WVD Single Sign On / Double Authentication

Hi, we are just running a POC of Windows Virtual Desktop and wondering what the options are regarding single sign on? In our current deployment we're using an IaaS AD with Azure AD Sync and Single Sign on enabled. Upon launching the web client or subscribing to a feed with the Remote Desktop app, credentials are entered, which successfully lists the available resources. When a resource is launched, the user must authenticate with the same credentials again. Obviously a dual authentication is not ideal! Is the only option here to use ADFS? Thanks

20 Replies

@jcookintegy : We are working on validating and releasing documentation for the single sign-on configuration with ADFS (which has been a little delayed). Unfortunately, this is the only mechanism for a true single sign-on mechanism at the moment, because in the other flows we never see the credentials that you pass to Azure AD (only Azure AD sees them). This issue is averted when using ADFS, since your own authority is issuing the token and can then later exchange that token for a smartcard certificate for logon.

Hi, thanks very much for taking the time to reply. This is unfortunate as we are trying to phase out ADFS for our customers! (as seems to be the general direction in Microsoft) - Can you tell me if there's anything on the roadmap for WVD to support a more modern authentication approach / direct to Azure AD?

Thanks, James

@jcookintegy : Yes, we have it in our backlog. We're investigating the work with Azure AD, so we don't have a specific timeframe for it yet, but it is one of the top concerns across the board, so we are definitely prioritizing this.

Also, @jcookintegy , can you go ahead and create or upvote a feedback item at our UserVoice. Thanks!

@Christian_Montoya Can you please provide more details on the ADFS SSO for WVD. Has the documentation been released yet, or are there any scripts to help us get this set up? We too would like to avoid the extra sign-ins.

Thanks!

@Lance_Peterson I would appreciate it if we could get the solution for SSO with ADFS.

@Christian_Montoya , any updates on when the SSO documentation will be released?

Kind regards,

Thomas

@Christian_Montoya Any update on this? Two issues I am seeing so far:

1. The WVD web front end / RDP client prompts for credentials, and then the Windows session itself prompts for the credentials.

2. And then, once inside the Windows 10 session, OneDrive prompts for credentials inside the session along with all other services that use Azure AD, instead of SSO.

@davidlloyd Indeed, too many authentication prompts for now. Let's dream a little bit: I log in on my endpoint with my Azure AD account (Windows Hello active, device managed through Endpoint Management), then I launch the Remote App client, SSO occurs, then I launch my WVD session, SSO occurs, then I launch an Office 365 app, SSO occurs. That could become a great user experience, and all this with the AADDS service set up. For now, it's still a dream 😉

@etienne-coppin @davidlloyd - It sounds like your credential prompts once in the WVD session could be removed by configuring Hybrid Azure AD Join for your session hosts.

I am still baffled that the Remote Desktop client prompts for credentials when you subscribe to a feed, even when on an Azure AD / Hybrid Joined device. Surely the app could be configured to autoconfigure and use the existing token, as it would if you browsed to portal.office.com in Edge.

The second prompt is understandable, as you are switching to Kerberos, but it would also be great if this was modern auth 😉

Hello, many Azure AD customers try to phase out ADFS, try to use Passwordless, and go cloud only as much as possible. Also, deploying Windows Hello for Business is not an option anymore, as it requires one or another on-premise environment. It would be good to have a "light" solution for WVD that uses SSO, so one can easily go Passwordless and stay independent from ADFS.

Hi @Christian_Montoya , we have users who are independent therapists contracted to provide services. Their only IT is a laptop, they have nothing 'on prem', and they are required to use an app which we provide as an Azure remote app. We have nothing 'on prem' either!

We are trying to resolve the double sign-on experience - is there, or will there be, a solution for our use case?

Thanks,

Jack

@Auntiejack56 We are investigating SSO. As of today, isn't it possible to use the Windows client and save the password? If you save the password, it shouldn't prompt you twice.

@PavithraT Hi and thanks. Edge will save the first password (when logging in via aka.ms/wvdarmweb). Chrome won't, so I'll recommend clients to use Edge for the time being. (I tried adding manually via Credentials Manager, but that made no difference to either browser.)

Jack

Looking forward to the modernized feature.

Is there any news on this feature?
I don't find it on the roadmap.

@Christian_Montoya Is there an update on this topic?

Our customers are not satisfied with this situation at all.

@Christian_Montoya Is an SSO solution in sight? It would be much appreciated!!

@Christian_Montoya Yes, we are curious as well, as we have Azure SSO and hybrid enabled but can't seem to find the special sauce, if it exists. Thanks!

[Edit] I know this is not the non-ADFS solution people were hoping for, but for the ones that do have it rolled out or plan to roll it out, I just wanted to mention this in this thread.

After a lot of searching, I found some documentation that can help -> Configure AD FS single sign-on for Azure Virtual Desktop

I was able to implement it with a test environment in Azure on a single subnet with dedicated VMs for ADCS, ADDS, ADFS and one workstation. VM images used were Windows Server 2022 and Windows 10 21H1. AVD was set up with one session host with Windows 11. I used the certificate method to configure the key vault for AVD. To set up the prerequisites, I followed the Hybrid AD Certificate Trust model for Windows Hello for Business (WHfB) found here -> Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation. If you fully configure WHfB, you can reuse the enrollment certificate template to deploy the ADFS SSO certificate.

It took a bit of work to set it up, so if you bump into issues, just reply to me and I'll try to help the best way I can.