How To Enable Single Sign-On (SSO) For Windows Admin Center


Introduction

Windows Admin Center (WAC) is a flexible, locally deployed, browser-based management platform and solution. It contains core tools for troubleshooting, configuration, management, and maintenance for Windows Server, Windows Client, Software-Defined Storage (SDS), Software-Defined Network (SDN), Microsoft Hyper-V Server, and more.

When you start using Windows Admin Center with the gateway installed on Windows Server, you are prompted to sign in with a user that has sufficient privileges, and for every node you connect to and manage in your environment you have to specify a username and password again. If Windows Admin Center is installed on Windows 10 (a client machine), it is ready to use Single Sign-On out of the box. For a production environment, however, it is recommended to install Windows Admin Center in a highly available mode.

In this blog post, I will show you how to configure and enable Single Sign-On (SSO) for Windows Admin Center installed on Windows Server, so you can manage your environment without being prompted for a password at every hop.

Prerequisites

The prerequisites are very simple as follows:

  1. Make sure you are running the latest release of Windows Admin Center (WAC).
  2. Make sure you have at least 1 domain controller running Windows Server 2012 or later in your environment.

Enable Single Sign-On WAC

To truly enable Single Sign-On on Windows Admin Center, you need to take the following 2 steps:

  1. First, we need to make the supported browsers (Google Chrome, Microsoft Edge, and Microsoft Edge based on Chromium) trust the WAC gateway.
    • You need to add the FQDN of the Windows Admin Center machine to the “Trusted Local Intranet Zone” under Internet Properties, as shown in the screenshot below. You can also do this via Group Policy (GPO).
    • Now when you launch the Windows Admin Center portal, you won’t be prompted to enter your credentials anymore.
  2. The next step is to configure Kerberos constrained delegation for each node that you want to manage in Windows Admin Center. Since WAC uses PowerShell remoting behind the scenes, this step addresses what is known as the second hop problem in PowerShell Remoting. For more information about Kerberos delegation, I suggest reading the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop”.
    • To automate this step, I have created a PowerShell script that will help you to set the resource-based Kerberos constrained delegation in your domain. To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:
    # Add and import the AD PowerShell module
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory

    # Host name of the Windows Admin Center gateway
    $wac = "VMM"

    # Server names and cluster names that you want to manage with Windows Admin Center in your domain
    # $servers = "FSRV01", "FSRV02", "AFS-CORE", "HCI-CLUSTER1"

    # Instead of adding the list of servers manually as above,
    # you can specify the path of a .csv file to import a large number of servers/clusters.
    # If you provide a CSV file, make sure the column of computer names has the header 'NETBIOS_NAME'
    $servers = Read-Host "`nSpecify the full path to a CSV file (include spaces, but no quotes)" -ErrorAction Stop

    Try {
        $CSVData = @(Import-CSV -Path $servers -ErrorAction Stop)
        Write-Verbose "Successfully imported entries from $servers"
        Write-Verbose "Total no. of servers in CSV are : $($CSVData.count)"
    }
    Catch {
        Write-Verbose "Failed to read from the CSV file $servers Exiting!"
        Break
    }

    # Get the identity object of Windows Admin Center (WAC)
    $wacobject = Get-ADComputer -Identity $wac

    # Set the resource-based Kerberos constrained delegation for each node
    foreach ($server in $CSVData)
    {
        $server = $server.NETBIOS_NAME
        $serverObject = Get-ADComputer -Identity $server
        Set-ADComputer -Identity $serverObject -PrincipalsAllowedToDelegateToAccount $wacobject -Verbose
    }
    
    • Last but not least, you need to clear the Key Distribution Center (KDC) caches on the managed nodes by running the following script; alternatively, you can restart the node or wait at least 15 minutes for the cache to expire. If you don’t clear the cache, you cannot use SSO immediately; purging the cache simply makes the node obtain a fresh Kerberos ticket right away.
    # Clear the KDC cache on every node imported from the CSV
    # ($CSVData and its NETBIOS_NAME column come from the delegation script above)
    Invoke-Command -ComputerName $CSVData.NETBIOS_NAME -ScriptBlock {
        # 0x3e7 is the logon ID of the local SYSTEM session on the node
        klist purge -li 0x3e7
    }
    
    • Please note that this step is essential: you must configure it for every node that WAC should manage. Setting the PrincipalsAllowedToDelegateToAccount property of the managed node to the WAC server’s computer account makes the managed node accept Kerberos tickets that the WAC server has delegated. Hence, every new node (server) introduced to the domain will need to have this configured. Otherwise, WAC users will have to re-enter their passwords each and every time.
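To script the first step and to verify the second one afterwards, here is an added PowerShell example; it is my own addition and not part of the script from the post. Add-WacIntranetZone writes the per-user ZoneMap registry entry that places the gateway FQDN in the Local intranet zone (zone 1), which is the registry equivalent of the Internet Properties dialog, and Test-WacDelegation reads each node’s PrincipalsAllowedToDelegateToAccount back from Active Directory and reports nodes where the WAC computer account is missing or where another principal is also allowed to delegate, since resource-based constrained delegation is a setting worth auditing regularly. The function names, the host name 'wac', the domain 'contoso.com', the computer name 'WAC01' and the CSV path are placeholders; the CSV uses the same NETBIOS_NAME header as the script above.

```powershell
# Added example (not from the original post). Assumes an elevated console with the
# ActiveDirectory module available and a CSV with a NETBIOS_NAME column.
#Requires -Modules ActiveDirectory

function Add-WacIntranetZone {
    # Step 1: map the WAC FQDN to the Local intranet zone (zone value 1) for the current
    # user, so Chrome/Edge send the user's Kerberos ticket instead of prompting.
    param(
        [Parameter(Mandatory)] [string] $HostName,   # placeholder, e.g. 'wac'
        [Parameter(Mandatory)] [string] $DnsDomain   # placeholder, e.g. 'contoso.com'
    )
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key = "$zoneMap\$DnsDomain\$HostName"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Map only the https scheme: the gateway is TLS-only, and mapping http or '*' would
    # widen the intranet zone (and the automatic credential sending) further than needed.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $key).https   # 1 on success
}

function Test-WacDelegation {
    # Step 2 audit: for each managed node, confirm that the WAC gateway's computer account
    # is the only principal allowed to delegate to it, and flag anything else as drift.
    param(
        [Parameter(Mandatory)] [string] $WacComputer,   # placeholder, e.g. 'WAC01'
        [Parameter(Mandatory)] [string] $CsvPath        # placeholder path to the node CSV
    )
    $wacDn = (Get-ADComputer -Identity $WacComputer).DistinguishedName
    foreach ($node in (Import-Csv -Path $CsvPath)) {
        $name = $node.NETBIOS_NAME
        $obj  = Get-ADComputer -Identity $name -Properties PrincipalsAllowedToDelegateToAccount
        # AD returns the allowed principals; normalise each entry to its distinguished name
        $allowed = @($obj.PrincipalsAllowedToDelegateToAccount | ForEach-Object {
            if ($_.DistinguishedName) { $_.DistinguishedName } else { [string]$_ }
        })
        $hasWac = $allowed -contains $wacDn
        $extra  = @($allowed | Where-Object { $_ -ne $wacDn })
        $status = if (-not $hasWac) { 'MISSING' } elseif ($extra.Count -gt 0) { 'REVIEW' } else { 'OK' }
        [pscustomobject]@{
            Node                 = $name
            WacAllowed           = $hasWac
            UnexpectedPrincipals = ($extra -join ';')
            Status               = $status
        }
    }
}

# Usage (placeholder values):
# Add-WacIntranetZone -HostName 'wac' -DnsDomain 'contoso.com'
# Test-WacDelegation -WacComputer 'WAC01' -CsvPath 'C:\temp\nodes.csv' | Format-Table -AutoSize
```

Run Add-WacIntranetZone on the admin workstation as the user who opens the browser (it writes under HKCU), and run Test-WacDelegation from the management machine after the delegation script; a node reported as MISSING will still prompt for credentials, while REVIEW means someone other than the gateway has been granted delegation rights to that node and should be checked.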

Now let’s see how Single Sign-On (SSO) works in Windows Admin Center in action!

For this demo, I have set up resource-based Kerberos constrained delegation on 3 servers (FSRV01, FSRV02, AFS-CORE), and skipped the DC01 server.


Summary

Microsoft Windows Admin Center is the future of the remote server management experience. This is a great step by Microsoft for on-premises environments and for Azure, providing a single pane of glass for managing your servers wherever they are. Windows Admin Center will help you manage and configure Server Core installations and drastically reduce the need to log in locally on every server.

In this article, I showed you how to enable Single Sign-On (SSO) for Windows Admin Center via resource-based Kerberos constrained delegation. The beauty of it is that Windows Hello for Business works as well.

And that’s it. Enjoy managing your servers with Passwordless :)

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


4 thoughts on “How To Enable Single Sign-On (SSO) For Windows Admin Center”


  1. Very helpful. Straight to the point. Great work and thanks for the help!

  2. Very helpful. Thanks man

  3. How could you re-write this to use a CSV file or a Get-ADComputer query?

  4. Hello James, thanks for the feedback.
    Please note that I have updated the script to import a large number of servers using a CSV file instead.
    Give it a try and let me know if it works for you.
    Thank You!
