Unable to sign into Windows Virtual Desktop session - Error: Sign in failed. Please check your username and password and try again.
Hi All,
Goal: Set up a cloud environment that allows cloud users to log into the Windows Virtual Desktop
Context:
I have signed up for the 90 day trial Azure AD Premium P2 license which also supplies the Microsoft 365 E5 Developer [without Windows and Audio Conferencing].
Also using my admin account created within the trial tenant, I have signed up for the 12month of free services with USD200 credit.
I have configured the Azure AD DS [no errors when provisioned]. Kept the default domain name. I have set-up the Windows Virtual Desktop following the set-up wizard.
Issue:
I have successfully signed into my workspace using a cloud user credential via the web client [//rdweb.wvd.microsoft.com/arm/webclient]. When attempting to launch the session desktop, it prompts me to re-enter my credentials, after which it returns a sign-in error [see attached image].
Troubleshoot steps:
Updated my cloud user password after AAD DS was created
Created new cloud user
Recreated the Host pool - Multisession
If anyone could provide some assistance, it would be much appreciated.
@Ice-9041
Wanted to check a few things here based on the issue description.
Firstly, have you enabled the diagnostics on the service or enabled the tracing in the browser client to identify further info?
Are you using the UPN or sAMAccountName?
Assuming cloud only identity, after the password reset I assume you have waited 15min for the password hash to sync?
Are the VMs properly joined to the AAD DS domain?
Are the users synced to AAD DS?
Hi @vipullag-MSFT
The issue is now resolved as I have just re-created the VM Host pool [not sure what exactly was the problem].
To answer your questions:
Yes, I have enabled diagnostics and it didn't really provide much regarding sign in issues.
I am using the UPN to sign in
I have reset the password and waited 20 or so minutes.
The VM is joined to the AAD DS domain, as I checked by utilising the run commands, and users are synced to AAD DS.
Correction, so previously it was working and then I shutdown the VM to save spend.
2 hours later, I start up the VM and now I cannot login again. Receiving same error message as per image attached.
@Ice-9041 ,
I had the same issue, and it was intermittent. After checking with Microsoft Support, here's what should be done:
1- User should be granted Virtual Machine User Login or Virtual Machine Administrator Login role. : DONE
2- If using the web, Android, macOS, and iOS clients, you must add targetisaadjoined:i:1 as an RDP property to the host pool. : DONE
3- Per-user MFA has not been supported in AAD joined AVD, you must disable the legacy per-user multifactor authentication. THAT'S WHAT WAS MISSING
I connected to the Microsoft 365 admin center and disabled per-user MFA [you can run a PowerShell script as well]; after that, all tested users successfully connected to the VM.
You can check this post : //docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required
Hope this helps you.
Just an update I believe this is what resolved the problem.
I had to enable the PKU2U local policy on both client and VM.
See //docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities for more details.
azuread login issues with azure virtual desktop
Hi All,
I am trying to explore the azure virtual desktop with azuread joined in it [not azure AD DS].
here are the steps I have followed
1. created virtual desktop pool with one windows 10 vm in it.
2. granted virtual machine user login , desktop virtualization user role assigned to the workspace and application group.
3. I have also assigned this vm to my user in hostpool assig option.
4. from bastion host, I can see from about pc This vm is joined to AzureAD.
5. when I try to login from following link, [cred passed are Username- AzureAD\ password-working password] I am getting this error "Oops, we couldn't connect to "SessionDesktop"
Sign in failed. Please check your username and password and try again."
//rdweb.wvd.microsoft.com/arm/webclient/index.html
6. we have conditional access MFA is enabled.
I have gone through multiple documents, various troubleshooting forums , but still not getting any solution. can you please advise what I should check to make this work.
thanks in advance.
khsarvaiya-6096
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Have you completed all of the steps outlined here: //docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#assign-user-access-to-host-pools
Also, this section is very important. Make sure you have everything in place as below:
thanks @AlanKinane for reply. appreciate it.
yes I have gone through this link as well.
1. yes I have assigned "Virtual Machine User Login" role to that VM and resource group both.
2. in host-pool ->RDP properties-> advance I have also added targetisaadjoined:i:1
3. in host-pool I have assigned to this VM.
then I tried with "azuread\" , "AzureAD\" , ""
but it is not working and shows same error.
Sorry for asking, but you mentioned you have MFA enabled. So have you performed these steps also?
If possible, maybe temporarily disable MFA for this account so MFA can be ruled out as an issue.
Also, have you rebooted the session host[s] since adding the RDP property: targetisaadjoined:i:1
thanks @AlanKinane for the immediate response on this, really appreciate it.
yes I have rebooted that vm.
for MFA, I understood that we can use MFA in this setup, so we didn't disturb that for this setup.
But for disabling the MFA, I would need to check with our org admin. as this is applied to all org users and to check its impact.
I will check and update.
thanks.
Azure Virtual Desktop - sign in failed
I want to set up Azure Virtual Desktop and everything is deployed but there is no possibility to log in. Created the host pool, Desktop Application Group and a workspace, then added users to the DAG and gave them the "Desktop Virtualization User" IAM role in the application group resource.
My domain controller is hosted in Azure with Azure AD Domain Services. When I try to log in to the virtual desktop using the web client: //rdweb.wvd.microsoft.com/arm/webclient/index.html, I can log in via Microsoft and I can see the workspace and the session host; however, when I connect to it and enter my credentials, I get the error: Sign in failed. Please check your username and password and try again.
The credentials are fine - I've tried on multiple different accounts. Connecting using the Azure provided RDP client does not work as well. What am I missing here? I've followed dozens of tutorials, watched dozens of youtube videos on this topic and it seems so simple, yet in my case it is not working at all.
I've reset the passwords for the users, still no luck.
Are there any logs you could share for further hints?
You can also try logging in using the DOMAIN\username format.
@RobertFlisak-0347
It sounds like you're having/had the same issues as I did. This Microsoft article helped point me in the right direction regarding MFA and Conditional Access policies.
Connections to Azure AD-joined VMs
- 12/05/2021
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects.
Use this article to resolve issues with connections to Azure Active Directory [Azure AD]-joined VMs in Azure Virtual Desktop.
After deploying the AVD with options of join this device to Azure AD join and Enroll with intune, user Azure AD join user sign in failed
After deploying the AVD with options of join this device to Azure AD join and Enroll with intune
We are trying with login with one of the corporate credential and shows the below error
OOPS, we couldn't connect to SessionDesktop -- Sign in failed please check your username and password and try again
In MS doc's article we found this line: "Azure AD-joined VMs only supports local user profiles at this time"
By this point, AVD only supports local profiles even if the device is Azure AD joined, and by using corporate credentials we can't sign in to the user profile on the Azure VM running Windows 10.
Hi @NaveenMurugesan-9800
If you come across an error saying The logon attempt failed on the Windows Security credential prompt, verify the following:
You are on a device that is Azure AD-joined or hybrid Azure AD-joined to the same Azure AD tenant as the session host OR
You are on a device running Windows 10 2004 or later that is Azure AD registered to the same Azure AD tenant as the session host
The PKU2U protocol is enabled on both the local PC and the session host
Per-user MFA is disabled for the user account as it's not supported for Azure AD-joined VMs.
--If the reply is helpful, please Upvote and Accept as answer--
@NaveenMurugesan-9800 Apologies for the delay in response and all the inconvenience caused because of the issue.
Please make sure the users are added to the desktop application group and they have these RBAC roles. For Azure AD-joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Azure Active Directory Domain Services-based deployments:
Assign your users the Virtual Machine User Login role so they can sign in to the VMs.
Assign administrators who need local administrative privileges the Virtual Machine Administrator Login role.
The error is nothing to do with the profiles. You need to ensure that you have enabled
1. The users with the Virtual Machine user Login RBAC permission: //docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#assign-user-access-to-host-pools
2. If using other clients besides MSRDC, they need to add targetisaadjoined:i:1 as an RDP property [in advanced]: //docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#connect-using-the-windows-desktop-client
Also, we do support personal desktops; there is no support for FSLogix yet.
Hope it helps!!!
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
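The checks the answers above ask for on an Azure AD-joined session host (a VM login role for the user, the targetisaadjoined:i:1 RDP property on the host pool, and the PKU2U policy), collected into one read-only script. This is an added example, not code from the thread or from Microsoft; the parameter names are placeholders, it assumes the Az modules with a signed-in session and that the session host VM sits in the host pool's resource group, and it does not read per-user MFA state.

```powershell
# Added example: read-only checks. Parameter values are placeholders you supply.
#Requires -Modules Az.Resources, Az.Compute, Az.DesktopVirtualization
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # assumed to hold host pool and VM
    [Parameter(Mandatory)] [string] $HostPoolName,
    [Parameter(Mandatory)] [string] $SessionHostVmName,
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

function Test-AadJoinedRdpProperty {
    param([string] $CustomRdpProperty)
    # Custom RDP properties are one ';'-separated string of name:type:value entries.
    $entries = @($CustomRdpProperty -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
    if ($entries -contains 'targetisaadjoined:i:1') { return 'OK' }
    # A misspelled name or a value other than 1 does not satisfy the requirement.
    $near = @($entries | Where-Object { $_ -like 'targetisaad*' })
    if ($near.Count -gt 0) { return "WRONG NAME OR VALUE: $($near -join ', ')" }
    return 'MISSING'
}

$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$vm   = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $SessionHostVmName

# Direct assignments to the user at the VM scope or inherited from above it;
# assignments made to a group the user belongs to are not listed by this call.
$loginRoles = 'Virtual Machine User Login', 'Virtual Machine Administrator Login'
$roles = @(Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -in $loginRoles })

# PKU2U policy on the machine running this script (run it on client and session host).
# Assumption: this registry value backs the "Allow PKU2U authentication requests" policy.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AllowOnlineID
$pku2u = if ($null -eq $value) { 'NOT CONFIGURED' } elseif ($value -eq 1) { 'ENABLED' } else { 'DISABLED' }

[pscustomobject]@{
    HostPool          = $pool.Name
    TargetIsAadJoined = Test-AadJoinedRdpProperty $pool.CustomRdpProperty
    VmLoginRoles      = if ($roles.Count -gt 0) { $roles.RoleDefinitionName -join ', ' } else { 'MISSING' }
    Pku2uOnThisHost   = $pku2u
}
```

A `NOT CONFIGURED` PKU2U result means the policy is not set on that machine and the operating system default applies.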
Issue – AVD could not connect to session desktop
I have seen this exact error “couldn’t connect to session desktop” many times and a couple of AVD PoC testers raised this issue.
Error Message – Oops, we couldn’t connect to “Session Desktop” – we couldn’t connect to the remote PC because the admin has restricted the type of logon that you can use. Ask your admin or tech support for help.
Cause of the AVD "Admin Has Restricted the Type of Logon" Error
The cause of the "admin has restricted the type of logon" error when you try to connect to a session host in AVD is mainly the ignorance of the end user. What? Yes, of course. This is why I highlighted in the first paragraph of this post that I have seen this issue mostly in PoC/test environments.
In a PoC or test environment, test users might have more than one user account to test and certify different scenarios. This error occurs when:
- The user logs into the AVD web client with a user ID [for example – [emailprotected]].
- The user clicks the Remote Desktop icon to log on to the session desktop/remote PC.
- The user [[emailprotected]] gets prompted to re-enter the user name and password [domain-level authentication].
- But because of user error or ignorance, the user enters a different user name [anoop2@htmdforum.com] and password.
- The user clicks the Submit button.