Regarding the phenomenon to sSSO(seamless SSO) can't be performed

大西隆太 0

Hi, I'm Japanease.

using translate to create questions.

Azure AD Connect (Entra Connect) is used to link on-prem AD and Azure AD, and seamless SSO is enabled in that environment.

The computer to joined in the local domain can access for office365 (www.office.com) without password.

But, The Office Clients such as Word and Excel required passwords for login.

Check here, it appears that sSSO is also available for the Office Clients.

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works

Do you know what to do? help me :(

1 answer

Raja Pothuraju 1,605 Reputation points Microsoft Vendor

2024-07-12T16:39:05.71+00:00

Hello @大西隆太,

Thank you for posting your query on Microsoft Q&A.

I understand you're experiencing an issue where Seamless SSO works in web browsers (Office 365 at www.office.com) without requiring a password on domain-joined devices, but Office clients like Word and Excel prompt for passwords.

Is this behavior occurring on a specific device or on all domain-joined devices?

Please ensure that the Microsoft Entra URL (https://autologon.microsoftazuread-sso.com) is added to the user's Intranet zone settings.

Ensure the device has a direct connection to your domain controller, either through corporate wired or wireless networks, or via a remote access connection like VPN.

To diagnose further, list the existing Kerberos tickets on the device using the klist command from a command prompt. Verify that tickets issued for the AZUREADSSOACC computer account are present. Normally, users' Kerberos tickets are valid for 10 hours, but your Active Directory settings may differ.

If there are issues with Kerberos tickets after running klist, you can resolve them by running klist purge and attempting the login again from the device.

Please refer to the following documents and verify all prerequisites mentioned:

Troubleshoot Microsoft Entra Connect SSO

Microsoft Entra Connect SSO Quick Start

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.
Please sign in to rate this answer.
Raja Pothuraju 1,605 Reputation points Microsoft Vendor

2024-07-15T10:57:20.33+00:00

Hello @大西隆太,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

大西隆太 0 Reputation points

2024-07-16T08:39:02.4566667+00:00

Thank you for response!!

Is this behavior occurring on a specific device or on all domain-joined devices?

This behavior is occurring on all domain-joined device .

Please ensure that the Microsoft Entra URL (https://autologon.microsoftazuread-sso.com) is added to the user's Intranet zone settings.

That setup is complete.

Ensure the device has a direct connection to your domain controller, either through corporate wired or wireless networks, or via a remote access connection like VPN.

No ploblem.

To diagnose further, list the existing Kerberos tickets on the device using the klist command from a command prompt. Verify that tickets issued for the AZUREADSSOACC computer account are present. Normally, users' Kerberos tickets are valid for 10 hours, but your Active Directory settings may differ.

Kerberos tikets have been issued when access to web browsers (Office 365 at www.office.com) .

But it have never been issued when access to office clients.

Raja Pothuraju 1,605 Reputation points Microsoft Vendor

2024-07-17T19:57:59.7533333+00:00

Hello @大西隆太,

Thank you for your response.

As you mentioned Kerberos ticket is not issued when access to office clients. Define the Kerberos end-points in the cloud as part of the Intranet zone.

The Domain Administrator must set two Group Policy Objects (GPO):

For the eligibility check to work, the "Allow updates to status bar via script" policy setting under "User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone" must be Enabled.

Placing the URLs below into the Intranet Zone causes authentication requests sent to https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net to be sent as Kerberos requests. This in turn triggers the Kerberos ticket request process.

It is recommended these be enabled on the "Default Domain Policy":

Value: https://autologon.microsoftazuread-sso.com Data: 1 Value: https://aadg.windows.net.nsatc.net Data: 1

Note: (the Data value of 1 indicates these are to be placed in the Intranet zone)

Verify the KDC can Issue a ticket for AZUREADSSOACC

If the user is not seeing a klist ticket for Server: HTTP/aadg.windows.net.nsatc.net, they can manually verify that the KDC is able to issue a Kerberos ticket for Seamless Single-Sign-On by running either of these commands.

klist get HTTP/autologon.microsoftazuread-sso.com -OR- klist get AZUREADSSOACC

If you do not see the command return any result, it is possible that the AZUREDSSOACC computer account is not added to the domain. Please flow the step here: SeamlessSso troubleshoot under section "Manual reset of the feature".

If you already have SeamlessSso enabled, you can skip step 3 and step 5.Please check the above steps and let us know if that didn't help.

Thanks,
Raja Pothuraju.

Raja Pothuraju 1,605 Reputation points Microsoft Vendor

2024-07-22T17:59:07.6733333+00:00

Hello @大西隆太,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Sign in to comment

Share via

Regarding the phenomenon to sSSO(seamless SSO) can't be performed

1 answer