Microsoft Tech Community

AAD Seamless Single Sign-On and Chrome

Hi,

 

I have deployed AAD Seamless SSO recently and it all works just fine in Edge / IE. However, I cannot get the SSO experience to work with Chrome.

I have checked the GPO settings mentioned in Microsoft's documentation.

Does anyone know if there is a problem with the service and Chrome at the current version?

9 Replies

@Marcus Pettersson Did you ever get this working? I am having the same issues.

@Rocketrs8 are you using AAD Seamless SSO with PTA or PHS?

@Dominik Hoefling I am using Seamless SSO with PTA. I downloaded the Chrome ADMX files and configured the Kerberos delegation server whitelist and the Authentication server whitelist, adding autologon.microsoftazuread-sso.com to both.

Thanks. Did you check the troubleshooting page as well? https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso

 

I haven't any problems with PTA and AAD Seamless SSO (I'm using Chrome for Windows Version 75.0.3770.142). I would suggest running Fiddler and verifying whether the browser gets the 401 Unauthorized response from Azure AD, to provide a Kerberos ticket.

 

I assume that modern authentication is enabled in Exchange Online (this is a prerequisite).

@Dominik Hoefling I didn't have modern authentication turned on; however, I did that last night. Still not any better. I have looked through that documentation and nothing jumps out. Also, it is quite outdated with certain things. One "big" thing is that it says Edge doesn't work when actually now it does.

I think Fiddler is a good call. I will give that a bash.

@Rocketrs8 We are currently encountering the same issue in the Chrome browser. Could you please share the information on how you fixed it?

@Marcus Pettersson 

 

If I am not mistaken, you need to install the Windows 10 Accounts extension for Chrome for Seamless SSO to function.

For anyone trying to resolve this, after my research these are the exact requirements (Chrome-side, your Azure AD setup has its own stuff) I needed:

Latest "Chrome Enterprise Policy List": https://support.google.com/chrome/a/answer/187202?hl=en

GPO Settings
User Configuration\Policies\Administrative Templates\Google\Google Chrome\HTTP Authentication
-Kerberos delegation server whitelist
autologon.microsoftazuread-sso.com,aadg.windows.net.nsatc.net
-Authentication server Whitelist
autologon.microsoftazuread-sso.com,aadg.windows.net.nsatc.net
# Needed if you're blocking extensions from being installed to whitelist this one
User Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions
-Configure the list of force-installed apps and extensions (Enabled)
ppnbnpeolgkicgegkbkbjmhlideopiji
-Configure extension installation allow list (Enabled)
ppnbnpeolgkicgegkbkbjmhlideopiji

Note: That extension ID I pulled from https://chrome.google.com/webstore/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji (Windows Accounts)
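
A check that the settings listed above actually reached a client, as an added example that is not part of the original post. It assumes the GPO values land under Software\Policies\Google\Chrome using Chrome's registry policy names (AuthServerWhitelist and AuthNegotiateDelegateWhitelist, renamed to the ...Allowlist forms in newer Chrome; ExtensionInstallForcelist; ExtensionInstallAllowlist, formerly ExtensionInstallWhitelist).

```powershell
# Added example: verify the Chrome policies from the post above are present on this machine.
# Assumption: values live under Software\Policies\Google\Chrome (HKCU for user-scoped
# GPOs, HKLM for computer-scoped ones) under Chrome's registry policy names.
$SsoHosts    = 'autologon.microsoftazuread-sso.com', 'aadg.windows.net.nsatc.net'
$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'
$Roots       = 'HKCU:\Software\Policies\Google\Chrome', 'HKLM:\Software\Policies\Google\Chrome'

function Get-ChromeStringPolicy([string[]]$Names) {
    # Comma-separated string policy; returns the entries of the first name found.
    foreach ($root in $Roots) {
        foreach ($name in $Names) {
            $value = (Get-ItemProperty -Path $root -Name $name -ErrorAction SilentlyContinue).$name
            if ($value) { return @($value -split ',' | ForEach-Object { $_.Trim() }) }
        }
    }
    return @()
}

function Get-ChromeListPolicy([string[]]$Names) {
    # List policy: a subkey whose values are named 1, 2, 3, ...
    foreach ($root in $Roots) {
        foreach ($name in $Names) {
            $key = Get-Item -Path (Join-Path $root $name) -ErrorAction SilentlyContinue
            if ($key) { return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }
        }
    }
    return @()
}

$checks = [ordered]@{
    'Authentication server whitelist'      = Get-ChromeStringPolicy 'AuthServerAllowlist', 'AuthServerWhitelist'
    'Kerberos delegation server whitelist' = Get-ChromeStringPolicy 'AuthNegotiateDelegateAllowlist', 'AuthNegotiateDelegateWhitelist'
}
foreach ($label in $checks.Keys) {
    foreach ($h in $SsoHosts) {
        $state = if ($checks[$label] -contains $h) { 'OK     ' } else { 'MISSING' }
        "{0}  {1}: {2}" -f $state, $label, $h
    }
}

# Force-list entries may have the form "<id>;<update url>"; allow-list entries are the bare id.
$forced  = Get-ChromeListPolicy 'ExtensionInstallForcelist' | ForEach-Object { ($_ -split ';')[0] }
$allowed = Get-ChromeListPolicy 'ExtensionInstallAllowlist', 'ExtensionInstallWhitelist'
"{0}  force-installed: {1}" -f $(if ($forced  -contains $ExtensionId) { 'OK     ' } else { 'MISSING' }), $ExtensionId
"{0}  allow-listed:    {1}" -f $(if ($allowed -contains $ExtensionId) { 'OK     ' } else { 'MISSING' }), $ExtensionId
```

The comparison is an exact, case-insensitive match, so a wildcard entry in the policy is reported as MISSING; chrome://policy shows the same values as Chrome itself parsed them.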

Thanks for your help, I was able to configure a Seamless Single Sign-On experience on Chrome using the above configuration.