Forum Discussion
Deleted
May 30, 2018
Windows Admin Center - Single Sign On Configuration
I am struggling with the directions for configuring Single Sign-On for Windows Admin Center. I installed WAC on a Windows Server 2016 server (with desktop experience). The server name is "wac01". I am trying to connect to WAC from my desktop (which is named "desk01"). I open Microsoft Edge, and type in the URL to WAC on "wac01". That URL is https://wac01/. I get prompted to sign-in. What I want to happen is that WAC doesn't prompt me to sign in, and instead passes my AD credentials to WAC seamlessly. The instructions say the following...
If you're going to use WAC on Windows Server, you need to set up some form of Kerberos delegation in your environment. The delegation configures the gateway computer as trusted to delegate to the target node.
What is the "gateway computer" in this case? Is it the server that I have installed WAC on (wac01)?
What is the "target node" in this case? is it my desktop (desk01)?
Thanks in advance!
- MattM310 (Copper Contributor)
For those who have a clustered version of WAC, this is how we did the same thing, but included both of our nodes:
[System.Collections.ArrayList]$nodes = @()   # both cluster nodes hosting the WAC gateway
$nodes.Add((Get-ADComputer "WAC1"))
$nodes.Add((Get-ADComputer "WAC2"))
# Allow both gateway nodes to delegate to every Windows Server computer account in the domain
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $nodes
- Wait what.
You said you installed WAC on Windows Server, and then you said you are trying to connect to that WAC from your desktop!
It's not possible. WAC is an agent-less tool. You don't need to install it on the OS you're going to manage. You only need to install it on the manager OS. So in your case you have to uninstall it from your Windows server and install it on your desktop PC. Then you can connect to your Windows server from the desktop using the WAC installed on the desktop.
- KrzyDoug (Copper Contributor)
It is absolutely "possible" - it's referred to as the "Gateway Server" type of installation. It's how I run it. You can't connect remotely to a Windows 10 installed version; it is stand-alone and can only be used on that machine. If you install it on a server, then you can connect to it from other machines.
- "You can't connect remotely to a Windows 10 installed version, it is stand-alone and can only be used on that machine." What?
Of course I can.
If I install WAC on Windows 10, I can then use it to control ANY computer/server on my domain.
If I install WAC on a Windows server, I can ALSO then use it to control ANY computer/server/cluster on my domain.
I mean, if you don't know I can tell you how, but don't say it's not possible because I've done it. Windows Server 2019 and Windows 10 Pro, latest version.
By the way, the gateway server method is a waste of hardware, even if you virtualize it. The whole point of WAC is to have a lightweight web-based program that can be installed on almost any modern computer/server.
- Martin Šramo (Copper Contributor)
As far as I found out, the Gateway is the Windows server where WAC is installed and runs as a service. The target node is the computer you want to manage.
For my case, I had to cycle through all computers (fortunately only 43) and run these commands for trusted delegation. Hopefully there is an easier way, so someone can enlighten us, but if not, this worked for me.
- maedli (Copper Contributor)
You could always run:
$gateway = "gateway" # Machine where Windows Admin Center is installed
$gatewayObject = Get-ADComputer -Identity $gateway
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $gatewayObject
This would configure it for all servers in the domain.
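An added example, not posted by anyone in this thread, that combines the two snippets above (multiple gateway nodes, bulk assignment) but scopes the delegation to one OU instead of every server in the domain and reads the attribute back to verify it. The gateway names and the OU path are placeholders for your environment.

```powershell
# Added example: resource-based Kerberos constrained delegation for the WAC gateway(s),
# scoped to the servers WAC is meant to manage and verified afterwards.
# Computer names and the OU path are placeholders, not values from this thread.
Import-Module ActiveDirectory

$gatewayNames = @('WAC1', 'WAC2')                       # gateway (or cluster node) computer accounts
$targetOu     = 'OU=ManagedServers,DC=contoso,DC=com'    # only servers WAC should manage

# Resolve the gateway computer objects once; a mistyped name fails here, not mid-loop.
$gateways = foreach ($name in $gatewayNames) { Get-ADComputer -Identity $name }

# Target nodes: Windows Server computer accounts inside the chosen OU only.
# Allowing delegation to every server in the domain widens the impact of a gateway compromise.
$targets = Get-ADComputer -SearchBase $targetOu -Filter { OperatingSystem -Like '*Windows Server*' }

foreach ($node in $targets) {
    # Writes msDS-AllowedToActOnBehalfOfOtherIdentity on the target node.
    # This replaces any existing list on the node; add -WhatIf to preview before applying.
    Set-ADComputer -Identity $node -PrincipalsAllowedToDelegateToAccount $gateways
}

# Verify: read the attribute back and flag any node where a gateway is missing.
$expected = $gateways | ForEach-Object { $_.DistinguishedName }
foreach ($node in $targets) {
    $current = (Get-ADComputer -Identity $node -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
    $missing = $expected | Where-Object { $current -notcontains $_ }
    if ($missing) {
        Write-Warning "$($node.Name): delegation not set for $($missing -join ', ')"
    } else {
        Write-Host "$($node.Name): OK"
    }
}
```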
- Aaron Hall (Brass Contributor)
Edge should support Windows Integrated Authentication natively without any prompts by default, so if it's prompting either you missed the required steps to delegate your gateway for Kerberos (see here... https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control) or something else in your environment is disabling Windows Integrated Auth experience in the browser.
As for Chrome, I found out today you can enable Windows Integrated Auth in modern versions of Chrome with the information found here...
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
- Akira X (Copper Contributor)
I only get prompted using Firefox. I do not get prompted with Edge or Chrome browser.
What browser are you using? Only Edge and Chrome are currently supported.
Also, single sign-on refers to selecting a target node and not getting prompted to enter credentials for every server in your list. You could also check the option "Use these credentials for all connections" when managing a target server/workstation. That option is only good until you end that browser session.