Nov 21 2019 10:28 AM
Hello,
Our organization is currently implementing OneDrive for Business as a solution.
I have configured the GPO, with the following enabled:
Silently sign in users to the OneDrive sync client with their Windows credentials
The goal is for the user to be automatically logged in to OneDrive (without having to type in credentials) every time the user logs onto his computer.
However, this does not work. When a user logs on to his computer, he must log in to OneDrive. Subsequent boots work correctly with SSO.
Our company is using Password Hash Synchronization.
I think the problem lies with the intranet site and trusted site definition for internet explorer. I am not certain which sites should be added here.
I previously worked at another company where federated services were used instead. After adding the site https://sts.domainname.com to the intranet site (site to zone assignments), I was able to automatically sign in to the OneDrive for Business sync client (and connect to the ODFB space in the cloud).
I am not certain why it is not working at my current organization.
Any assistance / guidance would be greatly appreciated.
Thanks!
Mark
Nov 22 2019 10:10 AM
PHS on its own does not provide SSO capabilities. You need to have the Azure AD Connect Seamless SSO feature enabled as detailed for example here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Nov 25 2019 06:52 AM - edited Nov 25 2019 06:54 AM
@Vasil Michev Hi Vasil, Thank you for the information. You were correct, the SSO feature was not enabled. I enabled it and I am able to connect directly to my cloud space without any issue (when I open a browser).
However, SSO for the OneDrive sync client still does not work. A user still has to log in to the OneDrive sync client one time in order for it to work. SSO then works for subsequent connections when the user logs on.
Could you offer some suggestions on how to resolve this?
This worked perfectly well at the other company that I configured, so there must be one minor configuration parameter that is missing.
Any suggestions / guidance would be greatly appreciated.
Thanks,
BanqMark
Nov 25 2019 09:31 AM
You need to preconfigure the account. Again, documented online: https://docs.microsoft.com/en-us/onedrive/use-group-policy#SilentAccountConfig
The user will still need to select which folders to sync, etc.
Nov 25 2019 09:40 AM - edited Nov 25 2019 09:40 AM
@Vasil Michev Hello Vasil,
The GPO is set correctly, but the ODFB sync client does not automatically connect.
Could it be that the device (computer) must be Azure AD joined in order for this to work as I would like it to?
We are using password hash for AAD sync. The other organization is using federated services and devices were not Azure AD joined, but SSO works with the ODFB sync client. All I did for them was add sts.domainname.com in site to zone assignment, local intranet, and it worked.
Nov 25 2019 10:19 AM
Yes, Azure AD Join is a requirement for this specific scenario.
Feb 27 2020 03:27 AM
I would recommend adding the below key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to get OneDrive to run silently.
Key Name: OneDrive
Key Value: C:\Users\%Username%\AppData\Local\Microsoft\OneDrive\OneDrive.exe /silent
Hope this helps.
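The thread turns on three things: the "Silently sign in users" GPO (the SilentAccountConfig policy Vasil linked), the device's Azure AD join state, and the per-user Run entry suggested in the last reply. The script below is an added example written for this thread, not code posted by any participant or shipped by Microsoft; it audits all three on a workstation and only writes the Run entry if it is missing. It assumes the per-user OneDrive install under %LOCALAPPDATA%\Microsoft\OneDrive, the documented policy path HKLM:\SOFTWARE\Policies\Microsoft\OneDrive, and the `/silent` switch exactly as the last reply gives it. It writes the resolved path rather than a literal %Username% so the value works regardless of whether it is expanded at logon.

```powershell
# Added example for this thread (not the posters' or Microsoft's code).
# Audits the settings discussed above and reports what is missing.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'            # documented GPO target
$RunPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # per-user autostart
$ExePath    = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'  # assumed per-user install

function Get-OneDriveSilentSignInState {
    # SilentAccountConfig = 1 is what the "Silently sign in users ..." GPO writes.
    $policy = Get-ItemProperty -Path $PolicyPath -Name 'SilentAccountConfig' -ErrorAction SilentlyContinue
    $run    = Get-ItemProperty -Path $RunPath    -Name 'OneDrive'            -ErrorAction SilentlyContinue

    # dsregcmd /status prints "AzureAdJoined : YES" on an Azure AD joined device.
    $joined = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

    [pscustomobject]@{
        SilentAccountConfig = if ($policy) { $policy.SilentAccountConfig } else { $null }
        RunEntry            = if ($run)    { $run.OneDrive }               else { $null }
        ClientInstalled     = Test-Path -Path $ExePath
        AzureAdJoined       = $joined
    }
}

function Set-OneDriveRunEntry {
    # Writes the Run value from the last reply, with the path resolved for this user.
    if (-not (Test-Path -Path $ExePath)) {
        throw "OneDrive.exe not found at $ExePath; install the sync client first."
    }
    $value = "`"$ExePath`" /silent"   # switch taken from the thread, not verified beyond it
    New-ItemProperty -Path $RunPath -Name 'OneDrive' -Value $value -PropertyType String -Force | Out-Null
    return $value
}

$state = Get-OneDriveSilentSignInState
$state | Format-List

if ($state.SilentAccountConfig -ne 1) {
    Write-Warning 'SilentAccountConfig is not 1: the "Silently sign in users" GPO has not applied to this machine.'
}
if (-not $state.AzureAdJoined) {
    Write-Warning 'Device is not Azure AD joined; per the thread, silent account configuration requires it.'
}
if (-not $state.ClientInstalled) {
    Write-Warning "Sync client not found at $ExePath."
}
if ($state.ClientInstalled -and -not $state.RunEntry) {
    Write-Output ('Created Run entry: ' + (Set-OneDriveRunEntry))
}
```

Run it in the affected user's session (the Run entry and dsregcmd output are per-user and per-device). If the policy value is absent, confirm GPO scope with `gpresult /r` before touching the Run key; the Run entry only starts the client, it does not substitute for the policy or the join requirement.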