications. This special token is called a Primary Refresh Token (PRT). PRTs are initially acquired during the Windows Logon process (user login/PC unlock), much like Kerberos TGT. It contains information about the domain device, meaning that device-based conditional access policies without a PRT will result in a denial of access to the application. 

PRT validity and renewal

PRTs have a 90-day validity period with a sliding window of 14 days. This means that if the PRT is used throughout the 90-day validity period, the PRT will be valid for the entirety of the 90-day period. If the PRT is not used within a period of 14 days, it will expire and a new one will have to be obtained. PRTs will also expire if a username or password has changed. 

When SSO is used on an Azure AD or domain-joined device, renewal of the PRT is attempted once every four hours, with this four-hour time period kicking off at the first user login or unlock. Things are a little different for domain-joined devices, where a new PRT is obtained only when there is a line of sight to the domain controller. This would also trigger an Azure AD logon for this device. 

How PRT is used

Below is the five-step process of how PRT is obtained and used in SSO in Windows 10.

1. User enters credentials in the Windows Logon UI
2. Credentials are passed to the Cloud AP Azure AD plug-in for authentication
3. Authentication of user and device to get PRT from Azure AD
4. Cache of the PRT for the Web Account Manager to access it during app authentication
5. Application requests access token to Web Account Manager for a given application service

Conclusion

Windows 10 offers single sign-on (SSO) as an authentication service that covers some distinct security and user experience benefits over and above older authentication services. Instead of Kerberos TGT, SSO uses Primary Refresh Token and uses a strong central authentication point which gives SSO a smarter choice for security sake. 

Organizations that use a significant number of SSO-compatible apps will also see better use of IT and information security resources if they switch over to SSO for authentication. 

Sources

• Single sign-on to applications in Azure Active Directory, Microsoft Azure
• What is single sign-on? How SSO improves security and the user experience, CSO
• How SSO works in Windows 10 devices, Devices, Security and Identity in #Microsoft365 by Jairo Cadena