How to Enable SSO Auth to On-Premises resources with Entra ID



Organizations that wish to use TruGrid SecureRDP with hybrid AD / Entra ID authentication to access Entra-joined and hybrid-joined computers via SSO must configure Entra ID and Active Directory as directed by Microsoft.


Microsoft Documentation covering this process:

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-s…


Prerequisites


In order to obtain the SSO Plugin installer, please reach out to TruGrid support.


  • TruGrid SSO Plugin is installed and Service is running
  • Endpoints running RDP client software must be running Windows 10 version 2004 or later
  • Windows domain controllers must run Windows Server 2016 or later and be fully updated
  • The domain controller running PowerShell commands must have internet access to Azure
  • All of the PowerShell commands below must be run in an ELEVATED PowerShell window
  • AD-joined host devices must be AzureAD Hybrid Joined. You can check this using the command
dsregcmd /status


Expected dsregcmd /status output
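
The hybrid-join prerequisite can also be checked in a script instead of by eye. The following is an added example, not TruGrid's or Microsoft's code: the function name Get-DsregJoinState and the sample text are constructed for illustration, and it relies on the AzureAdJoined and DomainJoined fields of dsregcmd /status both reading YES on a hybrid-joined device.

```powershell
# Added example: parse "dsregcmd /status" and classify the device join state.
function Get-DsregJoinState {
    param(
        # Lines of "dsregcmd /status"; defaults to running it on this machine.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Data lines look like "   AzureAdJoined : YES"; banners start with + or |.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $ad  = $fields['DomainJoined'] -eq 'YES'
    $state = 'NotJoined'
    if ($ad)  { $state = 'DomainJoinedOnly' }
    if ($aad) { $state = 'EntraJoined' }
    if ($aad -and $ad) { $state = 'HybridJoined' }
    [pscustomobject]@{
        JoinState     = $state
        AzureAdJoined = $fields['AzureAdJoined']
        DomainJoined  = $fields['DomainJoined']
        DomainName    = $fields['DomainName']
        AzureAdPrt    = $fields['AzureAdPrt']
    }
}

# Constructed sample in the layout dsregcmd prints (values are made up).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split '\r?\n'

$result = Get-DsregJoinState -StatusText $sample
$result
if ($result.JoinState -ne 'HybridJoined') {
    Write-Warning "Device is '$($result.JoinState)', not hybrid joined."
}
```

On a real host, call Get-DsregJoinState with no arguments so it reads the live dsregcmd /status output.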


Please note that accounts with high-level administrative access in Active Directory (Domain admin and similar) won't be able to use this method of login; they will experience a login loop when attempting it.


Below are the required steps


  1. Enable passkeys (FIDO2) for the organization. Details here: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2


The screenshot below is an example of how things should look when FIDO2 is enabled



  2. OPTIONAL: If the "Network security: Configure encryption types allowed for Kerberos" policy is configured on domain controllers, please **Enable AES256_HMAC_SHA1** as shown below:



  3. Create the Kerberos object


The domain controller must have internet access in order to communicate with Entra ID.


On a domain controller in the environment, please run the following PowerShell commands to create the Kerberos Object:


a. Enable TLS 1.2 for PowerShell gallery access:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12


b. Install the AzureADHybridAuthenticationManagement PowerShell module:

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber


c. Specify the on-premises Active Directory domain. A new Microsoft Entra ID Kerberos Server object will be created in this Active Directory domain

d. Enter an Azure Active Directory Hybrid Identity Administrator username and password

e. Enter a Domain Administrator username and password

f. Create the new Microsoft Entra ID Kerberos Server object in Active Directory and then publish it to Azure Active Directory


$domain = $env:USERDNSDOMAIN
$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Hybrid Identity Administrators group for Microsoft Entra ID.'
$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group and an Enterprise Admin for the forest.'
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

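g. Verification: within the existing session, run the PowerShell commands below to verify that the Kerberos object has been created in AD:

# $userPrincipalName is not set by the commands above; reuse the cloud admin name from $cloudCred
# (assumes that credential was entered in UPN format, e.g. user@domain)
$userPrincipalName = $cloudCred.UserName
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential (get-credential)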


The output should look similar to this:



And the AD object will be created under Domain Controllers:


Test SSO Login Experience


If everything is configured properly, the use of TruGrid Windows Connector with TruGrid's SSO Plugin will enable end users to use their Entra ID credentials to SSO over RDP into their hybrid-joined devices. This GIF illustrates the end-user experience of a first-time login on a device (the prompt to allow the connection will show up only once), after the user has already authenticated with their Office365 account for the TruGrid connector:



Updated on: 20/02/2026
