PUBLIC PREVIEW: Announcing public preview of SSO using AD FS

Microsoft

We are excited to announce the public preview of single sign-on (SSO) using Active Directory Federation Services (AD FS) for Windows Virtual Desktop. This feature allows customers who use AD FS to configure their host pool to enable a single sign-on experience, removing the second credential prompt for the session host. This functionality is supported when using the Windows and web clients.

Getting started:

The documentation to configure AD FS single sign-on will guide you through the key steps needed to enable this functionality including:

  • Configuring your certificate authority to issue certificates
  • Configuring your AD FS server with a relying-party trust
  • Configuring your Windows Virtual Desktop host pool to enable SSO

6 Replies
Great, we just spent over 6 months to move all our ADFS Apps to Azure AD (to decom ADFS)

Yeah, this news is actually more of a disappointment than anything else. Microsoft is adding more reasons to stick with AD+ADFS rather than move to Azure AD, which my company did over a year ago. Give us WVD single sign on with Azure AD!

@David Belanger

Configured the environment exactly as per the article, however still not getting SSO to session host. Am I missing anything?

Environment: ADFS hosted in 2019 win server

WVD hosts: win10 20H2 multisession

Client: Web browser

[Screenshot]

I'm really scratching my head here. WVD's in Azure going backward to ADFS for SSO? Really?
Given WVD's (in Azure) current SSO option is tied to line-of-sight Domain Controllers (the MVD's are joined to, or through a Domain Trust, etc.). So adding ADFS for WVDs was the natural path.
What about customers that are moving client-side devices to Intune & AzureAD?
Sigh....

Hi @Kubaib, unsure if you are still having issues with enabling SSO. It looks like the SSL certificate on your AD FS server may not be valid or publicly trusted. The WVD service isn't able to access the server. You can also enable Log Analytics for WVD to see the errors for yourself.

@kd007 

It's coming - Enhanced support for Azure Active Directory (coming soon in public preview) https://azure.microsoft.com/en-us/blog/azure-virtual-desktop-the-desktop-and-app-virtualization-plat...