
Ninety percent of breaches still begin with a stolen credential, and on-premises directories remain the prime target. Active Directory turned 25 this year, yet most enterprise identity stacks still rely on Kerberos tickets issued by domain controllers your auditors barely understand. The result: hybrid architectures where Entra ID sits on top of legacy AD, Seamless SSO opens silent attack paths, and ADFS lingers despite Microsoft's quiet deprecation.
This guide steps outside vendor playbooks. You will find a protocol decision framework that maps Kerberos, SAML, OIDC, and FIDO2 to concrete on-prem use cases, a pragmatic path for organizations without P1/P2 licensing, hardening recipes for Kerberos delegation, and a compliance matrix tied to NIS2, GDPR, and PCI-DSS 8.x. The objective: give architects and CISOs the technical clarity to secure single sign-on across hybrid estates without rebuilding the directory.
What On-Prem SSO Really Means in a Hybrid World
Core mechanics: Kerberos, LDAP, SAML and OIDC against Active Directory
On-prem single sign-on starts at the Local Security Authority. When a user signs in, the LSA requests a Ticket-Granting Ticket from a located domain controller, then exchanges service tickets for each on-prem resource. Entra Connect or Cloud Sync replicates UPN, SAM Account Name and domain attributes upward, so an Entra-joined device receives its Primary Refresh Token alongside the on-prem domain hint. From there, the device reaches file shares, printers and LOB applications through Kerberos or NTLM via the located DC.
SAML and OIDC handle federated web apps, but the directory of truth stays on-prem. The DC remains authoritative for RDP sessions, thick clients, SCADA/OT segments and air-gapped workloads where no cloud IdP has line of sight.
Why Seamless SSO is flagged as a security risk
Seamless SSO relies on the AZUREADSSOACC$ computer account in Active Directory. Its Kerberos key never rotates by default, exposing the tenant to Silver Ticket forging: an attacker with the hash can mint valid service tickets for any federated user. Microsoft now recommends moving to Cloud Kerberos Trust, FIDO2 security keys, or certificate-based authentication for phishing-resistant access.
Choosing Your Protocol: Decision Matrix for On-Prem SSO
Side-by-side comparison: Kerberos, SAML, OIDC, LDAP, FIDO2
Protocol choice dictates your attack surface for the next decade. The matrix below scores each option against the criteria that matter to a security architect deploying on-prem SSO.
| Criterion | Kerberos | SAML | OIDC | LDAP | FIDO2 |
|---|---|---|---|---|---|
| Legacy app support | High | Medium | Low | High | Medium (via AD bridge) |
| Phishing resistance | Low | Low | Medium | Low | High |
| Hybrid readiness | Medium | High | High | Low | High |
| Offline capability | Yes | No | No | Yes | Yes |
| Licensing cost | Included | Variable | Low | Included | Hardware only |
| Deployment complexity | Medium | High | Medium | Low | Low |
| Audit granularity | Medium | High | High | Low | High |
Verdicts: thick clients → Kerberos; web SaaS → SAML or OIDC; RDP/RemoteApp → Kerberos + FIDO2; OT networks → LDAP + FIDO2 bridge.
Decision flowchart and protocol mixing
Mix protocols deliberately. Keep Kerberos for Windows-integrated resources, SAML for federated SaaS proxied to AD, FIDO2 as the universal authenticator. Enforce strict SPN hygiene, consistent UPN claims, and a single session cookie to avoid double prompts.
Three On-Prem SSO Architectures Without ADFS or Entra ID P1/P2
Architecture 1 — Kerberos-only with native Active Directory
Stick to what the domain controller already provides: SPNs registered with setspn, Windows-Integrated Authentication on IIS, and Group Policy pushing browser whitelists. No extra IdP, no cloud dependency. Coverage stops at intranet applications speaking Kerberos or NTLM.
Architecture 2 — SAML proxy bridged to AD for SaaS and legacy web apps
A lightweight SAML identity provider (Keycloak, SimpleSAMLphp, Shibboleth) bridged to AD reads users via LDAP, issues assertions to SaaS, and brokers OIDC for modern apps. No Entra Connect, no Intune, no P1/P2 seats. Deployment runs in days on a single VM.
Architecture 3 — FIDO2 + AD authentication bridge for passwordless SSO
The Hideez Server pattern for FIDO2 + AD passwordless SSO pairs FIDO2 keys with an on-prem authentication bridge that issues Kerberos tickets after hardware-backed verification. It covers Windows logon, RDP, and delegation to legacy apps. Enrollment, key recovery and admin console run locally.
Securing On-Prem SSO: Phishing-Resistant Auth and Kerberos Hardening
FIDO2 hardware keys and Kerberos delegation hardening
Hardware key integration follows a predictable path: register the FIDO2 credential against the user object, enable smart card emulation, and let Kerberos PKINIT issue a TGT after the key unlocks the cert. YubiKey, Token2 and Hideez Key all cover Windows logon and RDP through the same flow.
Hardening Kerberos is non-negotiable. Disable unconstrained delegation across the forest, enforce AES-256 only, audit SPNs with setspn -X, and place every Tier 0 identity in the Protected Users group. This neutralises Kerberoasting, golden ticket forging and DCSync paths.
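The checks above (unconstrained delegation, RC4 on SPN-bearing accounts, duplicate SPNs, Tier 0 outside Protected Users) and the Seamless SSO key-age problem from the earlier section can be audited from one read-only script. The following is an added example written for this guide, not Hideez or Microsoft code. It assumes the RSAT ActiveDirectory module on a domain-joined host with directory read access; the 30-day threshold for the AZUREADSSOACC$ key reflects Microsoft's published rollover guidance, and the encryption-type bit values are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example: read-only Kerberos hygiene audit. Changes nothing in the directory.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes flags (documented values)
$DES_CRC = 0x1; $DES_MD5 = 0x2; $RC4_HMAC = 0x4; $AES128 = 0x8; $AES256 = 0x10
$WeakMask = $DES_CRC -bor $DES_MD5 -bor $RC4_HMAC

function Get-UnconstrainedDelegation {
    # TRUSTED_FOR_DELEGATION (0x80000) set in userAccountControl, excluding domain
    # controllers, whose computer objects legitimately carry the flag.
    $dcs = @((Get-ADDomainController -Filter *).ComputerObjectDN)
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties sAMAccountName |
        Where-Object { $dcs -notcontains $_.DistinguishedName } |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName
}

function Get-WeakKerberosEncryption {
    # SPN-bearing accounts whose key set still allows DES/RC4, or is unset
    # (unset means the DC default applies, which may still include RC4).
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties sAMAccountName, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            if ((-not $enc) -or (($enc -band $WeakMask) -ne 0)) {
                [pscustomobject]@{
                    Account  = $_.sAMAccountName
                    EncTypes = if ($enc) { '0x{0:X}' -f $enc } else { 'not set' }
                    Aes256Only = [bool]($enc -and ($enc -eq $AES256))
                }
            }
        }
}

function Get-DuplicateSpns {
    # Same result as setspn -X: one SPN registered on more than one object.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ Spn = $_; Owner = $owner } }
        } |
        Group-Object Spn | Where-Object Count -gt 1 |
        Select-Object @{n = 'Spn'; e = { $_.Name } }, @{n = 'Owners'; e = { $_.Group.Owner -join '; ' } }
}

function Get-Tier0NotProtected {
    # Members of the built-in admin groups that are not in Protected Users.
    $protected = @((Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName)
    'Domain Admins', 'Enterprise Admins', 'Administrators' |
        ForEach-Object { Get-ADGroupMember $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.DistinguishedName } |
        Select-Object -Unique SamAccountName, DistinguishedName
}

function Get-SeamlessSsoKeyAge {
    # The AZUREADSSOACC$ Kerberos key derives from the account password, so its age is
    # PasswordLastSet. Microsoft's guidance: roll it over at least every 30 days.
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
    if (-not $acct) { return [pscustomobject]@{ Account = 'AZUREADSSOACC$'; KeyAgeDays = $null; Stale = $false; Note = 'Seamless SSO not enabled' } }
    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{ Account = $acct.SamAccountName; KeyAgeDays = [int]$age.TotalDays; Stale = ($age.TotalDays -gt 30); Note = '' }
}

'== Unconstrained delegation (non-DC) =='; Get-UnconstrainedDelegation | Format-Table -AutoSize
'== SPN accounts allowing DES/RC4 or unset =='; Get-WeakKerberosEncryption | Format-Table -AutoSize
'== Duplicate SPNs =='; Get-DuplicateSpns | Format-Table -AutoSize -Wrap
'== Tier 0 outside Protected Users =='; Get-Tier0NotProtected | Format-Table -AutoSize
'== Seamless SSO key age =='; Get-SeamlessSsoKeyAge | Format-Table -AutoSize
```

Every function only reads; remediation (clearing TrustedForDelegation, setting msDS-SupportedEncryptionTypes to 0x18 or 0x10, adding accounts to Protected Users, rolling the Seamless SSO key with Microsoft's Update-AzureADSSOForest) is a separate, change-controlled step once the findings are reviewed.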
Layering Zero Trust on top of on-prem SSO
The domain controller stays, the implicit trust does not. Add contextual MFA at the IdP, push device posture signals from your endpoint agent, gate admin actions behind just-in-time elevation, and re-evaluate sessions on risk change. The directory keeps running; verification becomes continuous.
Troubleshooting, ADFS Migration and Compliance
Top failure modes and diagnostic commands
Most on-prem SSO incidents trace back to six recurring faults. DCLocator timeouts surface when the client cannot reach a writable DC; confirm with nltest /dsgetdc:contoso.corp.com and check site affinity. NETBIOS resolution errors returning STATUS_BAD_VALIDATION_CLASS 0xc00000a7 indicate the application sent contoso\user instead of a UPN; force user@contoso.corp.com syntax. UPN mismatches break SAML assertions, Kerberos clock skew beyond 5 minutes invalidates tickets (audit with w32tm /monitor), duplicate SPNs prevent ticket issuance (setspn -X finds them), and broken certificate chains kill PKINIT. Use klist purge then klist to inspect cached tickets.
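The six faults above map onto one triage run. The script below is an added example for this guide, not part of the original text or any vendor tooling. It assumes the RSAT ActiveDirectory module on a domain-joined host, reuses the article's contoso.corp.com placeholder, and takes the login string exactly as the failing application sent it; the 300-second threshold is the Kerberos default MaxClockSkew. The sample logins passed at the bottom are constructed.

```powershell
# Added example: read-only triage for the six recurring on-prem SSO faults.
Import-Module ActiveDirectory

$Domain         = 'contoso.corp.com'   # placeholder domain from the article
$MaxSkewSeconds = 300                  # Kerberos default MaxClockSkew (5 minutes)

function Test-DcLocator {
    # Fault 1: DCLocator. Non-zero exit means no writable DC was located.
    $out = & nltest "/dsgetdc:$Domain" /writable 2>&1
    [pscustomobject]@{
        Check  = 'DCLocator'; Ok = ($LASTEXITCODE -eq 0)
        Detail = (($out | Select-String 'DC:|Site Name' | ForEach-Object { $_.Line.Trim() }) -join ' | ')
    }
}

function Test-LoginSyntax {
    param([Parameter(Mandatory)][string]$Login)
    # Fault 2: DOMAIN\user sent where a UPN is required
    # (the article ties this to STATUS_BAD_VALIDATION_CLASS 0xc00000a7).
    $isUpn = $Login -match '^[^\\@\s]+@[^\\@\s]+$'
    [pscustomobject]@{
        Check  = 'Login syntax'; Ok = $isUpn
        Detail = if ($isUpn) { $Login } else { "'$Login' is not a UPN; send user@$Domain" }
    }
}

function Test-UpnInDirectory {
    param([Parameter(Mandatory)][string]$Upn)
    # Fault 3: the UPN carried in the SAML assertion must exist in the directory.
    $user = Get-ADUser -LDAPFilter "(userPrincipalName=$Upn)"
    [pscustomobject]@{
        Check  = 'UPN match'; Ok = [bool]$user
        Detail = if ($user) { $user.DistinguishedName } else { "no user with UPN $Upn" }
    }
}

function Test-ClockSkew {
    # Fault 4: offset from the PDC emulator, the domain's authoritative time source.
    # (w32tm /monitor shows the same per-DC, but stripchart is easier to parse.)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $out = & w32tm /stripchart "/computer:$pdc" /samples:1 /dataonly 2>&1
    $m   = ($out | Select-String '([+-]\d+\.\d+)s' | Select-Object -Last 1)
    $offset = if ($m) { [double]$m.Matches[0].Groups[1].Value } else { [double]::NaN }
    [pscustomobject]@{
        Check  = 'Clock skew'
        Ok     = (-not [double]::IsNaN($offset)) -and ([math]::Abs($offset) -lt $MaxSkewSeconds)
        Detail = "offset from ${pdc}: ${offset}s"
    }
}

function Test-DuplicateSpns {
    # Fault 5: setspn -X walks the forest and reports the number of duplicate groups.
    $out   = & setspn -X 2>&1
    $found = $out | Select-String 'found (\d+) group' | Select-Object -Last 1
    $count = if ($found) { [int]$found.Matches[0].Groups[1].Value } else { -1 }
    [pscustomobject]@{ Check = 'Duplicate SPNs'; Ok = ($count -eq 0); Detail = "$count duplicate SPN group(s)" }
}

function Test-PkinitCertificates {
    # Fault 6: PKINIT needs a logon certificate whose chain builds to a trusted root.
    # 1.3.6.1.4.1.311.20.2.2 is the Smart Card Logon EKU.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' })
    $bad = @($certs | Where-Object { -not $_.Verify() })
    [pscustomobject]@{
        Check  = 'PKINIT chain'; Ok = ($certs.Count -gt 0) -and ($bad.Count -eq 0)
        Detail = "$($certs.Count) logon cert(s), $($bad.Count) with a broken chain"
    }
}

function Get-CachedTickets {
    # Run after klist purge and a fresh logon so the cache shows only what was just issued.
    $out = & klist 2>&1
    [pscustomobject]@{
        Check  = 'Ticket cache'; Ok = [bool]($out | Select-String 'krbtgt/')
        Detail = (($out | Select-String '^\s*Server:' | ForEach-Object { ($_.Line -split ':\s*', 2)[1] }) -join ', ')
    }
}

$report = @(
    Test-DcLocator
    Test-LoginSyntax -Login 'contoso\jdoe'      # constructed: the DOMAIN\user form that fails
    Test-UpnInDirectory -Upn "jdoe@$Domain"     # constructed UPN
    Test-ClockSkew
    Test-DuplicateSpns
    Test-PkinitCertificates
    Get-CachedTickets
)
$report | Format-Table Check, Ok, Detail -AutoSize -Wrap
```

Each check returns an object with the same three fields, so the output can be kept with the incident record or fed to a monitoring job; the only command that touches the client state is the klist purge you run beforehand.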
Migrating from ADFS and mapping to NIS2, GDPR, HIPAA, PCI-DSS
Retire ADFS in phases: inventory relying parties, classify by protocol (WS-Fed versus SAML or OIDC), select a target stack, run coexistence, then cut over. Map controls to NIS2 Art. 21, GDPR Art. 32, HIPAA §164.312(a)(2)(i) and PCI-DSS 8.3-8.5.
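The first two phases (inventory, classify by protocol) can be scripted on the primary ADFS server. The following is an added example for this guide, not Microsoft's or Hideez's code. It assumes the ADFS PowerShell module on Windows Server 2016 or later (the application-group cmdlets used for OIDC clients do not exist on older farms), and the output path and the suggested migration buckets are this example's assumptions, not rules from the article.

```powershell
# Added example: inventory ADFS relying parties and classify by protocol.
Import-Module ADFS

$OutFile = 'C:\Temp\adfs-relying-parties.csv'   # placeholder output path

function Get-RelyingPartyProtocols {
    # WS-Fed and SAML relying parties are relying party trusts. One trust can expose
    # both endpoint types, so Protocol is a joined list rather than a single value.
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $protocols = @()
        if ($_.WSFedEndpoint)                { $protocols += 'WS-Fed' }
        if (@($_.SamlEndpoints).Count -gt 0) { $protocols += 'SAML' }
        [pscustomobject]@{
            Name       = $_.Name
            Identifier = (@($_.Identifier) -join '; ')
            Protocol   = if ($protocols) { $protocols -join '+' } else { 'none' }
            Enabled    = $_.Enabled
        }
    }
}

function Get-OidcRelyingParties {
    # OIDC/OAuth2 resources are Web API applications inside application groups,
    # not relying party trusts; enabled state lives on the group.
    $groups = @(Get-AdfsApplicationGroup)
    Get-AdfsWebApiApplication | ForEach-Object {
        $grp = $groups | Where-Object { $_.ApplicationGroupIdentifier -eq $_.ApplicationGroupIdentifier }
        $grp = $groups | Where-Object ApplicationGroupIdentifier -eq $_.ApplicationGroupIdentifier
        [pscustomobject]@{
            Name       = $_.Name
            Identifier = (@($_.Identifier) -join '; ')
            Protocol   = 'OIDC'
            Enabled    = if ($grp) { [bool]$grp.Enabled } else { $null }
        }
    }
}

function Add-MigrationBucket {
    # Suggested target per entry (this example's assumption): SAML and OIDC move to the
    # new IdP as-is; WS-Fed-only apps need re-integration because many non-ADFS IdPs
    # do not offer WS-Fed; anything without a recognised protocol gets manual review.
    param([Parameter(ValueFromPipeline)]$Rp)
    process {
        $bucket = switch -Regex ($Rp.Protocol) {
            '^WS-Fed$' { 'Re-integrate (WS-Fed only)' }
            'SAML'     { 'SAML proxy or target IdP (SAML)' }
            'OIDC'     { 'Target IdP (OIDC)' }
            default    { 'Review manually' }
        }
        $Rp | Add-Member -NotePropertyName Target -NotePropertyValue $bucket -PassThru
    }
}

$inventory = @(Get-RelyingPartyProtocols) + @(Get-OidcRelyingParties) | Add-MigrationBucket
$inventory | Sort-Object Target, Name | Format-Table Name, Protocol, Enabled, Target -AutoSize
$inventory | Export-Csv -Path $OutFile -NoTypeInformation
```

The CSV becomes the coexistence tracker: add a column per relying party for the cut-over date and the control mapping (NIS2 Art. 21, GDPR Art. 32, HIPAA §164.312(a)(2)(i), PCI-DSS 8.3-8.5) so the evidence for the compliance matrix is produced by the same inventory that drives the migration.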
Frequently Asked Questions
Can I configure on-prem SSO without ADFS or full Microsoft Entra ID P1/P2 licensing?
Yes. A Kerberos-only design backed by Active Directory delivers single sign-on for domain-joined workstations without any cloud tier. For modern apps, pair a lightweight SAML proxy or an on-prem identity provider with AD as the directory source. Hideez Server combined with FIDO2 keys covers Windows logon, RDP and legacy resources without Entra ID P1/P2.
Which FIDO2 hardware keys support passwordless on-prem SSO with Active Directory?
Any FIDO2-certified authenticator works, including Hideez Key, YubiKey and Feitian. For on-prem AD, the key must support the WebAuthn user verification flow and pair with a server that brokers Kerberos tickets after attestation.
How do Entra-only joined devices access on-prem file shares and legacy applications?
Through Cloud Kerberos Trust or an on-prem authentication server that issues TGTs after FIDO2 verification, giving the device a valid Kerberos session for UNC paths and Windows-integrated apps.
Ready to retire ADFS and deploy phishing-resistant SSO across your hybrid estate? Book a technical demo with the Hideez team or explore the Hideez partner program to bring FIDO2 passwordless access to your clients.
