Configure Azure App Proxy SSO on AADDS

In a pure cloud Azure environment you may be utilizing Azure Active Directory Domain Services (AADDS) for LDAP queries and Kerberos authentication. You also require AADDS if you wish to use the Integrated Windows Authentication (IWA) SSO option when publishing internal apps via Azure App Proxy. IWA arguably provides the best user experience in terms of SSO when publishing apps via Azure App Proxy, so how do we set this up?

Well, firstly your app needs to support Windows authentication (fairly straightforward for IIS sites); then it's important to understand the constraints of AADDS:

On an Azure AD Domain Services managed domain, you do not have domain administrator privileges. Therefore, traditional account-based KCD cannot be configured on a managed domain. Use resource-based KCD as described in this article. This mechanism is also more secure.

(This also means you may run into trouble using ktpass)

You must also ensure you have enabled password hash synchronization. For cloud-only user accounts this is simply a case of ensuring users change their password once AADDS has been deployed; details found here.

Next, ensure your app servers are domain joined to the managed domain. You will need to use an account that is a member of the Azure AD DC Administrators group (only members of this group have privileges to join machines to the managed domain).

*Note: you may need to create a custom OU in the managed domain first and then pre-create the computer accounts in that OU before joining the computers to the domain. You can use ADUC from a domain-joined machine to achieve this.

Now install the Active Directory module for Windows PowerShell from Server Manager (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools); you may wish to do this on your App Proxy connector server.

Finally, run the following commands:

# Resolve the connector's computer account, then allow it to delegate to the web server (resource-based KCD)
$ImpersonatingAccount = Get-ADComputer -Identity "APPROXYCONNECTORSERVER"
Set-ADComputer "WEBSERVER" -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount

Where APPROXYCONNECTORSERVER is the hostname of the machine on which you installed the App Proxy connector and WEBSERVER is the hostname of your web server.

If you haven't already, you need to configure an SPN:
Configure SPN > Log in to the web server > Open an elevated command prompt
Run: setspn -s http/webserver.contoso.com webserver
Run: setspn -l webserver to check the SPN is now listed

Now, back in the Azure portal, it's simply a case of going to your enterprise application and selecting Add SSO > Configure Integrated Windows Authentication (IWA)
SPN: http/webserver.contoso.com

Wait a couple of minutes and then the SSO element should work as expected.
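As an added check (not part of the original post), the following PowerShell script verifies the two pieces configured above: that the SPN handed to the portal is registered on the web server's computer account only, and that only the connector is permitted to delegate to it. It assumes the hostnames APPROXYCONNECTORSERVER and WEBSERVER and the SPN http/webserver.contoso.com used in this post, and is run on the connector server (AD module installed) as a member of the Azure AD DC Administrators group.

```powershell
# Verification of resource-based KCD for Azure App Proxy IWA on AADDS.
# Added example, not from the original post; hostnames and SPN are the
# post's placeholder values and must be replaced with your own.
Import-Module ActiveDirectory

$ConnectorName = "APPROXYCONNECTORSERVER"   # host running the App Proxy connector
$WebServerName = "WEBSERVER"                # IIS host publishing the app
$Spn           = "http/webserver.contoso.com"

$connector = Get-ADComputer -Identity $ConnectorName
$web = Get-ADComputer -Identity $WebServerName `
    -Properties ServicePrincipalNames, PrincipalsAllowedToDelegateToAccount

# 1. The SPN must exist on the web server's account and nowhere else.
#    A duplicate SPN anywhere in the domain breaks Kerberos for this service,
#    so search the whole domain rather than only the expected object.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
if ($holders.Count -ne 1 -or $holders[0].DistinguishedName -ne $web.DistinguishedName) {
    Write-Warning "SPN $Spn is registered on $($holders.Count) object(s); expected only $WebServerName"
} else {
    Write-Host "OK: $Spn is registered on $WebServerName only"
}

# 2. Resource-based KCD: the web server's own account lists who may delegate
#    to it (msDS-AllowedToActOnBehalfOfOtherIdentity). Only the connector
#    should appear; any extra principal can also obtain service tickets to
#    this app on behalf of your users, so surface it for review.
$allowed = @($web.PrincipalsAllowedToDelegateToAccount)
if ($allowed -notcontains $connector.DistinguishedName) {
    Write-Warning "$ConnectorName is not allowed to delegate to $WebServerName; adding it"
    # Keep any existing entries and append the connector (idempotent re-run is safe)
    Set-ADComputer -Identity $WebServerName `
        -PrincipalsAllowedToDelegateToAccount ($allowed + $connector.DistinguishedName)
} else {
    Write-Host "OK: $ConnectorName may delegate to $WebServerName"
}

$extra = $allowed | Where-Object { $_ -ne $connector.DistinguishedName }
if ($extra) {
    Write-Warning "Other principals may also delegate to ${WebServerName}: $($extra -join ', ')"
}
```

If the first check fails because the SPN is missing, re-run the setspn -s command from above on the web server and run the script again.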
