Pass Through Authentication. Define "High Availability" please

Does PTA simply round-robin between each PTA Agent? If PTA does not do deterministic load balancing, then what does it do?
K B asked:
Learnctx (Engineer) commented:
Does PTA simply round-robin between each PTA Agent? If PTA does not do deterministic load balancing, then what does it do?

To answer your specific question about PTA high availability and load balancing, PTA HA is achieved by installing the PTA agent on multiple servers. This also automatically achieves what you might describe as load balancing. To explain this further, the agents do not receive inbound communications, they only poll outbound to the AAD STS for any pending authentication requests. This means that at any time any 1 of your PTA agent servers might get the next authentication request. You can have 1 server, 2 servers, 20 servers, etc. Of course if you only have 1 Internet link, well you know that is a single point of failure. There is no load balancing done from the AAD side of things. I don't know if I would quite describe it as round robin, maybe more like a random first in first out scenario at any given point in time. See the MS documentation around PTA here. Specifically you would be interested in:

On-premises Authentication Agents that listen for, and respond to, password validation requests only make outbound connections from within your network. There is no requirement to install these Authentication Agents in a perimeter network (DMZ).
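One way to verify the arrangement described above (several agents, each making outbound connections only), as an added PowerShell check that is not from this thread: it confirms on each listed agent server that the agent service is running and holds an established outbound HTTPS session, then flags the deployment when fewer than two agents are healthy. The server names are constructed, and the service name and remote port 443 are assumptions to confirm against your own environment and the Microsoft documentation.

```powershell
# Added example, not from the thread. The server list is constructed; the
# service name and the outbound port (443) are assumptions for your environment.
$Servers     = @('pta01', 'pta02', 'pta03')
$ServiceName = 'AzureADConnectAuthenticationAgent'

$healthy = foreach ($server in $Servers) {
    # Servers that cannot be reached are skipped silently and so count as unhealthy.
    Invoke-Command -ComputerName $server -ErrorAction SilentlyContinue -ArgumentList $ServiceName -ScriptBlock {
        param($svc)
        $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $service -or $service.Status -ne 'Running') { return }

        # The agent only polls outbound, so look for an ESTABLISHED session owned
        # by the agent's process rather than for any listening port.
        $agentPid = (Get-CimInstance Win32_Service -Filter "Name='$svc'").ProcessId
        $outbound = @(Get-NetTCPConnection -OwningProcess $agentPid -State Established -RemotePort 443 -ErrorAction SilentlyContinue)
        if ($outbound.Count -gt 0) {
            [pscustomobject]@{ Server = $env:COMPUTERNAME; OutboundSessions = $outbound.Count }
        }
    }
}

$healthy = @($healthy)   # normalise: null, one object or many objects -> array
$healthy | Format-Table -AutoSize

# HA means at least two agents able to pick up pending requests at any moment.
if ($healthy.Count -lt 2) {
    Write-Warning "Only $($healthy.Count) healthy PTA agent(s) found: this deployment is not highly available."
} else {
    Write-Output "$($healthy.Count) healthy PTA agents are polling Azure AD."
}
```

Run it from a host with PowerShell remoting to the agent servers; a single internet egress path remains a shared point of failure that this check cannot see.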
PTA is simply an authentication mechanism;
it can't do load balancing.

You need some other means to do load balancing, like NLB, HLB, or round-robin DNS for that matter.
What is the context of your question?
PTA is configured with server/s to whom it forwards or through which it proxies. So if there is a single resource on the other side and that resource is unavailable, then authentication fails.
PTA for "high availability" should have two or more systems that can be used to authenticate/authorize and two or more on the destination.

i.e. PTA is made of two or more systems that are queried for authentication.
These systems are forwarding/proxying the requests to two or more servers capable of responding.

MS covers the description.

If you have two federated server endpoints to whom PTA can forward/query, so long as your Internet feed stays up and one of the servers is running and responding, you achieve high availability. If your Internet feed drops, your single sign-on will fail until the Internet feed is restored.
Locating a federation server at another location will provide an alternate destination as well as increase your high availability.

Adam Brown (Sr Solutions Architect) commented:
There's no need for load balancing with PTA agents because it's not a solution that accepts incoming connections. Load Balancing allows multiple servers to accept incoming connections from a single virtual IP address. Since the PTA agents only do outbound connections to Azure AD (and keep that connection open), there's no need for load balancing. Multiple agents connect to Azure AD and AAD will use whichever one gives the information it needs first.
In the first place, if OP had asked for Azure PTA, he could have got the appropriate answer.
K B (Author) commented:
Most complete and direct solution. Thank you!
Mahesh, you are correct, I will try to be more detailed next time.