Using ASG Client from AADJ device with federated accounts to existing Onprem DB
#1
Hi,
We started to use Azure AD only joined devices with federated AD users in the cloud.
For an SSO user experience we implemented Kerberos for users --> How SSO to on-premises resources works on Azure AD joined devices | Microsoft Docs
The client software could be successfully installed, so no issue here, including the SQL connection, ... passed the connection test :-)
When trying to connect with login type "Windows Account" and the "integrated" feature we get an error.

In the second error message I can see that the client software is using the currently known user SID, which is different from the AD on-prem SID.
(... could be validated with "whoami /user" ... shows the Domain\account name and the "Azure ObjectID - SID" (S-1-12-1....))
Is there a possible workaround?
Maybe newer versions using the Kerberos Token directly?
Any other idea or suggestion?

Thx in advance
ASM
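The SID mismatch described in post #1, as an added example that is not part of the original thread or of the ASG client: an Azure AD SID (S-1-12-1-...) is an encoding of the account's object ID, so it cannot match the S-1-5-21-... SID the same user has in the on-prem directory. The function names and sample values are constructed for illustration.

```python
import struct
import uuid

AAD_PREFIX = "S-1-12-1-"     # Azure AD principal: authority 12, first sub-authority 1
DOMAIN_PREFIX = "S-1-5-21-"  # on-prem AD domain account (also used for local machine accounts)


def object_id_to_sid(object_id: str) -> str:
    """Encode an Azure AD object ID (GUID) as its S-1-12-1-... SID."""
    # The GUID's 16 bytes in Windows byte order are read as four
    # unsigned 32-bit little-endian integers, one per sub-authority.
    parts = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return AAD_PREFIX + "-".join(str(p) for p in parts)


def sid_to_object_id(sid: str) -> str:
    """Recover the Azure AD object ID from an S-1-12-1-... SID."""
    if not sid.upper().startswith(AAD_PREFIX):
        raise ValueError("not an Azure AD SID: " + sid)
    parts = [int(p) for p in sid[len(AAD_PREFIX):].split("-")]
    if len(parts) != 4 or any(not 0 <= p <= 0xFFFFFFFF for p in parts):
        raise ValueError("expected four 32-bit sub-authorities: " + sid)
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *parts)))


def classify_sid(sid: str) -> dict:
    """Report which directory issued a SID, as shown by `whoami /user`."""
    upper = sid.upper()
    if upper.startswith(AAD_PREFIX):
        return {"source": "azure-ad", "object_id": sid_to_object_id(sid)}
    if upper.startswith(DOMAIN_PREFIX):
        domain_sid, _, rid = sid.rpartition("-")
        return {"source": "domain-or-local", "domain_sid": domain_sid, "rid": int(rid)}
    return {"source": "other"}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cloud_sid = object_id_to_sid("00000001-0002-0003-0405-060708090a0b")
    onprem_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    for sid in (cloud_sid, onprem_sid):
        print(sid, "->", classify_sid(sid))
```

A permission list that stores on-prem S-1-5-21-... SIDs will not contain the S-1-12-1-... value the Azure AD joined device reports for the same person, so a lookup by the session's SID has nothing to match.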
#2
I think you have to add your Azure AD to the "Domains" in Settings-Domains - then you can choose Accounts/Groups from that Domain in Permissions
Regards/Gruss
Oliver
#3
(24-11-2020, 12:00 PM)DevOma Wrote: I think you have to add your Azure AD to the "Domains" in Settings-Domains - then you can choose Accounts/Groups from that Domain in Permissions

When I talk about Azure AD I don't mean a classic on-prem Active Directory, it is the Azure Active Directory in the Microsoft Cloud.
The computers are not joined into the classic domain, only to the cloud. The users still have a valid Kerberos ticket for authentication.
But the ASG-RD client isn't using it.
#4
Ok - then I can put it on the feature list to support this scenario in the future
Regards/Gruss
Oliver
#5
(26-11-2020, 01:10 PM)DevOma Wrote: Ok - then I can put it on the feature list to support this scenario in the future

Okay, understood, the scenario is currently not supported.

Thanks for the clarification
#6
But did you try to add the Azure domain to "Domains" in Settings? Perhaps you can't use "Integrated" login - but it should be possible to authenticate against the Azure AD - just select or type the domain in login dialog and username / password - then it should work or not?
Regards/Gruss
Oliver
#7
(26-11-2020, 03:46 PM)DevOma Wrote: But did you try to add the Azure domain to "Domains" in Settings? Perhaps you can't use "Integrated" login - but it should be possible to authenticate against the Azure AD - just select or type the domain in login dialog and username / password - then it should work or not?

Okay, not yet, we will give it a try tomorrow and provide feedback.
#8
I would like to revive this post. We too use an AzureAD join for mobile workstations and are therefore not in a local domain.... when connecting to the local windows account ASG shows me my PC name.... here it would be great if ASG would support SSO to log in with my domain account, as it is annoying to enter a long PW every time.

Thanks in advance, I really hope for the implementation of that feature.
#9
I do not really understand where you have to type your password or where you want to have SSO?!?
Regards/Gruss
Oliver
#10
(02-02-2021, 04:03 PM)DevOma Wrote: I do not really understand where you have to type your password or where you want to have SSO?!?

When I start the ASG Remote Desktop App, I log in to the Database Server.

I normally do this with the checkbox "Integrated". When I tick the "Integrated" box on startup, ASG tries to use my local PC name as my domain.

I can only log into ASG when I uncheck this box, type in my username and password and manually type in the domain. This is because of the AzureAD integration on my laptop.

We would need a capability for ASG to recognize an AzureAD device and add the domain to the login form...
#11
Ok understand - let me check how it is handled and then we try to optimize...
Regards/Gruss
Oliver
#12
(10-02-2021, 11:20 AM)DevOma Wrote: Ok understand - let me check how it is handled and then we try to optimize...

Thank you, I'll wait for a reply.
#13
(10-02-2021, 11:20 AM)DevOma Wrote: Ok understand - let me check how it is handled and then we try to optimize...

Any news? I'm having the same issue.
#14
We try to implement better integration for the next release...
Regards/Gruss
Oliver
#15
(17-02-2022, 01:21 PM)DevOma Wrote: We try to implement better integration for the next release...

Hi Oliver

Great news. When will that release be available? Is there a preview version out yet?
#16
Planned for Mid/End of March - no preview currently
Regards/Gruss
Oliver