Pass Through Authentication. Define "High Availability" please

Does PTA simply round-robin between each PTA Agent? If PTA does not do deterministic load balancing, then what does it do?
K B asked:

Mahesh (Architect) commented:
PTA is simply an authentication mechanism; it can't do load balancing.

You need some other means to do load balancing, like NLB, HLB, or round-robin DNS for that matter.
0
arnold commented:
What is the context of your question?
PTA is configured with server/s to whom it forwards or through which it proxies. So if there is a single resource on the other side and that resource is unavailable, then authentication fails.
PTA for "high availability" should have two or more systems that can be used to authenticate/authorize and two or more on the destination.

i.e. PTA is made of two or more systems that are queried for authentication.
These systems are forwarding/proxying the requests to two or more servers capable of responding.

MS covers the description
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

If you have two federated server endpoints to whom PTA can forward/query, so long as your Internet feed stays up and one of the servers is running and responding, you achieve high availability. If your Internet feed drops, your single sign-on will fail until the Internet feed is restored.
Locating a federation server at another location will provide an alternate destination as well as increase your high availability.
0
Learnctx (Engineer) commented:
Does PTA simply round-robin between each PTA Agent? If PTA does not do deterministic load balancing, then what does it do?

To answer your specific question about PTA high availability and load balancing, PTA HA is achieved by installing the PTA agent on multiple servers. This also automatically achieves what you might describe as load balancing. To explain this further, the agents do not receive inbound communications, they only poll outbound to the AAD STS for any pending authentication requests. This means that at any time any 1 of your PTA agent servers might get the next authentication request. You can have 1 server, 2 servers, 20 servers, etc. Of course if you only have 1 Internet link, well you know that is a single point of failure. There is no load balancing done from the AAD side of things. I don't know if I would quite describe it as round robin, maybe more like a random first in first out scenario at any given point in time. See the MS documentation around PTA here. Specifically you would be interested in:

On-premises Authentication Agents that listen for, and respond to, password validation requests only make outbound connections from within your network. There is no requirement to install these Authentication Agents in a perimeter network (DMZ).
1
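The pull-based model described above (agents only poll outbound, the cloud STS holds pending requests, whichever agent asks first gets the next one) can be made concrete with a small simulation. This is an added illustration written for this thread, not Microsoft's code or protocol; CloudSts, PtaAgent and simulate are constructed names, and the queue behaviour is a simplified model rather than the real STS implementation.

```python
import random
from collections import deque

class CloudSts:
    """Constructed model of the Azure AD STS side of PTA: it only queues
    pending password-validation requests and never connects to an agent."""
    def __init__(self):
        self.pending = deque()
        self.served_by = {}  # request id -> name of the agent that took it

    def submit(self, req_id):
        self.pending.append(req_id)

    def next_request(self, agent_name):
        """Hand the oldest pending request to whichever agent asks first."""
        if not self.pending:
            return None
        req_id = self.pending.popleft()
        self.served_by[req_id] = agent_name
        return req_id

class PtaAgent:
    """Constructed model of an on-premises agent: outbound polling only."""
    def __init__(self, name, online=True, internet_up=True):
        self.name, self.online, self.internet_up = name, online, internet_up

    def poll(self, sts):
        # A stopped agent, or one whose Internet link is down, simply never
        # asks for work; the cloud side has nothing to detect or route around.
        if self.online and self.internet_up:
            return sts.next_request(self.name)
        return None

def simulate(agents, n_requests, seed=0):
    """Queue n_requests, let agents poll in an arbitrary order each cycle, and
    return (request -> agent map, number of requests nobody could serve)."""
    rng = random.Random(seed)
    sts = CloudSts()
    for i in range(n_requests):
        sts.submit(f"req-{i}")
    for _ in range(n_requests):  # enough cycles for one agent to drain all
        for agent in rng.sample(agents, len(agents)):  # no fixed order
            agent.poll(sts)
    return sts.served_by, len(sts.pending)

if __name__ == "__main__":
    fleet = [PtaAgent("agent-a"), PtaAgent("agent-b", online=False), PtaAgent("agent-c")]
    served, unserved = simulate(fleet, 6)
    print(served, "unserved:", unserved)
```

With one agent stopped the remaining agents still drain the queue, while taking every agent's Internet link down leaves all requests unserved, which is the single point of failure the answer warns about.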


Adam Brown (Sr Solutions Architect) commented:
There's no need for load balancing with PTA agents because it's not a solution that accepts incoming connections. Load Balancing allows multiple servers to accept incoming connections from a single virtual IP address. Since the PTA agents only do outbound connections to Azure AD (and keep that connection open), there's no need for load balancing. Multiple agents connect to Azure AD and AAD will use whichever one gives the information it needs first.
0
Mahesh (Architect) commented:
In the first place, if OP had asked for Azure PTA, he could have got the appropriate answer.
0
K B (Author) commented:
Most complete and direct solution .. Thank you!
Mahesh, you are correct, I will try to be more detailed next time.
0