SCAC 2012 SP1 in a LAB – Configuration Guide (Enable Single Sign-On)

How to Enable Single Sign-On for App Controller

By default, App Controller is enabled to prompt users to sign in by entering their Active Directory user name and password. The following procedures describe how to configure App Controller to use the user’s current Windows credentials to automatically sign on.

To verify or change the authentication method

Open IIS manager on the App Controller server.

Select the App Controller website.

Expand the website and select the /api node.

Click Authentication.

Enable Windows Integrated Authentication.

Disable Basic Authentication.


Here is a video walk through:


To turn on constrained delegation

Log on using an account that has OU Administrator privileges in Active Directory Domain Services. Ensure that this account is also granted the SeEnableDelegationPrivilege user right (for example, a domain administrator could run the command ntrights -u domainuser +r SeEnableDelegationPrivilege on a domain controller, where domain/user represent the domain and account name for the account).

In Active Directory Users and Computers, right-click the App Controller system and click Properties.

Click the Delegation tab.

Select the Trust this computer for delegation to specified services only option.

Select the Use any authentication protocol option.

Click Add and then do one of the following:

  1. If the VMM management server is running under the Local System account, enter the name of the VMM management server and select HOST, and then click OK.
  2. If the VMM management server is running under a domain account, enter the name of domain account and select SCVMM, and then click OK.

Restart the App Controller management server.

Here is a video walk through:

In my video above, you will see that the pass-through authentication didn’t work; as I was still prompted for a username and password. Below is an additional video showing the additional changes I had to make in Internet Information Services (IIS) to make the single sign-on / pass-through authentication to work.

%d bloggers like this: