IGEL smart card Auth to Azure Virtual Desktop – Soon in the IGEL App Portal! You can take it for a test drive already now!

By Fredrik Brattstig @virtualbrat

2024-September-24
IGEL has been hard at work, together with Microsoft, to enable smart card authentication support for Azure Virtual Desktop (AVD). It is finally here!
This means that you can now log in to Microsoft Azure Virtual Desktop using your smart cards, leveraging Entra ID certificate-based authentication: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication

The key to making this possible is the integration of the Microsoft Authentication Library (MSAL) in the Microsoft-provided SDK that IGEL uses to build its AVD client-side app. Entra ID certificate-based authentication was chosen by Microsoft as the authentication method for third-party AVD clients, as it is modern and very easy to get started with. I’ve set this up myself in my Microsoft MVP tenant and it is actually super simple. You will need the signer root certificate that issues the user certificates: upload that root certificate to Entra and configure certificate-based authentication following this guide: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
I’m using an internal PKI based on Active Directory Certificate Services in my on-prem lab. I’m using my Active Directory domain to issue smart card certificates. I uploaded the CA root certificate to Microsoft Entra and followed the guide to get it all going.

On the IGEL side, you will need your designated middleware installed. IGEL OS 12 comes with the OpenSC middleware installed by default, and the IGEL App Portal lets you install a different middleware if your environment needs one. You can find the list of generally available middleware by browsing https://app.igel.com and selecting Smartcard as the category on the left-hand side of the page.
You will also need IGEL OS 12 version 12.5.0 or higher, which can be found here: https://app.igel.com/base_system/12.5.0. And for the time being, as certificate-based authentication for Azure Virtual Desktop is currently in Technical Preview, you will need to get in contact with your favorite IGEL Sales Engineer to get your hands on the IGEL Azure Virtual Desktop App 1.3.0.TP3. It can even be published to you as a private app through the IGEL App Portal.

So, there are a few moving parts to get this going. Feel free to set up a private call with me if you would like to discuss how this is done. You can book a meeting on the virtualbrat.com main page: in the left-hand part of the page, look for “Book time with Fred Brattstig” to request a meeting.

Create the AVD Session

Prerequisite: have the IGEL Azure Virtual Desktop app installed in the UMS through the IGEL App Portal or by importing the .ipkg file, and have the middleware used by your organization installed on your endpoint.
(If configuring a single IGEL OS endpoint without the UMS, start the IGEL Setup utility and follow the instructions below from step 3.)

  1. In the WebUMS, create a new profile, select OS 12 and give the profile a name representing its intention (e.g. AVD Smart Card enabled session). Click Select Apps.
  2. Select IGEL Azure Virtual Desktop and click Save.
  3. Make sure that the Apps tab is selected, expand AVD and select AVD Sessions.
  4. Click the + sign to create a session.
  5. Edit the Session Name (e.g. AVD Smart Card enabled session).
  6. Click the System tab, then click Registry.
  7. Expand app and edit the values in Configuration Settings below.
  8. Click Save and assign this profile to your IGEL OS 12 endpoint.

I’m glad you asked; luckily, I have prepared a video that shows the auth flow. Have a look, and enjoy strong authentication using IGEL OS and Azure Virtual Desktop!