In this post we’ll configure Seamless Single Sign-On for Internet Explorer.

Existing setup already completed:

  1. Two Local users created
  2. Azure AD Connect configured

Existing Devices:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (to be Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (to be Intune Managed)

Create a Group of users who can apply the Group Policy

Open Active Directory Users and Computers

Right click Users, select New and click Group.

Enter Group name and click OK. Here I have used SeamlessSSOUsers.

Open the Group properties created above. Go to Members and add the necessary users. Click OK when done.

Configure Seamless Single Sign-On (2 methods, use only one)

Method 1: Configure Seamless Single Sign-On using Group Policy (the admin locks down the Intranet zone site list; users cannot modify their own settings)

On the Domain Controller, navigate to Windows Administrative Tools -> Group Policy Management.

Right click your domain and select Create a GPO in this domain, and Link it here….

Enter the name and click OK. I used SeamlessSSO GPO.

Right click on the above created GPO and click Edit….

Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Right click Site to Zone Assignment List and click Edit.

Select Enabled and click on Show….

Enter below and click OK.

Value Name: https://autologon.microsoftazuread-sso.com    Value: 1

Value Name: https://aadg.windows.net.nsatc.net    Value: 1

(Value 1 is the Local intranet zone. Enter only these two exact hosts; the zone assignment is what lets Internet Explorer send integrated Windows credentials to them.)

Click OK.

Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Intranet Zone.

Right click Allow updates to status bar via script and click Edit.

Select Enabled.

In the Status bar updates via script drop-down, select Enable and click OK.

Close the window.

Select the above created GPO. In Security Filtering, click Add….

Add the above created group.

Navigate to Delegation tab and click on Advanced….

Click Authenticated Users and uncheck Apply group policy.

Click OK.
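The group creation steps and the Method 1 GPO steps above can also be scripted. The following is an added example, not a script from the original post: it uses the RSAT ActiveDirectory and GroupPolicy modules on the Domain Controller, and the registry values it writes are the ones the Site to Zone Assignment List and Allow updates to status bar via script templates store in the Policies hive. The group and GPO names are the ones used in the post; the member account names are constructed placeholders.

```powershell
# Added example (not from the original post). Run on the DC as a domain admin.
# Assumes RSAT: ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'SeamlessSSOUsers'      # group name from the post
$GpoName   = 'SeamlessSSO GPO'       # GPO name from the post
$Members   = @('user1', 'user2')     # constructed placeholders: replace with the two local users

$domain         = Get-ADDomain
$usersContainer = "CN=Users,$($domain.DistinguishedName)"

# 1. Security group that the GPO will be filtered to
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $usersContainer
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. GPO created and linked at the domain root
#    (same result as "Create a GPO in this domain, and Link it here...")
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $domain.DistinguishedName | Out-Null
}

# 3. Site to Zone Assignment List. The template writes one REG_SZ per site under
#    ZoneMapKey (name = URL, data = zone number; "1" = Local intranet) and flags
#    the list as policy-managed with ListBox_Support_ZoneMapKey.
$ieKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ListBox_Support_ZoneMapKey' `
    -Type DWord -Value 1 | Out-Null
$ssoSites = @('https://autologon.microsoftazuread-sso.com',
              'https://aadg.windows.net.nsatc.net')
foreach ($site in $ssoSites) {
    # Exact hosts only: a wildcard or bare domain here would extend integrated
    # authentication to every host under it.
    Set-GPRegistryValue -Name $GpoName -Key "$ieKey\ZoneMapKey" -ValueName $site `
        -Type String -Value '1' | Out-Null
}

# 4. Intranet Zone -> Allow updates to status bar via script = Enabled
#    (value 2103 under Zones\1; 0 = Enable, as in the post's Method 2 registry item)
Set-GPRegistryValue -Name $GpoName -Key "$ieKey\Zones\1" -ValueName '2103' `
    -Type DWord -Value 0 | Out-Null

# 5. Security filtering: the group gets Apply; Authenticated Users keeps Read
#    (clients still need to read the GPO) but loses Apply group policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission
```

Step 5 mirrors the Delegation -> Advanced change in the post: it removes Apply group policy from Authenticated Users without removing Read, which is why the `-Replace` switch with `GpoRead` is used rather than removing the trustee entirely.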

On the client machine:

Update the Group Policy.

Start Internet Explorer.

Navigate to Settings -> Internet Options -> Security tab. Select Local Intranet and click Sites.

In the Local intranet window, click Advanced. You should see everything greyed out and the two websites in the Websites section.

Method 2: Configure Seamless Single Sign-On using Group Policy Preferences (the admin pre-populates the Intranet zone site list; users can still modify their own settings)

Start Group Policy Management.

Right click your domain and select Create a GPO in this domain, and Link it here….

Enter the name and click OK. I used SeamlessSSO GPO.

Right click on the above created GPO and click Edit….

In the Group Policy Management Editor, navigate to User Configuration -> Preferences -> Windows Settings -> Registry.

Right click Registry, select New and click Registry Item.

Enter below and click OK.

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon

Value name: https

Value type: REG_DWORD

Value data: 00000001

Right click Registry, select New and click Registry Item.

Enter below and click OK.

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nsatc.net\aadg.windows.net

Value name: https

Value type: REG_DWORD

Value data: 00000001

Right click Registry, select New and click Registry Item.

Enter below and click OK.

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Value name: 2103

Value type: REG_DWORD

Value data: 00000000

Ref: https://support.microsoft.com/en-in/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users

Close the window.

Select the above created GPO. In Security Filtering, click Add….

Add the above created group.

Navigate to Delegation tab and click on Advanced….

Click Authenticated Users and uncheck Apply group policy.

Click OK.
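The three Registry Items of Method 2 can be created with Set-GPPrefRegistryValue from the GroupPolicy module instead of through the editor. The following is an added example, not a script from the original post; it uses the GPO and group names from the post, creates and links the GPO if it does not exist yet, and repeats the same security filtering as Method 1. The key paths and values are exactly the three items listed above.

```powershell
# Added example (not from the original post). Run on the DC as a domain admin.
# Assumes RSAT: ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'SeamlessSSO GPO'     # GPO name from the post
$GroupName = 'SeamlessSSOUsers'    # group name from the post (assumed to exist already)
$domainDn  = (Get-ADDomain).DistinguishedName

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target $domainDn | Out-Null
}

# Per-user (non-policy) Internet Settings hive, as used by the post's registry items.
# Because these are preferences, IE does not grey out the Sites dialog and the user
# can still edit the list.
$base  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$items = @(
    # ZoneMap\Domains\<domain>\<host>, value "https" = 1 -> Local intranet zone
    @{ Key = "$base\ZoneMap\Domains\microsoftazuread-sso.com\autologon"; Name = 'https'; Data = 1 },
    @{ Key = "$base\ZoneMap\Domains\nsatc.net\aadg.windows.net";         Name = 'https'; Data = 1 },
    # Zones\1 value 2103 = 0 -> Allow updates to status bar via script (Enable)
    @{ Key = "$base\Zones\1";                                            Name = '2103';  Data = 0 }
)

foreach ($item in $items) {
    # Action Update is the default action of a new Registry Item in the editor.
    Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
        -Key $item.Key -ValueName $item.Name -Type DWord -Value $item.Data | Out-Null
}

# Security filtering: group applies the GPO, Authenticated Users is left with Read only.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show what was written so it can be compared against the three items in the post.
foreach ($item in $items) {
    Get-GPPrefRegistryValue -Name $GpoName -Context User -Key $item.Key -ValueName $item.Name |
        Select-Object FullKeyPath, ValueName, Value, Type
}
```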

On the client machine:

Update the Group Policy.

Start Internet Explorer.

Navigate to Settings -> Internet Options -> Security tab. Select Local Intranet and click Sites.

In the Local intranet window, click Advanced. You should see that nothing is greyed out and that the two websites appear in the Websites section.
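The client-side checks for both methods (the Sites dialog after Method 1, and again after Method 2) can be done from the registry instead of the Internet Options dialog. The following is an added example, not a script from the original post: run as the targeted user after gpupdate, it reports for each of the two SSO hosts whether the zone mapping comes from the policy hive (Method 1) or the per-user preference hive (Method 2) and which zone it resolves to, checks the 2103 status bar value, and lists every other site the policy maps to the Local intranet zone so you can confirm nothing broader than the two SSO hosts is receiving integrated credentials. The hostnames and key paths are the ones used in the post; the policy ZoneMapKey path is the one the Site to Zone Assignment List template writes to.

```powershell
# Added example (not from the original post). Run on the client as the SSO user,
# after "gpupdate /force".
$policyIe = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userIe   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# The two hosts from the post, with the Domains\<domain>\<host> split Method 2 uses.
$ssoHosts = @(
    @{ Url = 'https://autologon.microsoftazuread-sso.com'; Domain = 'microsoftazuread-sso.com'; Host = 'autologon' },
    @{ Url = 'https://aadg.windows.net.nsatc.net';         Domain = 'nsatc.net';                Host = 'aadg.windows.net' }
)

function Get-SsoZoneMapping {
    param([string]$Url, [string]$Domain, [string]$Host)
    # Method 1: policy list. Value name is the full URL, data is the zone number (REG_SZ).
    $pol = Get-ItemProperty -Path "$policyIe\ZoneMapKey" -Name $Url -ErrorAction SilentlyContinue
    if ($pol) {
        return [pscustomobject]@{ Url = $Url; Source = 'Policy (Method 1)'; Zone = [int]$pol.$Url }
    }
    # Method 2: per-user ZoneMap\Domains entry, value "https" holds the zone number (REG_DWORD).
    $key  = "$userIe\ZoneMap\Domains\$Domain\$Host"
    $pref = Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue
    if ($pref) {
        return [pscustomobject]@{ Url = $Url; Source = 'Preference (Method 2)'; Zone = [int]$pref.https }
    }
    return [pscustomobject]@{ Url = $Url; Source = 'Not mapped'; Zone = $null }
}

function Get-IntranetStatusBarSetting {
    # Value 2103 under Zones\1; 0 = status bar updates via script allowed.
    # Policy hive wins over the user hive when both exist.
    foreach ($base in @("$policyIe\Zones\1", "$userIe\Zones\1")) {
        $v = Get-ItemProperty -Path $base -Name '2103' -ErrorAction SilentlyContinue
        if ($v) { return [pscustomobject]@{ Path = $base; Value2103 = [int]$v.'2103' } }
    }
    return $null
}

Write-Host "Zone mappings for the Seamless SSO hosts (expected Zone = 1, Local intranet):"
foreach ($h in $ssoHosts) {
    $m = Get-SsoZoneMapping -Url $h.Url -Domain $h.Domain -Host $h.Host
    $state = if ($m.Zone -eq 1) { 'OK' } else { 'CHECK' }
    Write-Host ("  [{0}] {1,-45} {2,-22} zone={3}" -f $state, $m.Url, $m.Source, $m.Zone)
}

$sb = Get-IntranetStatusBarSetting
if ($sb -and $sb.Value2103 -eq 0) {
    Write-Host "  [OK] Allow updates to status bar via script is enabled ($($sb.Path))"
} else {
    Write-Host "  [CHECK] value 2103 under Zones\1 not set to 0"
}

# Everything else the policy puts in the Local intranet zone: review this list for
# entries wider than the two SSO hosts (for example a whole domain or a wildcard).
$zoneMap = Get-ItemProperty -Path "$policyIe\ZoneMapKey" -ErrorAction SilentlyContinue
if ($zoneMap) {
    $extra = $zoneMap.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq '1' -and $_.Name -notin $ssoHosts.Url }
    if ($extra) {
        Write-Host "Other policy-mapped Local intranet sites:"
        $extra | ForEach-Object { Write-Host "  $($_.Name)" }
    }
}
```

A host that shows Source = "Policy (Method 1)" corresponds to the greyed-out Sites dialog; "Preference (Method 2)" corresponds to the editable one. If a host is reported as "Not mapped" after gpupdate, verify that the user is a member of SeamlessSSOUsers and that the GPO's security filtering lets that user apply it.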

Testing:

Open InPrivate window of Internet Explorer

Navigate to https://myapps.microsoft.com

Enter your user id.

Note that it did not ask for a password and opened the myapps page.

Open InPrivate window of Internet Explorer

Navigate to https://myapps.microsoft.com/domain.com (replace domain.com with your own domain name).

This time it did not even ask for user id and opens the myapps page directly.
