articles/virtual-desktop/configure-single-sign-on.md: 17 additions & 18 deletions
@@ -7,7 +7,7 @@ manager: femila
7
7
8
8
ms.service: virtual-desktop
9
9
ms.topic: how-to
10
-
ms.date: 09/22/2022
10
+
ms.date: 12/06/2022
11
11
ms.author: helohr
12
12
---
13
13
# Configure single sign-on for Azure Virtual Desktop using Azure AD Authentication
@@ -19,7 +19,7 @@ ms.author: helohr
19
19
20
20
This article will walk you through the process of configuring single sign-on (SSO) using Azure Active Directory (Azure AD) authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Azure AD to sign in to your Azure Virtual Desktop and Remote Applications.
21
21
22
-
For additional passwordless functionality within the session, see the **Next Steps** section for configuring in-session passwordless authentication below.
22
+
For additional passwordless functionality within the session, see the [**Next Steps**](#next-steps) section for configuring in-session passwordless authentication below.
23
23
24
24
> [!NOTE]
25
25
> Azure Virtual Desktop (classic) doesn't support this feature.
@@ -28,31 +28,29 @@ For additional passwordless functionality within the session, see the **Next Ste
28
28
29
29
Single sign-on is available on session hosts using the following operating systems:
30
30
31
-
- Windows 11 Enterprise single or multi-session with the [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed.
32
-
- Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed.
33
-
- Windows Server 2022 with the [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed.
31
+
- Windows 11 Enterprise single or multi-session with the [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed.
32
+
- Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed.
33
+
- Windows Server 2022 with the [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed.
34
+
35
+
Session hosts must be Azure AD-joined or [Hybrid Azure AD-Joined](https://learn.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
34
36
35
-
Session Hosts must be Azure AD or Hybrid Joined:
36
-
- You can enable SSO for connections to Azure Active Directory (AD)-joined VMs. If session hosts need access to SMB shares for FSLogix profiles, you will also need to enable [Kerberos for Azure AD.](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md)
37
-
- You can also use SSO to access Hybrid Azure AD-joined VMs, but only after [creating a Kerberos Server object within your Active Directory.](../active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md#create-a-kerberos-server-object)
38
37
> [!NOTE]
39
-
> Azure Virtual Desktop doesn't support this solution with VMs joined to Azure AD Domain Services.
38
+
> Azure Virtual Desktop doesn't support this solution with VMs joined to Azure AD Domain Services or Active Directory only joined session hosts.
40
39
41
-
Connections currently supported:
42
-
-[Windows Desktop client](users/connect-windows.md) on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Azure AD.
43
-
-[Web client](users/connect-web.md).
40
+
You must [Create a Kerberos Server object](../active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md#create-a-kerberos-server-object) when your session host is:
44
41
45
-
> [!IMPORTANT]
46
-
> SSO is currently only supported in the Azure Public cloud.
42
+
- Hybrid Azure AD-joined. Azure AD Kerberos is needed to complete the authentication to the domain controller.
43
+
- Azure AD-joined and your environment contains Active Directory Domain Controllers. Azure AD Kerberos is required in this case for users to access on-premises resources, like SMB shares, and Windows-integrated authentication to websites.
44
+
45
+
Clients currently supported:
47
46
48
-
## Enable single sign-on
47
+
-[Windows Desktop client](users/connect-windows.md) on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Azure AD.
48
+
-[Web client](users/connect-web.md).
49
49
50
-
If your host pool contains Hybrid Azure AD-joined session hosts, you must first enable Azure AD Kerberos in your environment by creating a Kerberos Server object. Azure AD Kerberos enables the authentication needed with the domain controller. We recommended you also enable Azure AD Kerberos for Azure AD-joined session hosts if you have a Domain Controller (DC). Azure AD Kerberos provides a single sign-on experience when accessing legacy Kerberos-based applications or network shares. To enable Azure AD Kerberos in your environment, follow the steps to [Create a Kerberos Server object](../active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md#create-a-kerberos-server-object) on your DC.
50
+
## Enable single sign-on
51
51
52
52
To enable SSO on your host pool, you must [customize an RDP property](customize-rdp-properties.md). You can find the **Azure AD Authentication** property under the **Connection information** tab in the Azure portal or set the **enablerdsaadauth** property to **1** using PowerShell.
53
53
54
-
For additional reference: [Deep dive: How Azure AD Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889)
55
-
56
54
> [!IMPORTANT]
57
55
> If you enable SSO on your Hybrid Azure AD-joined VMs before you create the Kerberos server object, you won't be able to connect to the VMs, and you'll see an error message saying the specific log on session doesn't exist.
58
56
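Review bot: The removed `> [!IMPORTANT]` / `> SSO is currently only supported in the Azure Public cloud.` has no replacement anywhere in the new text, so the cloud-availability restriction is silently dropped; if it still applies, keep the note (the end of the "Clients currently supported:" list is a natural spot), and if it was lifted, the commit should say so. Smaller points in the same hunk: the new paragraph beginning "If your host pool contains Hybrid Azure AD-joined session hosts" says "We recommended you also enable" (should be "We recommend") and restates the Kerberos Server object requirement already given by the new "You must [Create a Kerberos Server object] ... when your session host is:" list, so one of the two could be trimmed; "Azure AD Domain Services or Active Directory only joined session hosts" reads better as "Active Directory-only joined session hosts"; the new Hybrid Azure AD join link uses an absolute https://learn.microsoft.com URL where every other link in the file is a relative path; and the two client items `-[Windows Desktop client]` and `-[Web client]` carry over the missing space after the hyphen, so they will not render as a list. The removed FSLogix pointer to `../storage/files/storage-files-identity-auth-azure-active-directory-enable.md` is also gone; if Azure Files SMB shares for profiles are still in scope, the new "on-premises resources, like SMB shares" sentence is where it could be restored.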
@@ -63,6 +61,7 @@ When enabling single sign-on, you'll currently be prompted to authenticate to Az
63
61
## Next steps
64
62
65
63
- Check out [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview) to learn how to enable passwordless authentication.
64
+
- For more information about Azure AD Kerberos, see [Deep dive: How Azure AD Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889)
66
65
- If you're accessing Azure Virtual Desktop from our Windows Desktop client, see [Connect with the Windows Desktop client](./users/connect-windows.md).
67
66
- If you're accessing Azure Virtual Desktop from our web client, see [Connect with the web client](./users/connect-web.md).
68
67
- If you encounter any issues, go to [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).
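Review bot: The added item ending in `ba-p/3070889)` has no trailing period while the neighbouring list items do; add one for consistency. Otherwise moving the Azure AD Kerberos deep-dive link from the body into Next steps matches the removal in the earlier hunk.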