Sometime last year I achieved seamless SSO in our corporate environment with the following tools:
- Windows 10 Clients
- IE11 (by adding some URLs to the intranet/trusted zones)
- Chrome (with some trickery on ADFS to get this working)
- and generally adding the whr parameter to bookmarks deployed via GPO
- Azure AD Connect
- ADFS onPrem with 2012 R2 (domain is generally on 2012 R2 level)
but with the latest changes over last couple of months, this setup stopped working. I need some guidance as I no longer know what the absolute best way to deploy seamless SSO is. These are the tools at my disposal:
- Windows 10 v1709 onPrem domain joined/AAD hybrid joined devices
- (I'd like it work with all 3 browsers preferably)
- Proper setup UPN for all users
- MFA active on all users
- except for onPrem IP-Range
- Windows Server 2012 R2 onPrem
- if 2016 is a requirement for this, I'll happily upgrade somehow
- Azure AD Connect
- SCCM (latest), incl. Hybrid AAD Joined Devices - but Windows 10 is mostly managed by SCCM and not Intune.
I have no requirement for authentication to happen onPrem, I just did it because it allowed for true SSO back then.
I basically NEVER want an authentication prompt, neither username or password, within my corporate environment. As in, a freshly deployed machine with a brand new user account automatically signs into www.office.com on the very first try, no fuss ;)
Please tell me this is still somehow possibly.
