With the release of VMware Horizon 2303, VMware Horizon now supports Hybrid Azure AD Join with Azure AD Connect using Instant Clones and non-persistent VDI.
So what exactly does this mean? It means you can now use Azure SSO backed by a PRT (Primary Refresh Token) to authenticate to and access both on-premises and cloud-based applications and resources.
What else? It allows you to use conditional access!
Historically, it was a bit challenging when it came to Understanding Microsoft Azure AD SSO with VDI (see that post and/or its video), and special considerations had to be made when an organization wished to implement SSO between their on-prem non-persistent VDI deployment and Azure AD.
The old way to accomplish this was to either implement Azure AD with ADFS, or use Seamless SSO. ADFS was bulky and annoying to manage, and Seamless SSO was actually intended to enable SSO on “downlevel devices” (older operating systems before Windows 10).
For customers without ADFS, I would always recommend using Seamless SSO to enable SSO on non-persistent VDI Instant Clones, until now!
According to the release notes for VMware Horizon 2303:
Hybrid Azure Active Directory for SSO is now supported on instant clone desktop pools. See KB 89127 for details.
This means we can now enable and use Azure SSO with PRTs (Primary Refresh Tokens) using Azure AD Connect and non-persistent VDI Instant Clones.
This is actually a huge deal because not only does it allow us to use the preferred method for performing SSO with Azure, but it also allows us to start using fancy Azure features like conditional access!
In order to utilize Hybrid Join and PRTs with non-persistent VDI on Horizon, you’ll need the following:
When you configure this, you'll notice that after provisioning a desktop pool (or pushing a new snapshot) there may be a delay before PRTs are issued. This is expected; the PRT will be issued eventually, and subsequent desktops shouldn't experience issues unless only a limited number of desktops are available.
*Please note: VMware still notes that ADFS is the preferred way for fast issuance of the PRT.
While VMware does recommend ADFS for performance when issuing PRTs, in my own testing I had no problems or complaints. However, when deploying this in production, because of the PRT delay after deploying the pool or a new snapshot, I'd recommend doing so after hours; otherwise SSO will not function for some users who immediately get a new desktop.
Please note the following:
If you’re coming from an environment that was previously using Seamless SSO for non-persistent VDI, you can create new test desktop pools that use newly created Active Directory OU containers and adjust the OU filtering appropriately to include the test OUs for synchronization to Azure AD with Azure AD Connect. This way you’re only syncing the test desktop pool, while allowing Seamless SSO to continue to function for existing desktop pools.
To test the current status of Azure AD Hybrid Join, SSO, and PRT, you can use the following command:
dsregcmd /status
To check if the OS is Hybrid Domain joined, you’ll see the following:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : DOMAIN
As you can see above, "AzureAdJoined" is "YES".
Further down the output, you’ll find information related to SSO and PRT Status:
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2023-07-23 19:46:19.000 UTC
AzureAdPrtExpiryTime : 2023-08-06 19:46:18.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXXXXX
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : XXXXXXXXXXXXX
Here we can see that "AzureAdPrt" is YES, which means we have a valid Primary Refresh Token issued by Azure AD as a result of the Hybrid Join.
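As an added example (my own script, not part of the original post or a VMware/Microsoft tool), the following PowerShell parses the dsregcmd /status output discussed above and reports the Device State and SSO State fields that matter for Hybrid Join and PRT issuance on an Instant Clone. The function names and the embedded sample text are assumptions: the sample is constructed from the output shown above so the script runs offline, and on a real desktop you would feed it the live dsregcmd output instead.

```powershell
# Added example: check Hybrid Azure AD Join and PRT status from dsregcmd /status.
# Function names are hypothetical; field names match the dsregcmd output above.

function ConvertFrom-DsregStatus {
    # Turn the "Name : Value" lines of dsregcmd /status into a hashtable.
    # Boxed section headers (+----+ and | Device State |) carry no colon and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-HybridJoinPrt {
    # Evaluate the fields the post relies on and explain what a NO means for an Instant Clone.
    param(
        [Parameter(Mandatory)][hashtable]$Status,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $issues = @()
    if ($Status['DomainJoined'] -ne 'YES') {
        $issues += 'DomainJoined is not YES: the clone is not joined to on-prem AD.'
    }
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $issues += 'AzureAdJoined is not YES: Hybrid Join has not completed (computer object may not be synced by Azure AD Connect yet).'
    }
    $prtExpiry = $null
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $issues += 'AzureAdPrt is not YES: no PRT yet, so Azure SSO and conditional access will not work for this session (expected briefly after a new pool or snapshot).'
    }
    elseif ($Status['AzureAdPrtExpiryTime']) {
        # dsregcmd prints timestamps as "yyyy-MM-dd HH:mm:ss.fff UTC".
        $prtExpiry = [datetime]::ParseExact(
            $Status['AzureAdPrtExpiryTime'],
            "yyyy-MM-dd HH:mm:ss.fff 'UTC'",
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        if ($prtExpiry -le $Now) {
            $issues += "AzureAdPrtExpiryTime $($Status['AzureAdPrtExpiryTime']) is in the past: the PRT has expired and must be re-issued."
        }
    }
    [pscustomobject]@{
        Healthy       = ($issues.Count -eq 0)
        AzureAdJoined = $Status['AzureAdJoined']
        AzureAdPrt    = $Status['AzureAdPrt']
        PrtExpiryUtc  = $prtExpiry
        Issues        = $issues
    }
}

# Constructed sample, copied from the dsregcmd output shown in the post (tenant id masked).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : DOMAIN
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-07-23 19:46:19.000 UTC
      AzureAdPrtExpiryTime : 2023-08-06 19:46:18.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXXXXX
             EnterprisePrt : NO
    EnterprisePrtAuthority :
                 OnPremTgt : NO
                  CloudTgt : YES
'@ -split "`r?`n"

# Use the live output when dsregcmd is present (a Windows desktop), otherwise the sample.
$raw = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$report = Test-HybridJoinPrt -Status (ConvertFrom-DsregStatus -Lines $raw)
$report | Format-List
```

Run this in the user's session on a freshly provisioned clone: if AzureAdJoined is YES but AzureAdPrt is NO, the desktop is in the post-provisioning window where the PRT has not been issued yet, which is the delay the post describes; if AzureAdJoined itself is NO, look at whether the computer object has reached Azure AD via Azure AD Connect before suspecting the image.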
Without ADFS, does that mean we still need to wait for the AD sync cycle, causing issues with instant clones, right?
When enabling, provisioning, or updating the snapshot, I noticed there is now a slight delay for PRTs to start working properly, but once they do everything should be fine.
Hey Stephen,
I'm seeing on my instant clones that there is a scheduled task which runs on user logon to unjoin the computer and then rejoin it to Azure AD. Example:
Automatic device join pre-check tasks completed. Details:
preCheckResult: LeaveThenJoin
deviceKeysHealthy: NO (transport key)
isJoined: YES
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: AzureDrs
elapsedSeconds: 0
resultCode: 0x0
After it leaves, it does try the rejoin operation, but it fails because the device no longer exists in Azure AD until AD Connect does another sync operation. My question is, did you see this in your testing? I'm considering removing the scheduled task that runs at user logon, but I'm unsure if this task does anything for the user or not. Thanks
Hi Nathan,
You shouldn't have to modify the scripts in any way. Once you create a VM image as per VMware's specs, then configure Azure AD Connect, and configure "Allow computer account re-use", it should be automatic.
Is there a chance there were modifications made to the default config? I didn't see this issue in my testing.
Note, once you push an image or create a desktop pool, it does take some time for Azure SSO with PRTs to function properly.
Nathan,
We had the same issue with the precheck result performing a leavethenjoin action. It was due to multiple improperly packaged applications with App volume manager.
In our case the applications were captured on a domain joined machine. My best guess is that the capture grabbed data related to the PRT being refreshed or issued.
Every time the application would load via AVM it hosed our Hybrid join and consequently the refresh token. Repackaging our apps on a workgroup vm was the permanent fix we came up with.
Hi there, is the PRT token present in non-persistent VDIs only? I don't see anything about persistent VDI catalogs. Thank you.
Hi Jose,
Persistent VDI (and normal workstations) should have a PRT for SSO if configured properly. PRTs are issued on any Hybrid domain joined Windows system if everything is configured properly and functioning.
Cheers,
Stephen
Hello
I don't understand how you make it work with Azure AD Connect sync.
When connecting to the instant clone, it doesn't work - at all - because the computer account is not yet synced => no Azure AD join, no PRT.
So I figured out that instant clone computer accounts MUST be pre-existing and synced by AAD Connect for hybrid AD join and PRT to work properly: do you confirm?
Hi Frederic,
Great question, I'll review the process below:
1) Deploy snapshot to Instant Clone Pool
2) Instant Clones are created (Re-Use Computer account selected)
3) Computer objects created on Local AD
4) Computer objects synced to Azure AD / Entra ID
5) Login to Instant Clone, Hybrid domain joined, functioning
Re-Use is selected, so once the computer objects are created, they will be re-used. If you don't re-use computer objects, then they will be destroyed and re-created, causing failures as it has to wait for Azure AD Connect to sync.
Cheers,
Stephen