- The user creates an account.
- The user's password is hashed and stored in the database.
- When a user tries to log in, the hash of the password they entered is checked against the hash of their real password (retrieved from the database).
- If the hashes match, the user is granted access; if not, the user gets the message "Invalid login credentials".
- Every two minutes, the password sync agent on the Azure AD Connect server requests the stored password hashes from a DC using the replication protocol (MS-DRSR), the same protocol the DCs use to sync data among themselves.
- Before sending, the DC encrypts the MD4 password hash with a key derived as the MD5 hash of the RPC session key and a salt. The DC also passes the salt to the synchronization agent over the DC replication protocol so that the agent can decrypt the envelope.
- The agent uses MD5CryptoServiceProvider and the salt to generate the key that decrypts the received data back to its original MD4 format; the password synchronization agent never has access to the clear-text password.
- The password synchronization agent's use of MD5 is only for replication-protocol compatibility with the DC, and it is used only on-premises, between the DC and the password synchronization agent.
- The password sync agent expands the 16-byte binary password hash to 64 bytes by first converting the hash to a 32-byte hexadecimal string, then converting this string back into binary with UTF-16 encoding.
- The password sync agent adds a 10-byte salt to the 64-byte binary to further protect the original hash, then feeds the combined MD4 hash plus salt into the PBKDF2 function.
- The password sync agent takes the resulting 32-byte hash, concatenates the salt and the number of SHA256 iterations to it, and transmits the string from Azure AD Connect to Azure AD over SSL.
- When the user later signs in to Azure AD and enters the password, it is run through the same MD4+Salt+PBKDF2+HMAC-SHA256 process; if the result matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.
Photo courtesy of Microsoft