How To Enable Single Sign-On (SSO) For Windows Admin Center


Introduction

Windows Admin Center (WAC) is a flexible, locally deployed, browser-based management platform. It contains core tools for troubleshooting, configuring, managing and maintaining Windows Server, Windows Client, Software-Defined Storage (SDS), Software-Defined Networking (SDN), Microsoft Hyper-V Server, and more.

When you start using Windows Admin Center with the gateway installed on Windows Server, you are prompted to sign in with a user that has sufficient privileges, and for every node you need to connect to and manage in your environment you also have to specify a username and password. If Windows Admin Center is installed on Windows 10 (a client machine), Single Sign-On works out of the box. For a production environment, however, it is recommended to have Windows Admin Center installed in a highly available mode.

In this blog post, I will show you how to configure and enable Single Sign-On (SSO) for Windows Admin Center installed on Windows Server, so you can manage your environment passwordless.

Prerequisites

The prerequisites are very simple as follows:

  1. Make sure you are running the latest release of Windows Admin Center (WAC).
  2. Make sure you have at least 1 domain controller running Windows Server 2012 or later in your environment.

Enable Single Sign-On WAC

To enable Single Sign-On in Windows Admin Center, you need to take the following two steps:

  1. First, the supported browser (Google Chrome, Microsoft Edge, or the Chromium-based Microsoft Edge) needs to trust the WAC gateway.
    • Add the FQDN of the Windows Admin Center machine to the “Local Intranet” zone under Internet Properties, as shown in the screenshot below. You can also do this via Group Policy (GPO).
    • Now when you launch the Windows Admin Center portal, you will no longer be prompted for your credentials.
  2. The next step is to configure Kerberos constrained delegation for each node that you want to manage in Windows Admin Center. Since WAC uses PowerShell remoting behind the scenes, this step is what is known as the second hop in PowerShell Remoting. For more information about Kerberos delegation, I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop”.
    • To automate this step, I have created a PowerShell script that sets resource-based Kerberos constrained delegation in your domain. To use it, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:
    # Install and import the AD PowerShell module (RSAT)
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory
    
    # Host name of the Windows Admin Center gateway
    $wac = "VMM"
    
    # Server names that you want to manage with Windows Admin Center in your domain
    $servers = "FSRV01", "FSRV02", "AFS-CORE"
    
    # Get the computer account object of the WAC gateway
    $wacObject = Get-ADComputer -Identity $wac
    
    # Set resource-based Kerberos constrained delegation on each managed node:
    # the node's msDS-AllowedToActOnBehalfOfOtherIdentity now lists the WAC gateway
    foreach ($server in $servers)
    {
        $serverObject = Get-ADComputer -Identity $server
        Set-ADComputer -Identity $serverObject -PrincipalsAllowedToDelegateToAccount $wacObject
    }
    
    • Last but not least, you need to clear the Key Distribution Center (KDC) ticket cache on each node by running the following script; alternatively, restart the node or wait at least 15 minutes for the cache to expire. If you don’t clear the cache, you cannot use SSO immediately; purging the cache simply makes the node obtain a fresh Kerberos ticket right away.
    # Clear the Kerberos ticket cache of the SYSTEM logon session (LUID 0x3e7) on each managed node
    Invoke-Command -ComputerName $servers -ScriptBlock {
        klist purge -li 0x3e7
    }
    
    • Please note that this step is essential: you must configure it for every node that should be managed by WAC. Setting the PrincipalsAllowedToDelegateToAccount property of the managed node to the WAC server’s computer account makes the managed node accept Kerberos tickets that have been delegated by the WAC server. Hence, every new node (server) introduced to the domain will need to have this configured; otherwise, WAC users will have to re-enter their password each and every time.
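As an added example (not part of the original post or its script), the following PowerShell checks both steps above from the management machine: whether the gateway FQDN is assigned to the Local Intranet zone (zone id 1), either directly in the user's ZoneMap or through the GPO “Site to Zone Assignment List”, and whether each managed node lists only the WAC gateway in its PrincipalsAllowedToDelegateToAccount. The host names are those from the post; the FQDN `vmm.contoso.local` is a placeholder.

```powershell
# Added verification script (assumption: same host names as the post, placeholder FQDN)
Import-Module ActiveDirectory

$wac     = "VMM"
$wacFqdn = "vmm.contoso.local"   # placeholder, replace with your gateway's FQDN
$servers = "FSRV01", "FSRV02", "AFS-CORE"

# --- Step 1: is the gateway FQDN in the Local Intranet zone (zone id 1)? ---
# Internet Properties stores manual entries as ...\ZoneMap\Domains\<domain>\<host>
# with a DWORD named after the scheme; GPO entries live under ...\ZoneMapKey.
$label, $domain = $wacFqdn -split '\.', 2
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
$manualZone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).https

$policyHit = foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p) { $p.PSObject.Properties | Where-Object { $_.Name -like "*$wacFqdn*" -and $_.Value -eq 1 } }
}

if ($manualZone -eq 1 -or $policyHit) { "OK      : $wacFqdn is in the Local Intranet zone" }
else { "WARN    : $wacFqdn is not in the Local Intranet zone; the browser will prompt for credentials" }

# --- Step 2: does every managed node trust the gateway, and nothing else, for RBCD? ---
$wacDn = (Get-ADComputer -Identity $wac).DistinguishedName

foreach ($server in $servers) {
    $node = Get-ADComputer -Identity $server -Properties PrincipalsAllowedToDelegateToAccount
    # values are distinguished names; cast so both string and ADPrincipal results compare
    $allowed = @($node.PrincipalsAllowedToDelegateToAccount | ForEach-Object { [string]$_ })

    if ($allowed -contains $wacDn) { "OK      : $server allows $wac to delegate to it" }
    else { "MISSING : $server does not list $wac; SSO to this node will prompt for a password" }

    # RBCD lets the listed principal impersonate users to this node, so any entry
    # other than the WAC gateway should be explained or removed.
    $extra = $allowed | Where-Object { $_ -ne $wacDn }
    if ($extra) { "REVIEW  : $server also allows: $($extra -join '; ')" }
}
```

Run it after the delegation script and again whenever a node is added to the domain; a MISSING line is the node that will still prompt for a password in WAC.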

Now let’s see how Single Sign-On (SSO) works in Windows Admin Center in action!

For this demo, I have set up resource-based Kerberos constrained delegation on 3 servers (FSRV01, FSRV02, AFS-CORE), and skipped DC01 server.

Summary

Microsoft Windows Admin Center is the future of the remote server management experience. This is a great step by Microsoft for on-premises environments and for Azure, providing a single pane of glass for managing your servers wherever they are. Windows Admin Center helps you manage and configure Server Core installations and drastically reduces the need to log in locally on every server.

In this article, I showed you how to enable Single Sign-On (SSO) for Windows Admin Center via resource-based Kerberos constrained delegation. The beauty of it is that Windows Hello for Business works as well.

And that’s it. Enjoy managing your servers passwordless 🙂

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
