Feb 09 2020 10:24 AM
Hi, we are just running a POC of Windows Virtual Desktop and wondering what the options are regarding single sign-on? In our current deployment we're using an IaaS AD with Azure AD Sync and Single Sign-on enabled. Upon launching the web client or subscribing to a feed with the Remote Desktop app, credentials are entered, which successfully lists the available resources. When a resource is launched, the user must authenticate with the same credentials again. Obviously a dual authentication is not ideal! Is the only option here to use ADFS? Thanks
Feb 11 2020 09:14 AM
@jcookintegy : We are working on validating and releasing documentation for the single sign-on configuration with ADFS (which has been a little delayed). Unfortunately, this is the only mechanism for a true single sign-on at the moment, because in the other flows we never see the credentials that you pass to Azure AD (only Azure AD sees them). This issue is averted when using ADFS, since your own authority is issuing the token and can then later exchange that token for a smartcard certificate for logon.
Feb 13 2020 06:29 AM
Feb 13 2020 08:38 AM
@jcookintegy : Yes, we have it in our backlog. We're investigating the work with Azure AD, so we don't have a specific timeframe for it yet, but it is one of the top concerns across the board, so we are definitely prioritizing this.
Also, @jcookintegy , can you go ahead and create or upvote a feedback item at our UserVoice. Thanks!
Mar 22 2020 09:52 AM
@Christian_Montoya Can you please provide more details on the ADFS SSO for WVD. Has the documentation been released yet, or are there any scripts to help us get this setup. We too would like to avoid the extra sign-ins.
Thanks!
Mar 22 2020 01:45 PM
Apr 06 2020 02:41 AM
@Christian_Montoya , any updates on when the SSO documentation will be released?
Kind regards,
Thomas
Apr 21 2020 08:17 PM
@Christian_Montoya Any update on this? Two issues I am seeing so far:
1. WVD web front end / RDP client prompt for credentials, and then the Windows session itself prompts for the credentials.
2. And then, once inside the Windows 10 session, OneDrive prompts for credentials inside the session along with all other services that use Azure AD, instead of SSO.
May 24 2020 01:29 PM
@davidlloyd Indeed, too many authentication prompts for now. Let's dream a little bit: I log in on my endpoint with my Azure AD account (Windows Hello active, device managed through Endpoint management), then I launch the Remote App client, SSO occurs, then I launch my WVD session, SSO occurs, then I launch an Office 365 app, SSO occurs. This could become a great user experience, and all this with the AADDS service set up. For now, it's still a dream 😉
May 24 2020 02:02 PM
@etienne-coppin @davidlloyd - It sounds like your credential prompts once in the WVD session could be removed by configuring hybrid Azure AD join for your session hosts.
I am still baffled that the Remote Desktop client prompts for credentials when you subscribe to a feed even when on an Azure AD / hybrid joined device. Surely the app could be configured to auto-configure and use the existing token, as it would if you browsed to portal.office.com in Edge.
The second prompt is understandable, as you are switching to Kerberos, but it would also be great if this was modern auth 😉
Aug 23 2020 11:44 PM
Sep 25 2020 06:31 AM
Hi @Christian_Montoya , we have users who are independent therapists contracted to provide services. Their only IT is a laptop, they have nothing 'on prem', and they are required to use an app which we provide as an Azure remote app. We have nothing 'on prem' either!
We are trying to resolve the double signon experience - is there, or will there be, a solution for our use case?
Thanks,
Jack
Sep 25 2020 09:25 AM
@Auntiejack56 We are investigating SSO. As of today, isn't it possible to use the Windows client and save the password? If you save the password, it shouldn't prompt you twice.
Sep 25 2020 04:00 PM
Hi and thanks. Edge will save the first password (when logging in via aka.ms/wvdarmweb). Chrome won't, so I'll recommend clients to use Edge for the time being. (I tried adding manually via Credentials Manager but that made no difference to either browser.)
Jack
Oct 27 2020 11:54 PM
Looking forward to the modernized feature.
Nov 24 2020 10:57 PM
Dec 30 2020 05:24 AM
@Christian_Montoya Is there an update on this topic?
Our customers are not satisfied with this situation at all.
Jun 03 2021 06:29 PM - edited Jun 03 2021 06:30 PM
Yes, we are curious as well, as we have Azure SSO and hybrid enabled but can't seem to find the special sauce, if it exists. Thanks!
@Christian_Montoya
Nov 10 2021 10:08 AM - edited Nov 10 2021 10:12 AM
[Edit] I know this is not the non-ADFS solution people were hoping for, but for the ones that do have it rolled out/plan to roll it out, I just wanted to mention this in this thread.
After a lot of searching, I found some documentation that can help -> Configure AD FS single sign-on for Azure Virtual Desktop
I was able to implement it with a test environment in Azure on a single subnet with dedicated VMs for ADCS, ADDS, ADFS and one workstation. VM images used were Windows Server 2022 and Windows 10 21H1. AVD was set up with one session host with Windows 11. I used the certificate method to configure the key vault for AVD. To set up the prerequisites, I followed the Hybrid AD Certificate Trust model for Windows Hello for Business (WHfB) found here -> Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation. If you fully configure WHfB, you can reuse the enrollment certificate template to deploy the ADFS SSO certificate.
It took a bit of work to set it up, so if you bump into issues, just reply to me and I'll try to help the best way I can.
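The host-pool side of the AD FS configuration the post above refers to, as an added example that is not part of this thread or of Microsoft's own scripts. It assumes the Az.DesktopVirtualization module, an existing host pool, a working AD FS farm and a Key Vault that already holds the SSO certificate; the resource group, host pool, AD FS host and Key Vault names are placeholders, and the parameter names are those of `Update-AzWvdHostPool` as I know them (treat them as an assumption and check `Get-Help Update-AzWvdHostPool` on your module version).

```powershell
# Added example, not from the thread. All names below are assumptions/placeholders.
$rg     = "rg-avd"                                                # assumed resource group
$hp     = "hp-avd-adfs"                                           # assumed host pool
$adfs   = "https://adfs.contoso.com/adfs"                         # assumed AD FS authority
$kvPath = "https://kv-avd.vault.azure.net/secrets/avd-sso-cert"   # assumed Key Vault secret URL

# Point the host pool at your own AD FS authority and at the certificate in Key Vault.
# SsoSecretType CertificateInKeyVault corresponds to the "certificate method" the post mentions.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hp `
    -SsoadfsAuthority $adfs `
    -SsoClientId "https://www.wvd.microsoft.com" `
    -SsoSecretType CertificateInKeyVault `
    -SsoClientSecretKeyVaultPath $kvPath

# Verify: every SSO property should be populated; if any is empty, the host pool is not
# configured for AD FS SSO and users will keep getting the second credential prompt.
$pool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp
$pool | Select-Object SsoadfsAuthority, SsoClientId, SsoSecretType, SsoClientSecretKeyVaultPath

$missing = 'SsoadfsAuthority','SsoClientId','SsoSecretType','SsoClientSecretKeyVaultPath' |
    Where-Object { [string]::IsNullOrEmpty($pool.$_) }
if ($missing) {
    Write-Warning "AD FS SSO is not fully configured; empty properties: $($missing -join ', ')"
} else {
    Write-Output "AD FS SSO settings present on host pool $hp"
}
```

Two caveats worth keeping in mind: the certificate referenced by `SsoClientSecretKeyVaultPath` is effectively a logon credential for every user of that host pool, so restrict Key Vault access to the Azure Virtual Desktop service principal and audit reads of that secret; and the host-pool settings only cover the token exchange, so the AD FS relying party, the AD CS template and the session hosts' trust of the issuing CA still have to be configured as the linked documentation describes.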