Sometime last year I achieved seamless SSO in our corporate environment with the following tools:
- Windows 10 Clients
- IE11 (by adding some URLs to the intranet/trusted zones)
- Chrome (with some trickery on ADFS to get this working)
- and generally adding the whr parameter to bookmarks deployed via GPO
- Azure AD Connect
- ADFS onPrem with 2012 R2 (domain is generally on 2012 R2 level)
but with the latest changes over last couple of months, this setup stopped working. I need some guidance as I no longer know what the absolute best way to deploy seamless SSO is. These are the tools at my disposal:
- Windows 10 v1709 onPrem domain joined/AAD hybrid joined devices
  - (I'd like it to work with all 3 browsers preferably)
- Proper setup UPN for all users
- MFA active on all users
  - except for onPrem IP-Range
- Windows Server 2012 R2 onPrem
  - if 2016 is a requirement for this, I'll happily upgrade somehow
- Azure AD Connect
- SCCM (latest), incl. Hybrid AAD Joined Devices - but Windows 10 is mostly managed by SCCM and not Intune.
I have no requirement for authentication to happen onPrem, I just did it because it allowed for true SSO back then.
I basically NEVER want an authentication prompt, neither username or password, within my corporate environment. As in, a freshly deployed machine with a brand new user account automatically signs into www.office.com on the very first try, no fuss ;)
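As an added example (not from the original post or from Microsoft), the following PowerShell script audits a Windows 10 client for the client-side pieces the question relies on: the hybrid Azure AD join state and the Local intranet zone entry for the Seamless SSO endpoint. It assumes the Microsoft-documented endpoint https://autologon.microsoftazuread-sso.com, that zone mappings land in the usual ZoneMap registry keys (policy key when deployed via GPO site-to-zone assignment), and that the script runs in the signed-in user's context.

```powershell
# Added example, not the original poster's code. Assumptions: the Seamless SSO
# endpoint is https://autologon.microsoftazuread-sso.com (Microsoft docs), zone
# mappings are stored under the ZoneMap\Domains keys below, and dsregcmd prints
# 'Key : Value' lines for the join state. Zone id 1 = Local intranet.

function Test-SeamlessSsoIntranetZone {
    # GPO site-to-zone assignment writes under Policies; manual entries under the
    # non-policy key. Either one is sufficient for the browser to treat the host
    # as intranet and attempt integrated Windows authentication.
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $zone = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).https
            if ($zone -eq 1) { return $true }
        }
    }
    return $false
}

function Get-DeviceJoinState {
    # Parse the join-related 'Key : Value' lines from dsregcmd /status.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(DomainJoined|AzureAdJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$join = Get-DeviceJoinState
$checks = [ordered]@{
    'Autologon host in Local intranet zone' = Test-SeamlessSsoIntranetZone
    'Device is on-prem domain joined'       = ($join['DomainJoined'] -eq 'YES')
    'Device is hybrid Azure AD joined'      = ($join['AzureAdJoined'] -eq 'YES')
    'Primary Refresh Token present'         = ($join['AzureAdPrt'] -eq 'YES')
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
```

A missing PRT or intranet-zone entry is the usual reason a hybrid-joined machine still gets a credential prompt, so these are the first things to confirm before touching ADFS or Azure AD Connect.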
This video is for the understanding of Pass-through Authentication with Seamless SSO. Please click on the below-mentioned link to check more details as per Microsoft. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-how-it-works Also do check the ...