Windows Virtual Desktop sign in failed please check your username and password and try again

Unable to sign into Windows Virtual Desktop session - Error: Sign in failed. Please check your username and password and try again.

Hi All,

Goal: Set up a cloud environment that allows cloud users to log into Windows Virtual Desktop.

Context:
I have signed up for the 90 day trial Azure AD Premium P2 license which also supplies the Microsoft 365 E5 Developer [without Windows and Audio Conferencing].
Also, using my admin account created within the trial tenant, I have signed up for the 12 months of free services with USD200 credit.

I have configured the Azure AD DS [no errors when provisioned]. Kept the default domain name. I have set-up the Windows Virtual Desktop following the set-up wizard.

Issue:
I have successfully signed into my workspace using a cloud user credential via the web client [//rdweb.wvd.microsoft.com/arm/webclient]. When attempting to launch the session desktop, it prompts me to re-enter my credentials, after which it returns a sign-in error [see attached image].

Troubleshoot steps:
Updated my cloud user password after AAD DS was created
Created new cloud user
Recreated the Host pool - Multisession


If anyone could provide some assistance, it would be much appreciated.


Tags: azure-virtual-machines, azure-virtual-desktop, azure-ad-domain-services

vipullag-MSFT · Aug 26, 2021 at 06:25 AM

@Ice-9041

Wanted to check a few things here based on the issue description.

Firstly, have you enabled the diagnostics on the service or enabled the tracing in the browser client to identify further info?
Are you using the UPN or sAMAccountName?
Assuming cloud only identity, after the password reset I assume you have waited 15min for the password hash to sync?

Are the VMs properly joined to the AAD DS domain?
Are the users synced to AAD DS?

1 Vote 1 ·
Ice-9041 vipullag-MSFT · Aug 26, 2021 at 11:28 PM

Hi @vipullag-MSFT

The issue is now resolved as I have just re-created the VM Host pool [not sure what exactly was the problem].

To answer your questions:

Yes, I have enabled diagnostics and it didn't really provide much regarding sign in issues.

I am using the UPN to sign in

I have reset the password and waited 20 or so minutes.

The VM is joined to the AAD DS domain, as I checked by utilising the run commands, and users are synced to AAD DS.

0 Votes 0 ·
Ice-9041 Ice-9041 · Aug 27, 2021 at 02:44 AM

Correction, so previously it was working and then I shutdown the VM to save spend.

2 hours later, I start up the VM and now I cannot login again. Receiving same error message as per image attached.

0 Votes 0 ·
kgahbiche · Oct 05, 2021 at 09:19 AM

@Ice-9041 ,
I had the same issue, and it was intermittent. After checking with Microsoft Support, here's what should be done:

1- User should be granted Virtual Machine User Login or Virtual Machine Administrator Login role. : DONE
2- If using the web, Android, macOS, and iOS clients, you must add targetisaadjoined:i:1 as an RDP property to the host pool. : DONE
3- Per-user MFA has not been supported in AAD joined AVD, you must disable the legacy per-user multifactor authentication. THAT'S WHAT WAS MISSING

I connected to the Microsoft 365 admin center and disabled per-user MFA [you can run a PowerShell script as well]; after that, all tested users successfully connected to the VM.

You can check this post : //docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required

Hope this helps you.

0 Votes 0 ·
Ice-9041 answered Aug 27, '21

Just an update: I believe this is what resolved the problem.

I had to enable the PKU2U local policy on both client and VM.

See //docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities for more details.
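
Added example (not part of the thread and not Microsoft's code): a PowerShell check for two settings raised above, the targetisaadjoined:i:1 RDP property from kgahbiche's list and the PKU2U policy from this answer. The function names and the sample property string are constructed for illustration; the registry path is the value that backs the PKU2U policy setting.

```powershell
# Added example; function names and the sample string are constructed.

function Test-TargetIsAadJoined {
    # True when the host pool's custom RDP property string carries targetisaadjoined:i:1.
    param([string]$CustomRdpProperty)
    $entries = $CustomRdpProperty -split ';' | ForEach-Object { $_.Trim() }
    $entries -contains 'targetisaadjoined:i:1'
}

function Set-TargetIsAadJoined {
    # Returns the string with exactly one targetisaadjoined entry, set to i:1.
    param([string]$CustomRdpProperty)
    $kept = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in ($CustomRdpProperty -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }   # empty input or trailing ';'
        # Entries are name:type:value; drop any existing targetisaadjoined (for example i:0).
        if (($entry -split ':', 3)[0] -eq 'targetisaadjoined') { continue }
        $kept.Add($entry)
    }
    $kept.Add('targetisaadjoined:i:1')
    $kept -join ';'
}

function Get-Pku2uOnlineIdPolicy {
    # Reads the registry value behind "Network security: Allow PKU2U authentication
    # requests to this computer to use online identities". Run on both client and VM.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $item = Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    if ($item.AllowOnlineID -eq 1) { 'Enabled' } else { 'Disabled' }
}

# Constructed sample: property present but set to 0, with a trailing separator.
$sample = 'audiomode:i:0;targetisaadjoined:i:0;redirectclipboard:i:1;'
Test-TargetIsAadJoined $sample
Set-TargetIsAadJoined $sample

# Live value, with the Az.DesktopVirtualization module (placeholders in angle brackets):
#   (Get-AzWvdHostPool -ResourceGroupName '<rg>' -Name '<pool>').CustomRdpProperty
Get-Pku2uOnlineIdPolicy
```

Hardening baselines such as the DISA STIG for Windows disable the PKU2U setting, so a 'Disabled' result on a hardened image is expected and has to be weighed against the Azure AD sign-in requirement.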


Azure Virtual Desktop - sign in failed

I want to set up Azure Virtual Desktop and everything is deployed but there is no possibility to log in. Created the host pool, Desktop Application Group and a workspace, then added users to the DAG and gave them the "Desktop Virtualization User" IAM role in the application group resource.

My domain controller is hosted in Azure with Azure AD Domain Services. When I try to log in to the virtual desktop using the web client: //rdweb.wvd.microsoft.com/arm/webclient/index.html, I can log in via Microsoft and I can see the workspace and the session host; however, when I connect to it and enter my credentials, I get the error: Sign in failed. Please check your username and password and try again.

The credentials are fine - I've tried on multiple different accounts. Connecting using the Azure provided RDP client does not work either. What am I missing here? I've followed dozens of tutorials, watched dozens of YouTube videos on this topic and it seems so simple, yet in my case it is not working at all.

I've reset the passwords for the users, still no luck.

Tags: azure-ad-domain-services, azure-ad-user-management

MarileeTurscak-MSFT · Jun 29, 2021 at 07:17 PM

Are there any logs you could share for further hints?

You can also try logging in using the DOMAIN\username format.

0 Votes 0 ·
WittA answered Jan 28, '22 | WittA edited Jan 28, '22

@RobertFlisak-0347
It sounds like you're having/had the same issues as I did. This Microsoft article helped point me in the right direction regarding MFA and Conditional Access policies.



Issue – AVD could not connect to session desktop

I have seen this exact error “couldn’t connect to session desktop” many times and a couple of AVD PoC testers raised this issue.

Error Message – Oops, we couldn’t connect to “Session Desktop” – we couldn’t connect to the remote PC because the admin has restricted the type of logon that you can use. Ask your admin or tech support for help.

Fix AVD Could not Connect to Session Desktop | Admin has Restricted the Type of Logon

Cause of AVD Admin has Rejected Type of Login Error

Well, the cause of the "admin has restricted the type of logon" error when you try to connect to a session host in AVD is mainly ignorance on the part of the end user. What? Yes, of course. This is why I highlighted in the first paragraph of this post that I have seen this issue mostly in PoC/test environments.

In a PoC or test environment, the test users might have more than one user account to test and certify different scenarios. This error occurs when:

  • The user logs into the AVD web client with a user ID [for example – [emailprotected]].
  • The user clicks on the Remote Desktop icon to log on to the session desktop/remote PC.
  • The user [[emailprotected]] gets prompted to re-enter the user name and password [domain-level authentication].
  • But because of user error or ignorance, the user enters a different user name [anoop2@htmdforum.com] and password.
  • The user clicks on the Submit button.

Fix Unable to RDP VM using Azure AD Credentials Issues

As mentioned earlier, I will cover the troubleshooting steps to resolve the common issue of being unable to RDP to a VM using Azure AD credentials. If you want to RDP to a VM in Azure with Azure AD credentials, you need to ensure the required settings are in place.

Suppose that you are connecting with Remote Desktop [RDP] to an Azure AD joined computer with a user account. The connection we want to establish is to an Azure AD joined computer, logging on with an account from Azure AD.

Network Requirements

To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure your VM's network configuration permits outbound access to the following endpoints over TCP port 443:

For Azure Global

  • //enterpriseregistration.windows.net – For device registration.
  • //169.254.169.254 – Azure Instance Metadata Service endpoint.
  • //login.microsoftonline.com – For authentication flows.
  • //pas.windows.net – For Azure RBAC flows.

For Azure Government

  • //enterpriseregistration.microsoftonline.us – For device registration.
  • //169.254.169.254 – Azure Instance Metadata Service.
  • //login.microsoftonline.us – For authentication flows.
  • //pasff.usgovcloudapi.net – For Azure RBAC flows.
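
To verify the outbound requirements above from the VM itself, the following PowerShell check (an added example, not from the original article) probes each listed endpoint with Test-NetConnection. The function name is hypothetical, and probing the metadata endpoint on port 80 rather than 443 is an assumption added here, since that service answers over plain HTTP.

```powershell
# Added example; the function name is hypothetical. Run it on the Azure VM.
function Test-AadLoginEndpoints {
    param(
        [ValidateSet('Global', 'Government')]
        [string]$Cloud = 'Global'
    )

    # Hostnames copied from the lists above.
    $hostsByCloud = @{
        Global     = 'enterpriseregistration.windows.net',
                     'login.microsoftonline.com',
                     'pas.windows.net'
        Government = 'enterpriseregistration.microsoftonline.us',
                     'login.microsoftonline.us',
                     'pasff.usgovcloudapi.net'
    }

    $targets = @($hostsByCloud[$Cloud] | ForEach-Object {
        [pscustomobject]@{ Name = $_; Port = 443 }
    })
    # Assumption: the Instance Metadata Service is probed on port 80 (plain HTTP).
    # It is a link-local address and only answers from inside an Azure VM.
    $targets += [pscustomobject]@{ Name = '169.254.169.254'; Port = 80 }

    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint      = $t.Name
            Port          = $t.Port
            Reachable     = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

# One row per endpoint; any row with Reachable = False points at an NSG,
# firewall or DNS problem on the VM's outbound path.
Test-AadLoginEndpoints -Cloud Global | Format-Table -AutoSize
```

Test-NetConnection opens a direct TCP connection, so a False result can also mean the VM reaches these hosts only through a proxy.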

Step 1 – Enable Azure AD login for Windows VM

Long ago, Microsoft announced Azure AD authentication to Windows Virtual Machines [VMs] in Azure giving you the ability to manage and control who can access a VM.

The Azure AD login for a Windows VM in Azure needs to be manually enabled. You can enable this option while creating a new virtual machine in Azure. With this option enabled, you can use your corporate AD credentials to log in to Windows VMs in Azure.

If you are creating a new VM in Azure and you want to Log in using Azure AD credentials, you must enable the Login with Azure AD option.

There are two ways to enable Azure AD login for a VM in Azure.

  1. You can enable in Azure Portal while creating a VM.
  2. You can also use the Azure Cloud Shell experience when creating a Windows VM or for an existing Windows VM.

In the Azure portal, on the Create a Virtual machine window, select Management and under Azure AD, select Login with Azure AD. With this option enabled, you can log in to the VM using the Azure AD credentials.
