AVD SSO Broken


Set up AVDs with a local DC.

Set up SSO.

All was working as expected (passing AAD creds through and authenticating locally).

I had moved all users into a specific OU and adjusted AD Sync to only sync that OU. Afterwards, I found SSO wasn't working. If I disable "Attempt to sign in with AAD creds", I get prompted for local creds and can log in fine.

I undid the changes I made and started syncing all OUs again; no change.

I removed and re-added the Azure Kerberos server object; no change.

MSFT hasn't been able to help. 

Any thoughts would be great!

3 Replies

@landymilner 

Any GPO applied and what is the setting?

@landymilner 

Did you change both the Azure AD authentication and Credentials Security Support Provider back to Not Configured?


@landymilner 

My AAD SSO broke several times because the user accounts were added to either the "Domain Admins" or "Administrators" group in AD. If you open your AzureADKerberos object in ADUC and go to Properties > Password Replication Policy tab, you will see many Deny entries. It is possible you may have inadvertently added your AVD users to one of these groups. Try removing membership in these groups and try logging in again.
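The check described in this reply can be scripted rather than done by hand in ADUC. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the Deny entries of the Azure AD Kerberos object's Password Replication Policy, expands the denied groups to their nested user members, and reports which AVD users would therefore never get a Kerberos ticket from that object. It assumes the RSAT ActiveDirectory module is installed, that the Azure AD Kerberos server object still has its default name `AzureADKerberos`, and that the AVD users live under the placeholder OU `OU=AVD-Users,DC=example,DC=com`.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# the default "AzureADKerberos" object name, and a placeholder OU for AVD users.
Import-Module ActiveDirectory

$KerberosObject = 'AzureADKerberos'                  # default name of the Azure AD Kerberos RODC object
$AvdUserOu      = 'OU=AVD-Users,DC=example,DC=com'   # placeholder: replace with your AVD users' OU

# 1. List the principals whose passwords the Azure AD Kerberos object is denied from caching.
#    By default this includes Domain Admins, Administrators, Account Operators,
#    Server Operators, Backup Operators and the "Denied RODC Password Replication Group".
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $KerberosObject -Denied
Write-Host "Denied Password Replication Policy entries on ${KerberosObject}:"
$denied | Select-Object Name, objectClass | Format-Table -AutoSize

# 2. Expand every denied group recursively so nested membership is caught too.
$deniedUsers = @{}   # user DN -> name of the denied group that pulls the user in
foreach ($entry in ($denied | Where-Object { $_.objectClass -eq 'group' })) {
    Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $deniedUsers.ContainsKey($_.DistinguishedName)) {
                $deniedUsers[$_.DistinguishedName] = $entry.Name
            }
        }
}

# 3. Compare the AVD users against that set. Any user marked Blocked = True will be
#    refused by the Azure AD Kerberos object and will fall back to a local-credential prompt.
$avdUsers = Get-ADUser -Filter * -SearchBase $AvdUserOu
$report = foreach ($u in $avdUsers) {
    [pscustomobject]@{
        User     = $u.SamAccountName
        Blocked  = $deniedUsers.ContainsKey($u.DistinguishedName)
        ViaGroup = $deniedUsers[$u.DistinguishedName]
    }
}
$report | Sort-Object Blocked -Descending | Format-Table -AutoSize
```

Run it from a domain-joined management host as an account that can read the domain. Users listed with `Blocked = True` should be removed from the group named in `ViaGroup` (or given a separate non-privileged account for AVD), which is the fix this reply describes.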