Double authentication in web client


Every time I log in to the WVD web client, I first get to sign in with the Office 365/Azure AD login experience (with MFA), but when I get to the landing page and click on my Desktop in the web client, I get prompted for e-mail and password once more.

Why am I getting double logins? In the remote desktop client things seem to be full SSO.

5 Replies

@Anders Gidlund : The reason for the double prompt is that--as you mention--the first authentication is the Azure AD (which we never see), but then the second prompt is the Windows login prompt. Windows doesn't accept a token for login, and because we only receive a token from Azure AD, we cannot immediately supply credentials so must prompt again.

 

You might see that in the other Remote Desktop client things seem to be "full SSO" if you select "Remember my password." If you would like, you can save your Windows login credentials as a password through your browser's Password management vault to get the same experience.

@Christian_Montoya : Do you know what the plans are when it comes to supporting SSO in WVD? 

I mean it is kind of supported now, if you log into your portal and have SSO enabled, it lets you right in. We are using Azure SSO in our environment and it works nicely. As @Christian_Montoya stated, the local RDS login cannot accept tokens. That's been my experience with other deployments I've done in the RDS tech as well.

@Thomas Aure 

 

Seems like there is official documentation now. If you are willing to roll out/leverage ADFS, you can set up SSO using this method -> Configure AD FS single sign-on for Azure Virtual Desktop 

 

I was able to implement it with a test environment in Azure on a single subnet with dedicated VMs for ADCS, ADDS, ADFS and one workstation. VM images used were Windows Server 2022 and Windows 10 21H1. AVD was set up with one session host with Windows 11. I used the certificate method to configure the key vault for AVD. To set up the prerequisites, I followed the Hybrid AD Certificate Trust model for Windows Hello for Business (WHfB) found here -> Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation. If you fully configure WHfB, you can reuse the enrollment certificate template to deploy the ADFS SSO certificate.

 

It took a bit of work to set it up, so if you bump into issues, just reply to me and I'll try to help the best way I can.