May 30 2018 12:25 PM
I am struggling with the directions for configuring Single Sign-On for Windows Admin Center. I installed WAC on a Windows Server 2016 server (with desktop experience). The server name is "wac01". I am trying to connect to WAC from my desktop (which is named "desk01"). I open Microsoft Edge, and type in the URL to WAC on "wac01". That URL is https://wac01/. I get prompted to sign in. What I want to happen is that WAC doesn't prompt me to sign in, and instead passes my AD credentials to WAC seamlessly. The instructions say the following...
If you're going to use WAC on Windows Server, you need to set up some form of Kerberos delegation in your environment. The delegation configures the gateway computer as trusted to delegate to the target node.
What is the "gateway computer" in this case? Is it the server that I have installed WAC on (wac01)?
What is the "target node" in this case? is it my desktop (desk01)?
Thanks in advance!
Jun 25 2018 12:58 PM
I only get prompted using Firefox. I do not get prompted with Edge or Chrome browser.
What browser are you using? Only Edge and Chrome are currently supported.
Also, single sign-on refers to selecting a target node and not getting prompted to enter credentials for every server in your list. You could also check the option "Use these credentials for all connections" when managing a target server/workstation. That option is only good until you end that browser session.
Oct 25 2018 11:38 AM
Edge should support Windows Integrated Authentication natively without any prompts by default, so if it's prompting, either you missed the required steps to delegate your gateway for Kerberos (see here... https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-co...) or something else in your environment is disabling the Windows Integrated Auth experience in the browser.
As for Chrome, I found out today you can enable Windows Integrated Auth in modern versions of Chrome with the information found here...
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
Oct 30 2018 01:38 AM
As far as I found out, the Gateway is the Windows server where WAC is installed and runs as a service. The target node is the computer you want to manage.
For my case, I had to cycle through all computers (fortunately only 43) and run these commands for trusted delegation. Hopefully there is an easier way, so someone can enlighten us, but if not, this worked for me.
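Added example in PowerShell (not the poster's commands, which did not survive in the thread), assuming a gateway named wac01 and target nodes srv01 to srv03: it sets resource-based constrained delegation for one gateway across a list of nodes, reads the attribute back to verify, and lists every computer in the domain that allows any principal to delegate to it so stray entries can be reviewed.

```powershell
# Added example: configure and audit resource-based constrained delegation
# for a Windows Admin Center gateway. Computer names below are assumptions.
Import-Module ActiveDirectory

$GatewayName = 'wac01'                       # assumed WAC gateway computer
$TargetNodes = @('srv01', 'srv02', 'srv03')  # assumed managed target nodes

function Set-WacGatewayDelegation {
    param(
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string[]]$Nodes
    )
    $gatewayObject = Get-ADComputer -Identity $Gateway
    foreach ($node in $Nodes) {
        # Only the gateway's computer account may obtain Kerberos tickets to
        # this node on the user's behalf. Existing entries are replaced.
        Set-ADComputer -Identity $node -PrincipalsAllowedToDelegateToAccount $gatewayObject
    }
}

function Test-WacGatewayDelegation {
    param(
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string[]]$Nodes
    )
    $gatewayDn = (Get-ADComputer -Identity $Gateway).DistinguishedName
    foreach ($node in $Nodes) {
        # The attribute is returned as a list of distinguished names.
        $allowed = (Get-ADComputer -Identity $node -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
        [pscustomobject]@{
            Node           = $node
            GatewayTrusted = ($allowed -contains $gatewayDn)
            AllPrincipals  = ($allowed -join '; ')
        }
    }
}

# Audit: every computer that lets some principal delegate to it. Anything
# other than the WAC gateway should have a known owner and reason.
function Get-DelegationTargets {
    Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount.Count -gt 0 } |
        Select-Object Name, @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }
}

Set-WacGatewayDelegation -Gateway $GatewayName -Nodes $TargetNodes
Test-WacGatewayDelegation -Gateway $GatewayName -Nodes $TargetNodes | Format-Table -AutoSize
Get-DelegationTargets | Format-Table -AutoSize
```

Run it from an account that can write the managed computer objects; the verification and audit functions only need read access.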
Jul 10 2019 06:05 AM
Jul 24 2019 12:20 PM
Aug 09 2019 01:53 PM
It is absolutely "possible" - it's referred to as a "Gateway Server" type of installation. It's how I run it. You can't connect remotely to a Windows 10 installed version; it is stand-alone and can only be used on that machine. If you install it on a server, then you can connect to it from other machines.
Aug 09 2019 02:02 PM
Aug 09 2019 02:08 PM - edited Aug 09 2019 02:12 PM
It seems I am not speaking clearly, I will try again so hopefully it's understandable.
If I install WAC on a Windows 10 machine named PC1, I can't go to a browser on PC2 and type in http:\\PC1. That is what it means to connect remotely to a Windows 10 install of WAC, which you can't.
Now if you install it on a Server 2016 or 2019 in gateway mode, you can connect to the Windows Admin Center web interface from a remote PC. So if I have it installed on Server1, I can connect to WAC from PC1, PC2, Server2, Tablet1, etc.
So sure, if you're the only admin that needs to manage your environment, install it on your workstation. A waste of time and effort would be to have several individuals install their own WAC and add the desired endpoints. In gateway mode, I added all the endpoints and now any admin can connect to that instance.
I sure hope that helps you to understand.
Aug 09 2019 02:16 PM
Aug 09 2019 02:33 PM
Yeah, that just won't work; it just doesn't allow external clients to connect to it. In regards to installing on PC1 and PC2, from my understanding you would need to add the endpoints to manage on both, thus doubling that work. You are right, it is very lightweight. That's why I didn't spin up a new VM for it, just added it to an existing server with a custom port. I love the Windows Admin Center. This is what I've been waiting on for a long time. I'm just sad that all the run line commands I've memorized over the years are meaningless with this (almost) all-in-one management interface. Have a fantastic day.
Aug 09 2019 03:30 PM
Jun 25 2022 07:00 AM - edited Jun 25 2022 07:01 AM
For those who have a clustered version of WAC, this is how we did the same thing, but included both of our nodes:
Import-Module ActiveDirectory
# Collect the computer accounts of both WAC cluster nodes
[System.Collections.ArrayList]$nodes = @()
$nodes.Add((Get-ADComputer "WAC1"))
$nodes.Add((Get-ADComputer "WAC2"))
# Allow both gateway nodes to delegate to every Windows Server computer account in the domain
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $nodes