Setup Windows Admin Center Modern Gateway for Single Sign-On
Windows Admin Center is a browser-based app that the customer self-deploys and uses to manage servers, clusters, hyperconverged infrastructure, and Windows 10 PCs . Recently, we discussed how to upgrade Windows Admin Center 2306 – 2311 and also touched on how to install WACmg 2410. But in this guide, we shall discuss how to setup Windows Admin Center Modern Gateway for Single Sign-On (v2411).
Note: It does not incur any additional costs beyond Windows and can be used immediately in the production environment. Learn more about Windows Admin Center. Also, Microsoft recommends not installing Windows Admin Center for local management of the same server. To manage a server, use Windows Admin Center to connect to the server remotely from a management PC or other server.
Windows Admin Center provides a simple, modern management interface with integrated and hybrid-ready tools, designed for extensibility to streamline both on-premises and cloud-based administration
The image below describes the different installation options for Windows Admin Center, including installing on a Windows PC or a Windows server for use by multiple admins. Below is an image showing the various installation types.
Also, see how to determine What is taking up by Synology NAS Volume Space, how to Download and update Synology DiskStation NAS to DSM 7.3, and how to Patch Veeam Backup and replication 12.3.2.3617 to 12.3.2.4165.
Download Windows Admin Center
You can download Windows Admin Center from this link. Windows Admin Center is a remote management tool for Windows Server running anywhere physical, virtual, on-premises, in Azure, or in a hosted environment at no extra cost.
Note: Installing Windows Admin Center on a Domain controller is not supported
Upon download, double click on the setup file as shown below.
Accept the UAC as shown below. Please, see how to Disable UAC with Group Policy and enable PIN in Windows Hello, and how to enable or disable User Account Control.
On the welcome page, click on Next.
Click on Accept and click Next.
Please, see how to Configure Active Directory-Based Activation (ADBA) for Windows, and how to set up and configure the Key Management System (KMS).
custom setup
Below are the two installation modes available. In this blogpost, I will show you the two. Since I have discussed custom setup previously, I will not complete it here but will discussed the Express setup. Please, follow along.
To proceed, select the custom setup if you wish to provide your own customisation such as ports and FQDN etc.
Select Remote Access
I am interested in Windows Authentication (NTLM or Kerberos) and click Next.
Am I using default port and click Next
If you have a preinstalled certificate certiicate, use it. Else use generate a self-signed certificate and next
Since I have installed Windows Admin Center via the custom setup. I will revert to Express setup
Please, see Add additional CC400W Cameras to Synology Surveillance Station, how to Update Veeam Backup for Proxmox Plugin to support PVE 9.0.
Express Setup
This time, I will be selecting Express setup and click next
I do not have a preinstalled certificate this time, I will select self-signed certificate.
Select to install updates automatically.
I am fined with the first option for required diagnostic data
On a ready to install, click on install.
Preparing to install.
Installation is in progress
Installation is complete. Click on Finish
Please, see How to update Proxmox VE 9.0 now Supported by Veeam, and how to fix Logon Failure: User has not been granted the requested logon type.
Launch Windows Admin Center
Since we are using a self-signed certificate, we will get a certificate warning. Click on Advanced to accept the conenction.
Click on continue to proceed.
Now, enter your your username and password in a SAM Format or UPN as shown below.
We are right in and can now start adding servers to manage.
Add Servers
To add servers, click on Add and on the Add or create resources. Under server, click on Add.
On the Add On, enter the IP, server name or FQDN of the server. Alternatively, search on AD.
Use Another Credential for this Connection
Since we do not have SSO, we have to enter an alternative credential for connection to the server. Since I do not have DNS configured correctly at the moment to resolve my server name, I will be adding the server with my IP.
IP Address entered
Server found, click on Add.
We have successfully connected using the alternative credential.
Connection successful and below is the server overwiew.
Please, see Server Certificate could not be updated: Private key does not match, and how to Fix Error 0x87E10BC6 on a PC running Windows non-core Edition.
Configure SSO – Enable Constrained Delegation
Note: By default, Active Directory or local machine groups are used to control gateway access. If you have an Active Directory domain, you can manage gateway user and administrator access from within the Windows Admin Center interface. By default, and if you don’t specify a security group, any user that accesses the gateway URL has access. Once you add one or more security groups to the users list, access is restricted to the members of those groups.
In another guide, I will show you how to enable Microsoft Entra ID. This way, you can choose to add an additional layer of security to Windows Admin Center by requiring Microsoft Entra authentication to access the gateway.
Please, see Kerberos Delegation: A Comprehensive Guide, and how to fix Errors associated with Pleasant Password.
Configure single sign-on
According to Microsoft, when you install Windows Admin Center on Windows 10. It’s ready to use single sign-on. But, when running Windows Admin Center on Windows Server, you need to set up some form of Kerberos delegation in your environment before you can use single sign-on.
Therefore in this section, we will discuss how to configure Single Sign-on (SSO) for Windows Admin center (WACmg). As you can see below. As you can see below, without re-entering your password, you cannot connect to the server.
To fix this, we need to configure Resource-based constrained delegation with the command below. If you wish to configure Role Based Access Control (RBAC) to enable you to provide users with limited access to the machine instead of making them full local administrators, please see this Microsoft Learn Website.
Set-ADComputer -Identity (Get-ADComputer node01) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer wac)Remember to replace ManagedNodeFQDN and WACGatewayFQDN with the actual FQDNs of your managed node and WAC gateway, respectively.
Set-ADComputer -Identity "ManagedNodeFQDN" -PrincipalsAllowedToDelegateToAccount "WACGatewayFQDN"
Verify the Configuration and confirm that the delegation settings are correctly applied correctly. Run the command below.
Get-ADComputer "ManagedNodeFQDN" -Properties PrincipalsAllowedToDelegateToAccount
Now let us try to initiate the connection and as you can see. The single sign-on (SSO) is working correctly.
Lets apply windows updates
Updates found, click on “Install Updates”.
Please, see How to configure a service account for Kerberos delegation, how to configure Pleasant Password MsSQL SSO, and how to configure and use Pleasant Password RDP SSO.
Manage Hyper-V Fabric
Virtualization Mode is a dedicated management experience built for virtualization infrastructure. Unlike the standard “administration mode” of WAC which is oriented to individual servers. vMode gives a fabric‑level view, letting you centrally manage Hyper‑V hosts, clusters, storage, VMs, and networks at scale.
The official WAC vMode overview mentions that one of its capabilities is “integrated disaster recovery with Hyper‑V Replica. The underlying DR technology is native Hyper‑V Replica. According to Microsoft: Hyper‑V Replica supports three failover scenarios: test failover, planned failover, and unplanned failover.
- Test failover: You spin up a test VM on the replica host/cluster, based on the latest (or other) recovery point. This test VM is not necessarily connected to production network (by default no network). This is useful to validate that replication works and the VM is bootable.
- Planned failover: Used when you can gracefully shut down the primary VM/site. It ensures that all changes (on the primary) are replicated to the replica, then you switch over with zero data loss. Good for planned maintenance, data center migrations, etc.
- Unplanned failover: Triggered when primary VM or host fails (power outage, crash, site failure, etc.). You recover using the latest available recovery point (or earlier, if configured). Depending on when the last replication occurred, there may be some data loss.
As WAC vMode is still in “preview,” there are caveats: it deploys as an appliance (gateway + agents), and manages hosts/clusters, VMs, storage, networks at scale up to 1,000 hosts and 25,000 VMs per instance.
FAQs
Do I have to configure the constrained delegation directly on the WAC?
No as some blogs insists. That PowerShell command should be run from a system that has the Active Directory module and sufficient privileges to modify AD objects. It does not need to be run on the WAC gateway itself or the target server unless that machine also has the AD module and rights.
How to fix the WinRM client cannot process the request because the server name cannot be resolved?
This error appears when the WinRM client cannot match the name you used (hostname, FQDN, or IP) with a valid Service Principal Name (SPN) in Active Directory or cannot resolve the name to an IP address.
In my case, I fixed the issue by using IP address.
How do I install Windows Admin Center on Windows Server with PowerShell?
Download the latest MSI package from Microsoft’s official site, then install it with administrative privileges. You can run it in Gateway mode using PowerShell. msiexec /i WindowsAdminCenter.msi SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate. After installation, access it via servername:6516. You can change the port as you wish and when accessing.
How can I fix “WinRM cannot complete the operation” in WAC?
Ensure the WinRM service is running, firewall rules are enabled for ports 5985/5986, and the hostname matches the SSL certificate. Also confirm DNS resolution and SPN registration for the target node.
I hope you found this guide useful on how to setup Windows Admin Center Modern Gateway for Single Sign-On.Please, feel free to leave a comment below.
