Setup Windows Admin Center Modern Gateway for Single Sign-On

Windows Admin Center is a browser-based app that you deploy yourself and use to manage servers, clusters, hyperconverged infrastructure, and Windows 10 PCs. Recently, we discussed how to upgrade Windows Admin Center 2306 to 2311 and also touched on how to install WACmg 2410. In this guide, we shall discuss how to set up Windows Admin Center Modern Gateway (v2411) for Single Sign-On.
Note: It does not incur any additional cost beyond your Windows licence and can be used in production immediately. Also, Microsoft recommends against installing Windows Admin Center on a server in order to manage that same server locally. To manage a server, connect to it remotely with Windows Admin Center from a management PC or from another server.
Windows Admin Center provides a simple, modern management interface with integrated and hybrid-ready tools, designed for extensibility to streamline both on-premises and cloud-based administration.
The image below shows the installation options for Windows Admin Center, including installing on a Windows PC or on a Windows server for use by multiple admins.

Download Windows Admin Center
You can download Windows Admin Center from this link. It is a remote management tool for Windows Server running anywhere: physical, virtual, on-premises, in Azure, or in a hosted environment, at no extra cost.
Note: Installing Windows Admin Center on a domain controller is not supported.

Upon download, double-click the setup file as shown below.

Accept the UAC prompt as shown below.

On the welcome page, click on Next.

Accept the licence terms and click Next.


Custom Setup
Two installation modes are available: Custom and Express. I will show both in this blog post, but since I covered the custom setup previously, I will only walk partway through it here and then complete the Express setup. Please follow along.
Select the custom setup if you wish to provide your own settings, such as the port and the FQDN.

Select Remote Access.

I am interested in Windows Authentication (NTLM or Kerberos), so I select it and click Next.

I am using the default port, so I click Next.

If you have a pre-installed certificate, use it. Otherwise, select Generate a self-signed certificate and click Next.

Since I have already installed Windows Admin Center via the custom setup previously, I will revert to the Express setup.
Express Setup
This time, I will select Express setup and click Next.

I do not have a pre-installed certificate this time, so I will select a self-signed certificate.

Select to install updates automatically.

I am fine with the first option for required diagnostic data.

On the Ready to install page, click Install.

Preparing to install.

Installation is in progress.

Installation is complete. Click Finish.

Launch Windows Admin Center
Since we are using a self-signed certificate, the browser shows a certificate warning because it cannot verify who issued the gateway's certificate. Click Advanced to accept the connection. For production use, replace the self-signed certificate with one issued by your enterprise CA so that the browser can verify the gateway and users are not trained to click through warnings.

Click Continue to proceed.

Now, enter your username and password in down-level logon name format (DOMAIN\username) or UPN format (username@domain), as shown below.

We are right in and can now start adding servers to manage.

Add Servers
To add servers, click Add. On the Add or create resources page, under Servers, click Add.

In the Add pane, enter the IP address, server name, or FQDN of the server. Alternatively, search Active Directory.

Use Another Credential for this Connection
Since we do not have SSO yet, we have to enter an alternative credential for the connection to the server. Because I do not have DNS configured correctly at the moment to resolve my server name, I will add the server by its IP address. Bear in mind that Kerberos service tickets are issued for names, not IP addresses, so a connection by IP authenticates with NTLM; the single sign-on configured later in this guide needs the node to be reachable by its DNS name.


IP address entered.

Server found, click on Add.

We have successfully connected using the alternative credential.

Connection successful, and below is the server overview.

Configure SSO – Enable Constrained Delegation
Note: By default, Active Directory or local machine groups are used to control gateway access. If you have an Active Directory domain, you can manage gateway user and administrator access from within the Windows Admin Center interface. If you don't specify a security group, any user that can reach the gateway URL has access. Once you add one or more security groups to the users list, access is restricted to the members of those groups.
In another guide, I will show you how to enable Microsoft Entra ID. This way, you can choose to add an additional layer of security to Windows Admin Center by requiring Microsoft Entra authentication to access the gateway.
Please, see Kerberos Delegation: A Comprehensive Guide.
Configure single sign-on
According to Microsoft, when you install Windows Admin Center on Windows 10, it is ready to use single sign-on. But when running Windows Admin Center on Windows Server, you need to set up some form of Kerberos delegation in your environment before you can use single sign-on.
Therefore, in this section we will discuss how to configure single sign-on (SSO) for Windows Admin Center (WACmg). As you can see below, without re-entering your password, you cannot connect to the server.

To fix this, we configure resource-based constrained delegation (RBCD): the managed node's computer object is told which principal (the gateway's computer account) may obtain Kerberos service tickets to it on behalf of the logged-on user. This requires domain controllers running Windows Server 2012 or later, the Active Directory PowerShell module, and rights to modify the managed node's computer object. If you wish to configure Role Based Access Control (RBAC) so that you can give users limited access to the machine instead of making them full local administrators, please see this Microsoft Learn page.
Set-ADComputer -Identity (Get-ADComputer node01) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer wac)
Here node01 is the managed node and wac is the WAC gateway. Replace them with the computer names of your managed node and gateway as they appear in Active Directory. Note that -Identity accepts a sAMAccountName, distinguished name, GUID or SID, so an FQDN (for example node01.corp.contoso.com) will not be found. Also note that the cmdlet replaces the existing list of allowed principals; if another gateway is already permitted to delegate to the node, include it as well.
Set-ADComputer -Identity (Get-ADComputer "ManagedNodeName") -PrincipalsAllowedToDelegateToAccount (Get-ADComputer "WACGatewayName")

Verify the configuration and confirm that the delegation setting was applied by running the command below. The output should list the distinguished name of the gateway's computer account under PrincipalsAllowedToDelegateToAccount.
Get-ADComputer "ManagedNodeName" -Properties PrincipalsAllowedToDelegateToAccount
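As an added example (not code from the original post or from Microsoft), the script below wraps the two steps above into a configure-and-verify routine. It uses the names wac and node01 from this page; the -Append behaviour and the function names are my own. It also reads back the raw msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor that PrincipalsAllowedToDelegateToAccount is built from, which is what the KDC actually evaluates.

```powershell
# Added example: configure and verify resource-based constrained delegation (RBCD)
# for a Windows Admin Center gateway. Requires the ActiveDirectory module (RSAT) and
# write access to the managed node's computer object. Run from any domain-joined
# management host; it does not have to be the gateway or the node.
# 'wac' and 'node01' are the names used on this page; -Append semantics are assumed.
Import-Module ActiveDirectory

function Set-WacRbcdDelegation {
    param(
        [Parameter(Mandatory)] [string]$ManagedNode,   # AD computer name, e.g. node01 (not the FQDN)
        [Parameter(Mandatory)] [string[]]$Gateway,     # one or more WAC gateway computer names
        [switch]$Append                                # keep principals already allowed on the node
    )
    # -Identity takes sAMAccountName/DN/GUID/SID; catch the common FQDN mistake early.
    if ($ManagedNode -match '\.' -or ($Gateway -join '') -match '\.') {
        throw "Use Active Directory computer names (e.g. node01), not FQDNs."
    }
    $node       = Get-ADComputer -Identity $ManagedNode
    $principals = @($Gateway | ForEach-Object { Get-ADComputer -Identity $_ })

    if ($Append) {
        # -PrincipalsAllowedToDelegateToAccount REPLACES the list, so merge what is already there.
        $current  = Get-ADComputer -Identity $node -Properties PrincipalsAllowedToDelegateToAccount
        foreach ($dn in @($current.PrincipalsAllowedToDelegateToAccount)) {
            if ($principals.DistinguishedName -notcontains $dn) {
                $principals += [Microsoft.ActiveDirectory.Management.ADPrincipal]$dn
            }
        }
    }
    Set-ADComputer -Identity $node -PrincipalsAllowedToDelegateToAccount $principals
    Get-WacRbcdDelegation -ManagedNode $ManagedNode
}

function Get-WacRbcdDelegation {
    param([Parameter(Mandatory)] [string]$ManagedNode)
    # Read back both the friendly list and the security descriptor it is derived from.
    $node = Get-ADComputer -Identity $ManagedNode -Properties PrincipalsAllowedToDelegateToAccount,
        'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd   = $node.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    # Each ACE in the descriptor names a principal the KDC will let impersonate users to this node.
    $aces = if ($sd) { @($sd.Access | ForEach-Object { $_.IdentityReference.Value }) } else { @() }
    [pscustomobject]@{
        ManagedNode       = $node.DNSHostName
        AllowedPrincipals = @($node.PrincipalsAllowedToDelegateToAccount)
        AceIdentities     = $aces
    }
}

# Usage: allow the gateway 'wac' to delegate to 'node01' and show the result.
Set-WacRbcdDelegation -ManagedNode 'node01' -Gateway 'wac' | Format-List

# If the gateway already requested a ticket for node01 before RBCD was set, clear the
# SYSTEM logon session's Kerberos cache on the gateway (or reboot it) before retrying:
#   klist purge -li 0x3e7
```

The AceIdentities output should show the gateway as DOMAIN\wac$ (the computer account). If AllowedPrincipals is populated but SSO still prompts for credentials, the usual culprits are a stale ticket on the gateway, connecting to the node by IP address instead of its DNS name, or a user who is not a local administrator on the node.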

Now let us try to initiate the connection again. As you can see, single sign-on (SSO) is working correctly.

Let's apply Windows updates.

Updates found, click on “Install Updates”.


Please, see How to configure a service account for Kerberos delegation.
Manage Hyper-V Fabric
Virtualization Mode (vMode) is a dedicated management experience built for virtualization infrastructure. Unlike the standard administration mode of WAC, which is oriented to individual servers, vMode gives a fabric-level view, letting you centrally manage Hyper-V hosts, clusters, storage, VMs, and networks at scale.
The official WAC vMode overview lists "integrated disaster recovery with Hyper-V Replica" as one of its capabilities. The underlying DR technology is native Hyper-V Replica. According to Microsoft, Hyper-V Replica supports three failover scenarios: test failover, planned failover, and unplanned failover.
- Test failover: You spin up a test VM on the replica host or cluster, based on the latest (or another) recovery point. The test VM is not necessarily connected to the production network (by default it has no network). This is useful to validate that replication works and that the VM boots.
- Planned failover: Used when you can gracefully shut down the primary VM or site. It ensures that all changes on the primary are replicated to the replica before you switch over, so there is no data loss. Good for planned maintenance, data centre migrations, and the like.
- Unplanned failover: Triggered when the primary VM or host fails (power outage, crash, site failure, and so on). You recover using the latest available recovery point (or an earlier one, if configured). Depending on when the last replication occurred, there may be some data loss.
As WAC vMode is still in preview, there are caveats: it deploys as an appliance (gateway plus agents) and manages hosts, clusters, VMs, storage and networks at scale, up to 1,000 hosts and 25,000 VMs per instance.
FAQs
Does the Set-ADComputer command have to be run on the WAC gateway or on the managed node?
No, whatever some blogs insist. That PowerShell command should be run from a system that has the Active Directory module and sufficient privileges to modify AD objects. It does not need to be run on the WAC gateway itself or on the target server, unless that machine also happens to have the AD module and the required rights.
Why does the WinRM connection to the managed node fail?
This error appears when the WinRM client cannot match the name you used (hostname, FQDN, or IP address) with a valid Service Principal Name (SPN) in Active Directory, or cannot resolve the name to an IP address.
In my case, I fixed the issue by using the IP address.
How do I install Windows Admin Center in gateway mode from the command line?
Download the latest MSI package from Microsoft's official site, then install it with administrative privileges. You can run it in gateway mode from PowerShell, for example: msiexec /i WindowsAdminCenter.msi SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate. After installation, access it at https://servername:6516. You can change the port as you wish; use that port when accessing the gateway.
What should I check if Windows Admin Center cannot connect to a node?
Ensure the WinRM service is running, firewall rules allow TCP 5985 (HTTP) and 5986 (HTTPS), and the hostname matches the SSL certificate. Also confirm DNS resolution and SPN registration for the target node.
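The checks in that answer are easy to get wrong by hand, so here is an added pre-flight script (not from the original post) that runs them in order against a node before you add it to the gateway. The FQDN node01.corp.example.com is an assumed name, and the function name is my own; the script uses only Resolve-DnsName, Test-NetConnection, Get-ADComputer and Test-WSMan.

```powershell
# Added example: pre-flight checks for a node before adding it to Windows Admin Center.
# Run on the gateway (or a management host) as a domain user with RSAT installed.
# 'node01.corp.example.com' is an assumed name.
function Test-WacNodeReadiness {
    param([Parameter(Mandatory)] [string]$NodeFqdn)
    $result = [ordered]@{ Node = $NodeFqdn }

    # 1. DNS: Kerberos tickets are bound to names, so the FQDN must resolve. An IP-only
    #    connection works but silently falls back to NTLM and cannot use SSO.
    try {
        $a = Resolve-DnsName -Name $NodeFqdn -Type A -ErrorAction Stop | Where-Object QueryType -eq 'A'
        $result.DnsA = @($a).IPAddress -join ','
    } catch { $result.DnsA = $null }

    # 2. WinRM listeners: 5985 (HTTP) and 5986 (HTTPS). At least the one you use must be open.
    foreach ($port in 5985, 5986) {
        $tnc = Test-NetConnection -ComputerName $NodeFqdn -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tnc.TcpTestSucceeded
    }

    # 3. SPN: the computer account needs a HOST/ SPN for exactly the name you typed,
    #    otherwise the KDC cannot issue a ticket and WinRM reports a Kerberos error.
    $shortName = $NodeFqdn.Split('.')[0]
    try {
        $spns = (Get-ADComputer -Identity $shortName -Properties servicePrincipalName -ErrorAction Stop).servicePrincipalName
        $result.HostSpnForFqdn = [bool]($spns -contains "HOST/$NodeFqdn")
    } catch { $result.HostSpnForFqdn = $null }

    # 4. Real WS-Man handshake forcing Kerberos. Success here without a credential prompt
    #    means the name, SPN and listener line up; RBCD is then the only remaining piece for SSO.
    try {
        $id = Test-WSMan -ComputerName $NodeFqdn -Authentication Kerberos -ErrorAction Stop
        $result.WsManKerberos = $true
        $result.WsManStack    = $id.ProductVersion
    } catch {
        $result.WsManKerberos = $false
        $result.WsManError    = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage:
Test-WacNodeReadiness -NodeFqdn 'node01.corp.example.com' | Format-List
```

Read the output top to bottom: a null DnsA means fix DNS first, a false Tcp5985/Tcp5986 points at the firewall or the WinRM service, a false HostSpnForFqdn means the node is registered under a different name than the one you are typing, and only when all three pass is a WsManKerberos failure worth investigating on its own.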
I hope you found this guide useful on how to set up Windows Admin Center Modern Gateway for Single Sign-On. Please feel free to leave a comment below.