How To Enable Single Sign-On (SSO) For Windows Admin Center



Windows Admin Center (WAC) is a flexible, locally-deployed, browser-based management platform and solution. It contains core tools for troubleshooting, configuration, management, and maintenance for Windows Server, Windows Client, Software-Defined Storage (SDS), Software-Defined Network (SDN), Microsoft Hyper-V Server, and more.

When you start using Windows Admin Center with the gateway installed on Windows Server, you are prompted to sign in with a user that has enough privileges, and you also need to specify a username and password for every node you connect to and manage in your environment. If Windows Admin Center is installed on Windows 10 (client machine), it’s ready to use Single Sign-On. However, for a production environment, it’s recommended to have Windows Admin Center installed in a highly available mode.

In this blog post, I will show you how to configure and enable Single Sign-On (SSO) for Windows Admin Center installed on Windows Server, so you can manage your environment passwordless.


The prerequisites are very simple as follows:

  1. Make sure you are running the latest release of Windows Admin Center (WAC).
  2. Make sure you have at least 1 domain controller running Windows Server 2012 or later in your environment.

Enable Single Sign-On WAC

To truly enable Single Sign-On on Windows Admin Center, you need to take the following 2 steps:

  1. First, the supported browser (Google Chrome, Microsoft Edge, and Microsoft Edge based on Chromium) needs to trust WAC.
    • You need to add the FQDN of the Windows Admin Center machine to the “Trusted Local Intranet Zone” under Internet Properties as shown in the screenshot below. You can also do it via Group Policy (GPO).
    • Now when you launch the Windows Admin Center portal, you won’t be prompted to enter your credentials anymore.
  2. The next step is to configure Kerberos Constrained Delegation on each node that you want to manage in Windows Admin Center. Since WAC uses PowerShell behind the scenes, this step is known as the second hop in PowerShell Remoting. For more information about Kerberos delegation, I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop”.
    • To automate this step, I have created a PowerShell script that will help you to set the resource-based Kerberos constrained delegation in your domain. To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:
    # Add and import AD PowerShell
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory
    # Host name of Windows Admin Center
    $wac = "VMM"
    # Server names and Cluster names that you want to manage with Windows Admin Center in your domain
    $servers = "FSRV01", "FSRV02", "AFS-CORE", "HCI-CLUSTER1"
    # Get the identity object of WAC
    $wacObject = Get-ADComputer -Identity $wac
    # Set the resource-based Kerberos constrained delegation for each node
    foreach ($server in $servers) {
        # Look up the computer account of the managed node
        $serverObject = Get-ADComputer -Identity $server
        # Allow the WAC computer account to delegate to this node
        Set-ADComputer -Identity $serverObject -PrincipalsAllowedToDelegateToAccount $wacObject
    }
    • Last but not least, you need to clear the Key Distribution Center (KDC) cache on each node by running the following script. You could also restart the node, or wait at least 15 minutes for the cache to clear. If you don’t clear the cache, you cannot use SSO immediately; clearing the KDC cache simply gets you a fresh Kerberos ticket right away.
    # Clear KDC Cache
    Invoke-Command -ComputerName $servers -ScriptBlock {
        # Purge the Kerberos tickets of the Local System logon session (0x3e7)
        klist purge -li 0x3e7
    }
    • Please note that this step is essential: you must configure it for every node that WAC should manage. Setting the PrincipalsAllowedToDelegateToAccount property of the managed node to the WAC server’s computer account makes the managed node accept Kerberos tickets that the WAC server has delegated. Hence, every new node (server) introduced to the domain will need to have this configured. Otherwise, WAC users will have to re-enter their passwords each and every time.
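
To confirm the delegation set above and to spot nodes where it is missing, the following audit reads the PrincipalsAllowedToDelegateToAccount value back from Active Directory. It is an added example, not part of the original post; the function name Get-RbcdStatus is hypothetical, and $wac and $servers reuse the sample host names from the script above. The last command goes beyond the post's node list and sweeps the domain for any other computer that has resource-based delegation configured.

```powershell
# Added example (not from the original post): read back and audit the
# resource-based constrained delegation configured for Windows Admin Center.
Import-Module ActiveDirectory

# Sample host names reused from the post; replace with your own.
$wac     = "VMM"
$servers = "FSRV01", "FSRV02", "AFS-CORE", "HCI-CLUSTER1"

# Distinguished name of the WAC gateway's computer account
$wacDn = (Get-ADComputer -Identity $wac).DistinguishedName

# Get-RbcdStatus is a hypothetical helper name used only in this example.
function Get-RbcdStatus {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ExpectedDn
    )
    $node = Get-ADComputer -Identity $ComputerName -Properties PrincipalsAllowedToDelegateToAccount
    # Normalise to an array of DN strings; empty when nothing is configured
    $allowed = @($node.PrincipalsAllowedToDelegateToAccount | Where-Object { $_ } | ForEach-Object { "$_" })
    $extra   = @($allowed | Where-Object { $_ -ne $ExpectedDn })

    if ($allowed -notcontains $ExpectedDn) { $status = 'MissingWac' }
    elseif ($extra.Count -gt 0)            { $status = 'ExtraPrincipals' }
    else                                   { $status = 'OK' }

    [pscustomobject]@{
        Node            = $node.Name
        Status          = $status
        ExtraPrincipals = $extra -join '; '
    }
}

# 1) Check every node that WAC is supposed to manage
$servers | ForEach-Object { Get-RbcdStatus -ComputerName $_ -ExpectedDn $wacDn } | Format-Table -AutoSize

# 2) Sweep the domain for computers that accept delegated tickets but are not in the list
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $servers -notcontains $_.Name } |
    Select-Object Name, @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }
```

Because Set-ADComputer -PrincipalsAllowedToDelegateToAccount replaces the existing value rather than appending to it, an ExtraPrincipals result is worth reviewing before re-running the setup script.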

Now let’s see how Single Sign-On (SSO) works in Windows Admin Center in action!

For this demo, I have set up resource-based Kerberos constrained delegation on 3 servers (FSRV01, FSRV02, AFS-CORE), and skipped the DC01 server.



Microsoft Windows Admin Center is the future of remote server management experience. This is a great step by Microsoft for the on-premises environment and for Azure to have a single pane of glass for managing your servers wherever they are. Windows Admin Center will help to manage and configure Server Core installations and drastically reduce the need to log in locally on every server.

In this article, I showed you how to enable Single Sign-On (SSO) for Windows Admin Center via resource-based Kerberos constrained delegation. The beauty of it is that Windows Hello for Business works as well.

And that’s it. Enjoy managing your servers passwordless :)

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


2 thoughts on “How To Enable Single Sign-On (SSO) For Windows Admin Center”


  1. Very helpful. Straight to the point. Great work and thanks for the help!

  2. Very helpful. Thanks man
