How to Enable Single Sign-On (SSO) For Windows Admin Center


In this article, we will show you how to configure and enable Single Sign-On (SSO) for Windows Admin Center installed on Windows Server, so you can manage your environment passwordless.

Introduction

Windows Admin Center (WAC) is a flexible, locally deployed, browser-based management platform and solution. It contains core tools for troubleshooting, configuration, management, and maintenance for Windows Server, Windows Client, Software-Defined Storage (SDS), Software-Defined Network (SDN), Microsoft Hyper-V Server, and more.

Windows Admin Center is not only for managing servers, clusters, hyper-converged infrastructure, and Windows 10/11 clients, but it also lets you connect your Windows Server to Azure hybrid services whether they are running on-premises or in a different cloud provider. There are many more hybrid services for Windows Server, which you can leverage with Windows Admin Center.

When you start using Windows Admin Center with the gateway installed on Windows Server, you will be prompted to sign in with a user who has sufficient privileges, and for every node you want to connect to and manage in your environment you also need to specify a username and password. If Windows Admin Center is installed on Windows 10 (a client machine), it is ready to use Single Sign-On out of the box. However, for a production environment, it is recommended to have Windows Admin Center installed in a highly available mode.

Prerequisites

The prerequisites are simple:

1) Make sure you are running the latest release of Windows Admin Center (WAC).

2) Make sure you have at least 1 domain controller running Windows Server 2012 or later in your environment.

Enable Single Sign-On in Windows Admin Center

To truly enable Single Sign-On on Windows Admin Center, you need to take the following 2 steps:

1) First, the supported browsers (Google Chrome, Microsoft Edge, and Microsoft Edge based on Chromium) need to trust the WAC gateway.

  • You need to add the FQDN of the Windows Admin Center machine to the “Trusted Local Intranet Zone” under Internet Properties as shown in the screenshot below. You can also do this via Group Policy (GPO).
[Screenshot: Trusted Local Intranet Zone]
  • Now when you launch the Windows Admin Center portal, you won’t be prompted to enter your credentials anymore.

2) The next step is to add Kerberos Constrained Delegation on each node that you want to manage in Windows Admin Center. Since WAC uses PowerShell behind the scenes, this step addresses what is known as the second hop in PowerShell Remoting. For more information about Kerberos delegation, we suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop”.

  • To automate this step, I have created a PowerShell script that will help you set resource-based Kerberos constrained delegation in your domain. To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:

# Add and import the Active Directory PowerShell module
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

# Host name of the Windows Admin Center gateway
$wac = "VMM"

# Server names and cluster names that you want to manage with Windows Admin Center in your domain
# $servers = "FSRV01", "FSRV02", "AFS-CORE", "HCI-CLUSTER1"

# Instead of adding the list of servers manually as above,
# you can specify the path of a .csv file to import a large number of servers/clusters.
# The CSV file must have a header for the column of computer names called 'NETBIOS_NAME'.
$servers = Read-Host "`nSpecify the full path to a CSV file (include spaces, but no quotes)"

Try {
    $CSVData = @(Import-Csv -Path $servers -ErrorAction Stop)
    Write-Verbose "Successfully imported entries from $servers"
    Write-Verbose "Total no. of servers in CSV: $($CSVData.Count)"
}
Catch {
    # Write-Warning is always visible, unlike Write-Verbose without -Verbose
    Write-Warning "Failed to read from the CSV file $servers. Exiting!"
    Break
}

# Get the identity object of Windows Admin Center (WAC)
$wacObject = Get-ADComputer -Identity $wac

# Set the resource-based Kerberos constrained delegation on each node:
# the managed node's computer account is told to trust tickets delegated by the WAC gateway
foreach ($server in $CSVData)
{
    $serverName   = $server.NETBIOS_NAME
    $serverObject = Get-ADComputer -Identity $serverName
    Set-ADComputer -Identity $serverObject -PrincipalsAllowedToDelegateToAccount $wacObject -Verbose
}
  • Last but not least, you need to clear the Key Distribution Center (KDC) caches on the managed nodes by running the following script; alternatively, you can restart the node or wait at least 15 minutes for the cache to expire. If you don’t clear the cache, you cannot use SSO immediately; clearing the KDC cache simply gets you a fresh Kerberos ticket right away.

# Clear the KDC cache on each managed node imported from the CSV
# (0x3e7 is the logon session of the local SYSTEM account, which holds the computer's tickets)
Invoke-Command -ComputerName $CSVData.NETBIOS_NAME -ScriptBlock {
    klist purge -li 0x3e7
}

  • Please note that this step is essential: you must configure it for every node that WAC should manage, by setting the PrincipalsAllowedToDelegateToAccount property of the managed node to the WAC server’s computer account, which makes the managed node accept Kerberos tickets that the WAC server has delegated. Hence, every new node (server) introduced to the domain will need to have this configured. Otherwise, WAC users will have to re-enter their passwords each and every time.
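Because every new node needs this configured, it helps to audit the domain periodically for nodes that are missing the setting, or that trust more principals than just the WAC gateway. The following audit script is an added example and not part of the original post; it assumes the same CSV layout as above (a NETBIOS_NAME column), the gateway name "VMM" from the article, and an assumed CSV path.

```powershell
# Added example: audit resource-based constrained delegation for the managed nodes.
# Assumes the ActiveDirectory module is installed on the management machine.
Import-Module ActiveDirectory

$wac     = "VMM"                      # WAC gateway host name (from the article)
$csvPath = "C:\Temp\wac-nodes.csv"    # assumed path to your CSV file (NETBIOS_NAME column)

$wacObject = Get-ADComputer -Identity $wac
$nodes     = Import-Csv -Path $csvPath

$report = foreach ($node in $nodes) {
    $name = $node.NETBIOS_NAME
    try {
        # The property is not returned by default, so request it explicitly
        $obj = Get-ADComputer -Identity $name -Properties PrincipalsAllowedToDelegateToAccount -ErrorAction Stop
    }
    catch {
        [pscustomobject]@{ Node = $name; Status = 'NotFound'; Principals = '' }
        continue
    }

    # The property holds the distinguished names of the accounts allowed to delegate to this node
    $principals = @($obj.PrincipalsAllowedToDelegateToAccount)
    $trustsWac  = $principals -contains $wacObject.DistinguishedName

    # Any principal other than the WAC gateway widens who may act on behalf of users to this node
    $extra = @($principals | Where-Object { $_ -ne $wacObject.DistinguishedName })

    [pscustomobject]@{
        Node       = $name
        Status     = if ($trustsWac -and $extra.Count -eq 0) { 'OK' }
                     elseif ($trustsWac) { 'OK-ExtraPrincipals' }
                     else { 'Missing' }
        Principals = ($principals -join '; ')
    }
}

$report | Format-Table -AutoSize

# Remediation for nodes flagged 'Missing', using the same cmdlet as the article.
# Note: the cmdlet REPLACES the whole list, so it is only applied to nodes that have no WAC entry yet.
# Remove -WhatIf once the output looks right.
$report | Where-Object Status -eq 'Missing' | ForEach-Object {
    Set-ADComputer -Identity $_.Node -PrincipalsAllowedToDelegateToAccount $wacObject -WhatIf
}
```

Nodes reported as OK-ExtraPrincipals deserve a manual look, since the extra principals are not something the WAC setup itself requires.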

Adding Kerberos constrained delegation manually

If you don’t want to use PowerShell to add Kerberos Constrained Delegation on each server that you want to manage in Windows Admin Center, then take the following steps:

Open the Active Directory Users and Computers console and locate the server that you want to manage with Windows Admin Center. Open the properties of the server and, under the Delegation tab of the account properties, select > Trust this computer for delegation to specified services only > Use Kerberos only.

Click Add…, then select Users or Computers…, search for the computer account of the Windows Admin Center server, and then select/add the WSMAN service as shown in the figure below.

[Screenshot: Trust this computer for delegation to specified services only]

Please note that you need to repeat the same steps described above for each server that you want to manage in Windows Admin Center.

Verify Single Sign-On in Windows Admin Center

Now let’s see how Single Sign-On (SSO) works in Windows Admin Center in action!

For this demo, I have set up resource-based Kerberos constrained delegation on 3 servers (FSRV01, FSRV02, AFS-CORE), and skipped the DC01 server.


Summary

Microsoft Windows Admin Center is the future of the remote server management experience. This is a great step by Microsoft, both for on-premises environments and for Azure, towards a single pane of glass for managing your servers wherever they are. Windows Admin Center will help you manage and configure Server Core installations and drastically reduces the need to log in locally on every server.

In this article, I showed you how to enable Single Sign-On (SSO) for Windows Admin Center via resource-based Kerberos constrained delegation. The beauty of it is that Windows Hello for Business works as well.

And that’s it. Enjoy managing your servers passwordless :)

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


11 thoughts on “How to Enable Single Sign-On (SSO) For Windows Admin Center”


  1. Hello James, thanks for the feedback.
    Please note that I have updated the script to import a large number of servers using a CSV file instead.
    Give it a try and let me know if it works for you.
    Thank You!

  2. Does it need to be the NETBIOS name? What if you have disabled NTLM and NETBIOS over TCP/IP on the domain and don’t have NETBIOS available?

  3. Hello Matt, thanks for the comment.
    The Single Sign-On (SSO) will work even if you have disabled NTLM and NETBIOS over TCP/IP on your domain.
    As noted in the article in Step 2, we are using Kerberos and not NTLM. And in Step 3, we are clearing the Key Distribution Center (KDC) cache database used by Kerberos.
    As long as you have DNS working fine in your environment, you should be ready to go.
    Looking forward to your confirmation after you test it in your domain.
    Hope this helps!

  4. Hi.
    Thanks for this Post and the script.
    In the script there is a little error: use import-csv instead of read-host, then it works.
    Regards
    Martin

  5. I don’t want to use your PowerShell script and you don’t provide an alternate solution to add the services manually. Which service do I need to add from each server in the delegation for WAC to work with Kerberos? WSMAN?
