Forum Discussion

jcookintegy
Copper Contributor
Feb 09, 2020

WVD Single Sign On / Double Authentication

Hi, we are just running a POC of Windows Virtual Desktop and wondering what the options are regarding single sign-on. In our current deployment we're using an IaaS AD with Azure AD Sync and Single Sign-on enabled. Upon launching the web client or subscribing to a feed with the Remote Desktop app, credentials are entered, which successfully lists the available resources. When a resource is launched, the user must authenticate with the same credentials again. Obviously a dual authentication is not ideal! Is the only option here to use ADFS? Thanks


20 Replies

  • Jeffrey Aucay
    Copper Contributor

    [Edit] I know this is not the non-ADFS solution people were hoping for, but for the ones that do have it rolled out/plan to roll it out, I just wanted to mention this in this thread.


    After a lot of searching, I found some documentation that can help -> https://docs.microsoft.com/en-us/azure/virtual-desktop/configure-adfs-sso


    I was able to implement it with a test environment in Azure on a single subnet with dedicated VMs for ADCS, ADDS, ADFS and one workstation. VM images used were Windows Server 2022 and Windows 10 21H1. AVD was set up with one session host with Windows 11. I used the certificate method to configure the key vault for AVD. To set up the prerequisites, I followed the Hybrid AD Certificate Trust model for Windows Hello for Business (WHfB) found here -> https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install . If you fully configure WHfB, you can reuse the enrollment certificate template to deploy the ADFS SSO certificate.

    It took a bit of work to set it up, so if you bump into issues, just reply to me and I'll try to help the best way I can.

    • DonShappelle
      Copper Contributor

      Jeffrey Aucay, we have hybrid set up and the AD Connect job runs regularly on an OU, so as machines are built they are synced. We have a few GPOs for browsers as well and, from my testing, it looks like we can log in as our domain account and need to do nothing more than push the 2FA for the MS account related needs, no double auth. Pretty sweet.

  • jcookintegy: We are working on validating and releasing documentation for the single sign-on configuration with ADFS (which has been a little delayed). Unfortunately, this is the only mechanism for true single sign-on at the moment, because in the other flows we never see the credentials that you pass to Azure AD (only Azure AD sees them). This issue is averted when using ADFS, since your own authority is issuing the token and can then later exchange that token for a smartcard certificate for logon.

    • lightupdifire
      Brass Contributor

      Hello, many Azure AD customers are trying to phase out ADFS, use passwordless and go cloud-only as much as possible. Also, deploying Windows Hello for Business is not an option anymore, as it requires some kind of on-premises environment. It would be good to have a "light" solution for WVD that uses SSO, so one can easily go passwordless and stay independent from ADFS.
    • Lance_Peterson
      Copper Contributor

      Christian_Montoya, can you please provide more details on the ADFS SSO for WVD. Has the documentation been released yet, or are there any scripts to help us get this set up? We too would like to avoid the extra sign-ins.


      Thanks!
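Added example (not from any post in this thread, and not from the Microsoft docs linked above): a PowerShell check for the Azure-side half of the ADFS single sign-on setup that Jeffrey Aucay describes (host pool pointed at an ADFS authority, with the client certificate held in Key Vault) and that the Microsoft reply explains (ADFS issues the token, which is later exchanged for a smartcard certificate for logon). It reports whether the host pool carries the ADFS authority, client ID, secret type and Key Vault reference, and whether the referenced certificate or secret can be read and has not expired. It assumes the Az.DesktopVirtualization and Az.KeyVault modules, an authenticated Connect-AzAccount session, and that the host pool object exposes the SSO settings as the SsoadfsAuthority, SsoClientId, SsoSecretType and SsoClientSecretKeyVaultPath properties; the resource group, host pool and vault names are placeholders.

```powershell
# Added example, not from the thread or the linked docs.
# Assumes Az.DesktopVirtualization and Az.KeyVault are installed and
# Connect-AzAccount has already been run. Names below are placeholders.

function Test-AvdAdfsSso {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName
    )

    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    $result = [ordered]@{
        HostPool            = $pool.Name
        AdfsAuthority       = $pool.SsoadfsAuthority
        ClientId            = $pool.SsoClientId
        SecretType          = $pool.SsoSecretType
        SecretPath          = $pool.SsoClientSecretKeyVaultPath
        SsoConfigured       = $false
        KeyVaultObjectFound = $null
    }

    # All four settings must be present before the service can call ADFS on the
    # user's behalf; if any is missing, users get the second credential prompt.
    if ([string]::IsNullOrEmpty($pool.SsoadfsAuthority) -or
        [string]::IsNullOrEmpty($pool.SsoClientId) -or
        [string]::IsNullOrEmpty($pool.SsoSecretType) -or
        [string]::IsNullOrEmpty($pool.SsoClientSecretKeyVaultPath)) {
        Write-Warning "Host pool '$($pool.Name)' has incomplete ADFS SSO settings; expect a double sign-in."
        return [pscustomobject]$result
    }
    $result.SsoConfigured = $true

    # Key Vault path is assumed to look like
    # https://<vault>.vault.azure.net/<secrets|certificates>/<name>[/<version>]
    $uri       = [uri]$pool.SsoClientSecretKeyVaultPath
    $vaultName = $uri.Host.Split('.')[0]
    $segments  = $uri.AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -lt 2) {
        Write-Warning "Unexpected Key Vault path format: $($pool.SsoClientSecretKeyVaultPath)"
        $result.KeyVaultObjectFound = $false
        return [pscustomobject]$result
    }
    $objectName = $segments[1]

    try {
        if ($pool.SsoSecretType -like 'Certificate*') {
            # Certificate-based client credential (the method used in the post above).
            $obj = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $objectName -ErrorAction Stop
            if ($obj.Expires -and $obj.Expires -lt (Get-Date)) {
                Write-Warning "SSO certificate '$objectName' expired on $($obj.Expires); SSO will fail until it is renewed."
            }
        } else {
            # Shared-key variant stored as a Key Vault secret.
            $obj = Get-AzKeyVaultSecret -VaultName $vaultName -Name $objectName -ErrorAction Stop
        }
        $result.KeyVaultObjectFound = ($null -ne $obj)
    } catch {
        # Typically a missing access policy / RBAC role on the vault, or a wrong name.
        Write-Warning "Could not read '$objectName' from vault '$vaultName': $($_.Exception.Message)"
        $result.KeyVaultObjectFound = $false
    }

    [pscustomobject]$result
}

# Usage with placeholder names:
Test-AvdAdfsSso -ResourceGroupName 'rg-avd-poc' -HostPoolName 'hp-avd-poc' | Format-List
```

This only covers what is visible from Azure. The on-premises half that the linked docs walk through (the ADFS relying party trust and claims, the enrollment agent / logon certificate template on the CA, and the session hosts trusting that CA) still has to be verified separately, and an expired or unreadable Key Vault certificate here is the first thing to rule out when SSO that used to work starts prompting twice again.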
