Enabling SSO for Enterprise App (local Active Directory domain)

Jonathan Posey 40 Reputation points
2024-06-26T22:36:08.59+00:00

I'm setting up Windows Admin Center, and I enabled Entra authentication, so that our IT team can authenticate securely to it.

When trying to log on, I get this error

(screenshot of the sign-in error)

AADSTS500031: Cannot find signing certificate configured.

From my Google searches, everything points to going to SSO in the enterprise app, clicking on SAML and adding the info there. But unlike everyone in the links where that worked, I get this:

(screenshot of the SAML single sign-on page)

Then the Learn more link sends me here:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/v2-howto-app-gallery-listing#listing-requests-by-customers

I'm just trying to set this up for our IT team to log in to WAC to administer servers. Is this process the only way to make this work? I have to create documentation and send an app to be published? But that app is my local domain. That can't be right. Is there any way to make this simpler? Also, I'm just trying to find any YouTube video or link on how to set up Entra authentication with WAC, and I can't. Does anyone know if such a video exists?


Accepted answer
    Navya 6,115 Reputation points Microsoft Vendor
    2024-06-28T04:09:12.7566667+00:00

    Hi @Jonathan Posey

    Thank you for posting this in Microsoft Q&A.

    I understand that you are enabling SSO for Enterprise Apps in Windows Admin Center using Local Active Directory Domain.

    You receive error AADSTS50003 when trying to sign in to an application that has been set up to use Microsoft Entra ID for identity management using SAML-based SSO. This error is caused by the application object being corrupted, so Microsoft Entra ID doesn't recognize the certificate configured for the application.

    To fix the issue, delete the certificate and create a new one by following the steps below:

    1. On the SAML-based SSO configuration screen, select Create new certificate under the SAML signing Certificate section.
    2. Select Expiration date and then click Save.
    3. Check Make new certificate active to override the active certificate. Then, click Save at the top of the pane and accept to activate the rollover certificate.
    4. Under the SAML Signing Certificate section, click remove to remove the Unused certificate.

    I'm just trying to set this up for our IT team to log in to WAC to administer servers. Is this process the only way to make this work? I have to create documentation, and send an app to be published? But that app is my local domain. That can't be right.

    No, there is no need to create any documentation or send an application to be published.

    Windows Admin Center defines two roles for access to the gateway service: gateway users and gateway administrators.

    1. Gateway users can connect to the Windows Admin Center gateway service in order to manage servers through that gateway, but they cannot change access permissions, nor the authentication mechanism used to authenticate to the gateway.

    2. Gateway administrators can configure who gets access as well as how users will authenticate to the gateway.

    Gateway administrators can choose either of the following:

    • Active Directory/local machine groups
    • Microsoft Entra ID as the identity provider for Windows Admin Center

    For your reference: User access options with Windows Admin Center

    how to set up entra authentication with WAC

    To configure Microsoft Entra authentication for Windows Admin Center, please follow the steps mentioned in this document: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control#configuring-microsoft-entra-authentication-for-windows-admin-center

    If you want to use Active Directory/local machine groups: Enabling SSO for Enterprise App (Local Active Directory Domain) with Windows Admin Center

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
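The Entra side of the certificate rollover described in the accepted answer (steps 1 to 3), as an added Microsoft Graph PowerShell example that is not from the question, the answer, or Microsoft's documentation. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in account can consent to Application.ReadWrite.All, and that the enterprise application's display name is the placeholder shown; it also assumes the key credential's customKeyIdentifier carries the certificate thumbprint bytes, which is how the active certificate is flagged in the final listing.

```powershell
# Added example: rotate the SAML signing certificate of an Entra enterprise
# application and verify which certificate is active. Not from the original thread.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appDisplayName = 'Windows Admin Center'   # placeholder: your enterprise app's display name

# Locate the service principal (the "enterprise application" object).
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No enterprise application named '$appDisplayName' was found." }

# Answer steps 1-2: create a new self-signed token-signing certificate with an expiry.
$newCert = Add-MgServicePrincipalTokenSigningCertificate `
    -ServicePrincipalId $sp.Id `
    -DisplayName "CN=$appDisplayName SAML signing" `
    -EndDateTime (Get-Date).AddYears(2)

# Answer step 3: make the new certificate the active one (the "rollover").
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -PreferredTokenSigningKeyThumbprint $newCert.Thumbprint

# Verification: list every signing key credential and flag the active one, so an
# unused or expired certificate can be identified before it is removed (answer step 4).
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -Property 'id,keyCredentials,preferredTokenSigningKeyThumbprint'

$sp.KeyCredentials |
    Where-Object { $_.Usage -eq 'Sign' } |
    ForEach-Object {
        # Assumption: customKeyIdentifier holds the SHA-1 thumbprint bytes of the certificate.
        $thumb = ($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Thumbprint  = $thumb
            Expires     = $_.EndDateTime
            Active      = ($thumb -eq $sp.PreferredTokenSigningKeyThumbprint)
        }
    } | Format-Table -AutoSize
```

Removing the superseded certificate (step 4) is left to the portal here, because the Graph removeKey action requires a proof-of-possession token signed with the existing key rather than a plain delete.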

