Forum Discussion
salmanhasrat
May 23, 2024, Copper Contributor
Entra Joined Device seamless SSO not working for on premise web app windows authentication
Our device is Entra registered and has line of sight to our Active Directory Domain Controller. We also have password less setup using FIDO key authentication as per instructions on the following htt...
salmanhasrat, May 26, 2024, Copper Contributor. Solved!
While Entra ID does provide Seamless SSO to get access to on-premise resources (as long as there is a line of sight to the domain controller from the connecting PC), there are a few configuration elements that are easy to overlook.
1. You MUST configure Microsoft Edge group policies to add `https://autologon.microsoftazuread-sso.com` in the `AuthNegotiateDelegateAllowlist` and `AuthServerAllowlist` policy settings. The documentation gives the feeling that this step is optional, but it is required. If you do not have the Edge group policy, you must download and set it up separately following the instructions at this [link](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge).
2. In the same policy settings, you must also add your domain. For example, if your domain is X.com or Y.X.com, then the group policy should read like `*X.com,*Y.X.com,https://autologon.microsoftazuread-sso.com`. If you do not add subdomains (like in my case), then Windows auth will NOT work over SSL. Make sure you restart Edge whenever you update them, just to make sure these take effect.
With these steps, Windows auth works perfectly to on-premise web servers for Entra Joined devices.
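As an added example (not part of the original post), here is a PowerShell audit script that reads the two Edge policy values from the registry location Edge uses for machine-level GPO settings and reports which of the required allowlist entries from the answer above are missing. It assumes the standard Edge policy key `HKLM:\SOFTWARE\Policies\Microsoft\Edge`; the `*X.com` and `*Y.X.com` patterns are placeholders copied from the answer and should be replaced with your own domain patterns.

```powershell
# Audit the Edge allowlist policies required for Seamless SSO to an on-premise
# web app using Windows authentication. Added example; registry key is the
# standard Edge policy location, domain patterns are constructed placeholders.
param(
    [string[]]$RequiredEntries = @(
        'https://autologon.microsoftazuread-sso.com',
        '*X.com',     # placeholder: your domain pattern
        '*Y.X.com'    # placeholder: your subdomain pattern (needed for SSL)
    )
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$policyNames = @('AuthServerAllowlist', 'AuthNegotiateDelegateAllowlist')

function Test-EdgeSsoAllowlist {
    param([string]$Key, [string]$Name, [string[]]$Required)

    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ([string]::IsNullOrWhiteSpace($value)) {
        # Policy not delivered at all: every required entry is missing.
        return [pscustomobject]@{ Policy = $Name; Configured = $false; Missing = $Required; Value = $null }
    }
    # Edge stores the allowlist as one comma-separated REG_SZ value.
    $present = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # -notcontains is case-insensitive, matching how hostnames are compared.
    $missing = @($Required | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{ Policy = $Name; Configured = $true; Missing = $missing; Value = $value }
}

$results = foreach ($name in $policyNames) {
    Test-EdgeSsoAllowlist -Key $policyKey -Name $name -Required $RequiredEntries
}

$results | Format-List Policy, Configured, Missing, Value

$broken = $results | Where-Object { -not $_.Configured -or $_.Missing.Count -gt 0 }
if ($broken) {
    Write-Warning ('Missing allowlist entries in: ' + (($broken | ForEach-Object { $_.Policy }) -join ', ') +
        '. Windows auth via Seamless SSO will fail until the policy is corrected and Edge is restarted.')
    exit 1
}
Write-Host 'Both Edge allowlist policies contain every required entry.'
```

Run it on the Entra Joined device after a `gpupdate /force`; a non-zero exit code tells you which policy still lacks the autologon URL or a domain pattern before you start troubleshooting the web server itself.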