Forum Discussion
Entra Joined Device seamless SSO not working for on-premises web app Windows authentication
Our device is Entra registered and has line of sight to our Active Directory Domain Controller. We also have passwordless sign-in set up using FIDO key authentication as per the instructions at https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises.
Seamless SSO is working perfectly for Windows authentication-based services such as SSMS, as well as network shares, without a password prompt, but strangely it is not working for our web app configured for Windows Authentication in IIS. The browser keeps prompting for a username and password. Because authentication is FIDO key based, there is no password that can be entered, nor does the prompt provide a FIDO option to enter the security key PIN.
I've tried various Windows Authentication measures such as prioritizing NTLM over Negotiate and removing Negotiate entirely, but to no avail. One thing to note is that the browser prompts for a password even when I try to access the application on the IIS server itself. Oddly, SSMS and network file shares seem to be working seamlessly.
I have also tried various browsers such as Edge, Chrome and Firefox, and they all show the same prompt.
What am I missing? What can I debug to check where the issues are?
1 Reply
- salmanhasrat (Copper Contributor) - Solved!
While Entra ID does provide Seamless SSO to get access to on-premises resources (as long as there is a line of sight to the domain controller from the connecting PC), there are a few configuration elements that are easy to overlook.
1. You MUST configure Microsoft Edge group policies to add `https://autologon.microsoftazuread-sso.com` in the `AuthNegotiateDelegateAllowlist` and `AuthServerAllowlist` policy settings. The documentation gives the feeling that this step is optional but it is required. If you do not have the Edge group policy, you must download and set it up separately following instructions on this [link](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge).
2. In the same policy settings, you must also add your domain. For example, if your domain is X.com or Y.X.com, then the group policy should read like `*X.com,*Y.X.com,https://autologon.microsoftazuread-sso.com`. If you do not add subdomains (like in my case) then Windows auth will NOT work over SSL. Make sure you restart Edge whenever you update them just to make sure these take effect.
With these steps, Windows auth works perfectly to on-premises web servers for Entra Joined devices.
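The two Edge policy values from the answer above can be applied and verified from an elevated PowerShell session as machine policy; this is an added example, not code from the thread, and `*contoso.com` / `*corp.contoso.com` are placeholders for your own domain and subdomain entries in the format the answer uses.

```powershell
# Added example: write the Edge policy values the accepted answer describes
# (AuthServerAllowlist and AuthNegotiateDelegateAllowlist), merging with any
# entries already present, then verify the result. Run elevated.
# Edge reads machine policy from HKLM\SOFTWARE\Policies\Microsoft\Edge.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$SsoUrl    = 'https://autologon.microsoftazuread-sso.com'
# Placeholders: replace with your domain and every subdomain that hosts IIS apps.
$Domains   = @('*contoso.com', '*corp.contoso.com')

function Get-AllowlistEntries {
    param([string]$Name)
    $current = (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $current) { return @() }
    return @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Merge-AllowlistValue {
    param([string]$Name, [string[]]$Required)
    # Keep existing entries and append only the required ones that are missing
    # (-contains compares case-insensitively, so host-name case does not matter).
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in @(Get-AllowlistEntries -Name $Name) + $Required) {
        if (-not ($merged -contains $entry)) { $merged.Add($entry) }
    }
    $value = $merged -join ','
    Set-ItemProperty -Path $PolicyKey -Name $Name -Value $value -Type String
    return $value
}

function Test-AllowlistValue {
    param([string]$Name, [string[]]$Required)
    $entries = Get-AllowlistEntries -Name $Name
    $missing = @($Required | Where-Object { $entries -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$Name is missing: $($missing -join ', ')"
        return $false
    }
    Write-Host "$Name OK: $($entries -join ',')"
    return $true
}

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
$required = $Domains + $SsoUrl
foreach ($name in 'AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist') {
    Merge-AllowlistValue -Name $name -Required $required | Out-Null
    Test-AllowlistValue  -Name $name -Required $required | Out-Null
}
```

Restart Edge after running it, as the answer notes, and confirm on edge://policy that both values are listed with no policy error before testing the IIS site again.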