Windows Admin Center - Single Sign On Configuration

Deleted
Not applicable

I am struggling with the directions for configuring Single Sign-On for Windows Admin Center.  I installed WAC on a Windows Server 2016 server (with desktop experience).  The server name is "wac01".  I am trying to connect to WAC from my desktop (which is named "desk01").  I open Microsoft Edge, and type in the URL to WAC on "wac01".  That URL is https://wac01/.  I get prompted to sign-in.  What I want to happen is that WAC doesn't prompt me to sign in, and instead passes my AD credentials to WAC seamlessly. The instructions say the following...

 

If you're going to use WAC on Windows Server, you need to set up some form of Kerberos delegation in your environment. The delegation configures the gateway computer as trusted to delegate to the target node.

 

What is the "gateway computer" in this case?  Is it the server that I have installed WAC on (wac01)?

What is the "target node" in this case?  is it my desktop (desk01)?  

 

Thanks in advance!

 

 

12 Replies

I only get prompted using Firefox. I do not get prompted with Edge or Chrome browser.

What browser are you using? Only Edge and Chrome are currently supported.

 

Also, the single sign refers to selecting a target node and not getting prompted to enter credentials for every server in your list. You could also check the option "Use these credentials for all connections" when managing a targer server/workstation. That option is only good until you end that browser session.

Edge should support Windows Integrated Authentication natively without any prompts by default, so if it's prompting either you missed the required steps to delegate your gateway for Kerberos (see here... https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-co...) or something else in your environment is disabling Windows Integrated Auth experience in the browser.

 

As for Chrome, I found out today you can enable Windows Integrated Auth in modern versions of Chrome with the information found here... 

https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

As far as I found out, the Gateway is the windows server where WAC is installed and run as a service. Target node is the computer you want to manage.

For my case, I had to cycle through all computers (fortunately only 43) and run this commands for trusted delegation. Hopefully there is an easier way, so someone can enlighten us, but if not, this worked for me.

You could always run:
$gateway = "gateway" # Machine where Windows Admin Center is installed
$gatewayObject = Get-ADComputer -Identity $gateway
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $gatewayObject
This would configure it for all servers in the domain.
Wait what.
you said you installed WAC on Windows server and then you said you are trying to connect to that WAC from your desktop!
it's not possible. WAC is an agent-less tool. you don't need to install it on the OS you're going to mange. you only need to install it on the manager OS. so in your case you have to uninstall it from your Windows server and install it on your desktop PC. Then, you can connect to your Windows server from desktop using WAC installed on desktop.

@HotCakeX 

It is absolutely "possible" - it's referred to as "Gateway Server" type of installation. It's how I run it. You can't connect remotely to a windows 10 installed version, it is stand alone and can only be used on that machine. If you install it on a server, then you can connect to it from other machines. 


https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/plan/installation-option... 

"You can't connect remotely to a windows 10 installed version, it is stand alone and can only be used on that machine." what?
of course i can.
if i install WAC on a Windows 10 i can then use it to control ANY computer/server on my domain.
If i install WAC on a Windows server, I can ALSO then use it to control ANY computer/server/cluster on my domain.
i mean if you don't know i can tell you how but don't say it's not possible because i've done it. Windows Server 2019 and Windows 10 pro latest version.
by the way, the gateway server method is waste of hardware, even if you virtualize it. the whole point of WAC is to have a light weight web based program that can be installed on almost any modern computer/server.

@HotCakeX 

It seems I am not speaking clearly, I will try again so hopefully it's understandable. 

If I install WAC on a windows 10 machine named PC1, I can't go to a browser on PC2 and type in http:\\PC1 That is what it means to connect remotely to a windows 10 install of WAC, which you can't. 

Now if you install it on a Server 2016 or 2019 in gateway mode, you can connect to the windows admin center web interface from a remote PC. So I have it installed on Server1, I can connect to WAC from PC1, PC2, Server2, Tablet1, etc.

 

So sure, if you're the only admin that needs to manage your environment, install it on your workstation. A waste of time and effort would be to have several individuals install their own WAC and add the desired endpoints. In gateway mode, I added all the endpoints and now any admin can connect to that instance. 

I sure hope that helps you to understand. 

I understand now,
well how about installing WAC on both PC1 and PC2? it sure is better than dedicating a separate hardware for a gateway, what do you think?
also i think you can do something like this (not sure about the details): for example you can set static internal IP address on PC1 that has WAC, then modify hosts file in PC2 to point the PC1's localhost to its IP address, so when you type in localhost on PC2 it will open up localhost on PC1.

@HotCakeX 

Yeah that just won't work, it just doesn't allow external clients to connect to it. In regards to installing on PC1 and PC2, from my understanding you would need to add the endpoints to manage on both, thus doubling that work. You are right, it is very lightweight. That's why I didn't spin up a new VM for it, just added to an existing server with a custom port. I love the windows admin center. This is what I've been waiting on for a long time. I'm just sad that all the run line commands I've memorized over the years are meaningless with this (almost) all in one management interface. Have a fantastic day. 

mm what do you mean by adding the endpoints to manage on both?

For those who have a clustered version of WAC, this is how we did the same thing, but included both of our nodes:

 

[System.Collections.ArrayList]$nodes = @()
    $nodes.Add((Get-ADComputer "WAC1"))
    $nodes.Add((Get-ADComputer "WAC2"))
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $nodes