I've been trying to set up Entra SSO on our Azure Virtual Desktop (AVD) host pool, but it's not functioning as it should. Even though we've followed Microsoft's guidelines and believe we've met all requirements, we're still being asked to enter login credentials. Here's a summary of our setup:
- **Host pool:** AVD
- **Profiles:** FSLogix with VHD profiles (which are working fine)
- **Directory:** Active Directory Domain Services (ADDS)
- **Kerberos:** Not set up, as we thought ADDS would handle authentication
- **Entra Hybrid Joined**
I read that setting up a Kerberos server isn't necessary since we're using ADDS, but I'm still having trouble getting SSO to work. Has anyone else experienced this issue or can anyone suggest additional steps needed for ADDS-based AVD environments when enabling Entra SSO? Also, are there any logs or troubleshooting methods I should explore?
3 Answers
Check out this link for enabling hybrid identities: [Enable Azure Files identity-based authentication](https://docs.azure.cn/en-us/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune). By the way, how is FSLogix hosted? Is it in a blob or another storage solution?
It sounds like you need to enable AAD Kerberos on your AVD host machines. We managed to get it running by pushing the policy through Intune. Just a heads up: this could potentially disrupt your FSLogix containers if they are AD joined, so you may want to add realm mapping to them. Alternatively, you could also create a new FSLogix share and join it with Kerberos. Before making these changes, I’d suggest testing it out in a smaller copy of your environment first to see what happens.
Could you share what specific policy you push for this? Is it possible to apply it using GPO?
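As an added illustration (not from any of the posters above) of the session-host settings the previous answer refers to, here is a PowerShell audit that reports whether the cloud Kerberos ticket retrieval policy and the FSLogix credential-key setting are in place, and with `-Apply` sets them directly (the same values Intune or a GPO would deliver). The storage account FQDN and on-prem realm are placeholders.

```powershell
<#
 Added example: audit (and optionally set) the registry values behind the policies
 discussed in the thread. Run elevated on a session host. Placeholders must be replaced.
#>
param(
    [switch]$Apply,
    [string]$StorageAccountFqdn = 'PLACEHOLDER-ACCOUNT.file.core.windows.net',  # placeholder
    [string]$OnPremRealm        = 'CORP.EXAMPLE.COM'                            # placeholder
)

# Desired state: one entry per policy-backed registry value.
$desired = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'CloudKerberosTicketRetrievalEnabled'; Value = 1
       Note = 'Policy "Allow retrieving the cloud Kerberos ticket during logon" (Intune settings catalog or GPO)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name = 'LoadCredKeyFromProfile'; Value = 1
       Note = 'Lets FSLogix load the Entra Kerberos credential key from the user profile' }
)

$results = foreach ($d in $desired) {
    $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $ok = ($null -ne $current) -and ($current -eq $d.Value)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
        $current = $d.Value; $ok = $true
    }
    [pscustomobject]@{ Setting = $d.Name; Expected = $d.Value; Current = $current; Compliant = $ok; Note = $d.Note }
}
$results | Format-Table -AutoSize

# Realm mapping for an FSLogix share that stays AD DS-joined: keep that host on on-prem Kerberos.
# ksetup is the manual equivalent of the "Define host name-to-Kerberos realm mappings" policy.
if ($Apply) { ksetup /addhosttorealmmap $StorageAccountFqdn $OnPremRealm | Out-Null }
'Current host-to-realm mappings:'
ksetup /dumpstate | Select-String -Pattern $StorageAccountFqdn

# Cloud Kerberos only works on a device that is actually hybrid joined; dsregcmd reports the join state.
$dsreg = dsregcmd /status
if (($dsreg -match 'AzureAdJoined\s*:\s*YES') -and ($dsreg -match 'DomainJoined\s*:\s*YES')) {
    'Join state: hybrid joined'
} else {
    'Join state: NOT hybrid joined; cloud Kerberos TGT retrieval will not succeed'
}
```

A changed retrieval policy takes effect at the next logon; after signing in again, `klist cloud_debug` shows whether the cloud TGT was actually obtained.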
We utilize Nerdio for setups as they have a straightforward Entra-only configuration. As I understand it, the storage account with the FSLogix profiles needs Entra Kerberos enabled, and you’ll need registry and configuration settings for FSLogix to use both Entra Kerberos and the Azure file share location. During onboarding with Nerdio, they apply scripts to the FSLogix storage account and session host deployments to make this all work. Remember, AD DS isn't relevant here; it's about the hybrid setup.

The FSLogix file share is under a storage account with blobs and set up to use ADDS. Should I remove the existing FSLogix share or can we switch this to use Entra Kerberos?