Christian_Montoya
Jul 17, 2019

[Announcement] Connectivity issues from synchronized users to VMs joined to AAD DS

Hi everyone, thanks for the continued testing of WVD. We’ve seen multiple connection errors with UPN when connecting to VMs joined to Azure AD Domain Services. We’ve done some preliminary investigations and figured out which scenarios are currently affected and which scenarios should continue to work.

Works

Logging into a VM joined to an Azure AD DS instance with an Azure AD user sourced from Azure Active Directory (aka, a new user created just in Azure AD).

Does not work (and investigating fix)

Logging into a VM connected to Azure AD DS with an Azure AD user sourced from Windows Server AD (aka, synchronized to Azure AD through Azure AD Connect).

You will see an error in the Diagnostics similar to below:

ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user <user1@contoso.com> with Id 54a45a4c-41ad-4374-5e41-08d6e4d9acde. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/16/2019 3:17:24 PM

Workaround

If your setup matches the description but you would still like to test, we suggest creating cloud users in Azure Active Directory for the time being.

Resolution

No current ETA, but working towards a fix.

How to check where your user is sourced from

You can navigate to the Azure AD portal or the Azure Active Directory blade in the Azure portal, then go to Users:

Locate where the Azure AD user is sourced.
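As an added example (not part of the original post or of the WVD product), the following PowerShell script performs the same source check from the command line and, when run on a VM joined to the Azure AD DS managed domain, compares the SID Azure AD carries for a synchronized user with the SID Azure AD DS assigned to it. It assumes the AzureAD and ActiveDirectory (RSAT) modules are installed and Connect-AzureAD has already been run; the parameter and variable names are my own.

```powershell
# Added example, not from the original thread. Classifies an Azure AD user as
# cloud-only or synchronized and, where the ActiveDirectory module is available
# on an Azure AD DS-joined VM, compares the two SIDs that the thread describes
# as mismatching. Assumes Connect-AzureAD has been run beforehand.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName
)

Import-Module AzureAD

# -ObjectId accepts either the object ID or the UPN.
$aadUser = Get-AzureADUser -ObjectId $UserPrincipalName

# DirSyncEnabled is $true for users synchronized by Azure AD Connect; it is
# $null or $false for users created directly in Azure AD ("cloud" users).
$source = if ($aadUser.DirSyncEnabled) {
    'Windows Server AD (synchronized via Azure AD Connect)'
} else {
    'Azure Active Directory (cloud user)'
}

# OnPremisesSecurityIdentifier is only populated for synchronized users, so a
# cloud user has no on-prem SID that could disagree with the Azure AD DS SID.
$onPremSid = $aadUser.OnPremisesSecurityIdentifier

# Look the same user up in the managed domain. This only succeeds on a VM that
# is joined to the Azure AD DS domain and has the RSAT ActiveDirectory module.
$dsSid = $null
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dsUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                         -ErrorAction SilentlyContinue
    if ($dsUser) { $dsSid = $dsUser.SID.Value }
}

# SidMismatch is $true only when both SIDs are known and they differ, i.e. the
# condition behind ConnectionFailedUserSIDInformationMismatch in the thread.
[pscustomobject]@{
    UserPrincipalName = $aadUser.UserPrincipalName
    ObjectId          = $aadUser.ObjectId
    Source            = $source
    OnPremSid         = $onPremSid
    AzureAdDsSid      = $dsSid
    SidMismatch       = [bool]($onPremSid -and $dsSid -and ($onPremSid -ne $dsSid))
}
```

Run it against one affected and one working UPN; a synchronized user that reports SidMismatch = True matches the "Does not work" scenario above, while a cloud user shows an empty OnPremSid.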

  • Christian_Montoya would be great to get an update on when this will be fixed - we were happily using this with this setup, then it abruptly broke and we've been investigating on and off as time allowed ever since.

    Now I stumbled across this issue (after finally figuring out how to debug what was going wrong). Do we have an ETA, as this is now a total block on us using WVD?

    I'm really disappointed as this is the 2nd major stumbling block - we've fully adopted Azure AD and the lack of support for Azure AD join is the other one.

    This can be such a good solution; it's just so frustrating.....

  • cititechs
    Copper Contributor

    Christian_Montoya Any update on this? As others have reported, we are at a standstill.
    Synced from on-premise aren't working. I have tried validation pools and still no luck with Sync accounts.

    • jeffb8
      Brass Contributor
      Seems like we’re in store for a repeat of Azure RemoteApp.
      • jeffb8 : Just to get more clarity, is it primarily this issue that you think will make it the next Azure RemoteApp? Is there other functionality that we're missing, should be focusing on, or should be fixing?

    • acalvert
      Copper Contributor

      Fantastic!! I just successfully logged into a desktop session on an account that was previously not working due to the SID issue, no reconfiguration required beforehand, literally just tried the login again and it worked perfectly.

  • ashro2
    Copper Contributor

    Christian_Montoya

    I knew before this post that Cloud ID only is working, but that is not valid for our production POC.

    I have been testing with cloud ID only and that works. Furthermore, on the issue with synced accounts, it looks like recently (because this was working before) you are doing a SID check between the Azure synced account and the account in Azure DS, and that will not match. I'm wondering if the scenario without Azure DS, I mean extending AD to the cloud and joining the virtual desktop machines to the same domain, will have the same issue or not for synced user accounts.

    • ashro2 : Thanks for the clarifying question, but no, the issue will not replicate if you have a hybrid setup and are joining your virtual machines to the domain that is syncing up the users with Azure AD Connect. The primary issue lies in the SID check, and that Azure AD DS creates a new SID (by design) for the users that it creates on the managed domain services instance.

      • ashro2
        Copper Contributor

        Christian_Montoya

        Thanks, I came to the same conclusion when looking at the object SID in AAD and Azure DS and the mismatch. I have 2 comments:

        1. This check was introduced recently because this scenario was working before. Is it possible to turn off this check of the SID? I saw the feedback on the forum suggested moving the pool to a validation pool where you deployed a fix for the issue, but it looks like that is not working as well. So is there a way to turn off this check that I can do on my side?

        2. Is there a way to modify the Azure DS object SID to match AAD? We don't have much control over the object in Azure DS, I realized?

        It would be great if we could turn off this SID check manually, at least for testing.

  • Christian_Montoya

    Hi Christian,

    I seem to be experiencing the exact same error in a test environment. However, the user is sourced from Azure Active Directory.

    I would be happy to help troubleshoot since I have clients looking forward to WVD. Below is some info that might be relevant, and if you need identifying tenant info I'll be happy to send it via PM:

    ErrorSource : RDBroker
    ErrorOperation : OrchestrateSessionHost
    ErrorCode : -2146233088
    ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
    ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user <username> with Id <id>. This scenario is not supported - we will not be able to redirect the user session.
    ErrorInternal : False
    ReportedBy : RDGateway
    Time : 7/28/2019 14:17:15

    TenantName : IC-WVD2
    TenantGroupName : Default Tenant Group
    HostPoolName : Desktop
    FriendlyName :
    Description :
    Persistent : False
    CustomRdpProperty :
    MaxSessionLimit : 999999
    LoadBalancerType : BreadthFirst
    ValidationEnv : True
    Ring :

  • MrTbone_se
    Copper Contributor

    Hi,

    We have just noticed the same problem in our test environment.

    But a strange thing is that it only affects one of the 17 pilot users.

    The users were synced from a local AD to Azure AD.

    Azure AD Connect sync was removed 1 year ago.

    Azure AD services was set up to support the WVD environment.

    Users involved in the pilot had to reset their passwords and could then log on.

    But now, one user gets the error message:

    SID value in the database is different than the value returned in the orchestration reply from the agent for user...

    The Hostpool is in "validation"

    <#

    ErrorSource       : RDBroker
    ErrorOperation    : OrchestrateSessionHost
    ErrorCode         : -2146233088
    ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
    ErrorMessage      : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user <a.b@domain.se> with Id b663bb3d-3f67-42e9-f891-08d6fb3eb712. This scenario is not supported - we will not be able to redirect the user session.
    ErrorInternal     : False
    ReportedBy        : RDGateway
    Time              : 2019-07-18 09:36:42

    ErrorSource       : Client
    ErrorOperation    : ClientRDPConnect
    ErrorCode         : 2147965400
    ErrorCodeSymbolic :
    ErrorMessage      : Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.
    ErrorInternal     : True
    ReportedBy        : Client
    Time              : 2019-07-18 09:36:42

    #>

    • Christian_Montoya
      Microsoft

      MrTbone_se : As it stands now, the issue stems from the SIDs being synchronized as part of the Azure AD token and then receiving a different one through Azure AD Domain Services. Are you aware of any difference of properties between this 1 user and the other 16?

      • MrTbone_se
        Copper Contributor

        Christian_Montoya I have checked with every PowerShell cmdlet I can think of, but the users are identically configured. I have compared with another user that was hired at the same time (2014) and has also been migrated from an on-prem AD to an Azure AD only environment. The AD Connect was removed a year ago-ish. The Azure Domain Services was set up to support the WVD preview in June.

        My user is on vacation and I cannot get an answer if it still is an issue or if it has been solved by the agent update.

        But, you should think of a rollback of the SID verification and do a rearchitect.
        If it is so much trouble for preview users, how will this work for GA?

        /Mr T-Bone

    • jeffb8
      Brass Contributor
      Any update on a resolution? This is a hard blocker for us.

      The workaround only works with NEWLY CREATED users - meaning I cannot delete a Windows Server AD user, then recreate it with the same username as an Azure AD sourced user. It seems like Windows Virtual Desktop permanently stores the UPN and SID in its database....so deleting and recreating the user in Azure AD doesn’t help...
  • pau_pedroza
    Copper Contributor

    Hi Christian_Montoya, thanks for the information.

    In my case, the scenario and behavior are the following:

    I have an on-premises Active Directory synchronized to Azure Active Directory through AD Connect. In Azure I have implemented Azure Active Directory Domain Services (AADDS). Both directories (ADDS and AADDS) are synchronized through AAD. I have password hash replication set. I implemented a WVD HostPool.

    To perform tests alongside my synchronized users, I have also created Cloud users (AAD only).

    Both types of users allow me to connect to most virtual machines of the WVD HostPool through RDP. However, when I try to use the WebClient through the URL https://rdweb.wvd.microsoft.com/webclient/index.html, both types of users can log in with their AADDS and AAD credentials. But when selecting applications to log in to them, only users created in the cloud (in AAD) can successfully start; synchronized users from ADDS get the error from the following image:

    The log error for synced users is the following:

    ActivityId : e5eaa99a-0873-4e39-9063-d39e511c0000
    ActivityType : Connection
    StartTime : 12/08/2019 5:09:12 p. m.
    EndTime : 12/08/2019 5:09:18 p. m.
    UserName : F21212121@fvl.org.co
    RoleInstances : rdwebclient;mrs-eus2r0c002-rdgateway-prod-staging::RD2818788A5384;mrs-eus2r0c001-rdbroker-prod-staging::RD2818782C7086;<WVDSH-0.fvl.org.co>
    Outcome : Failure
    Status : Completed
    Details : {[ClientOS, Win32 Chrome 76.0.3809.100], [ClientVersion, 1.0.18.5], [ClientType, HTML], [PredecessorConnectionId, ]...}
    LastHeartbeatTime : 12/08/2019 5:09:19 p. m.
    Checkpoints : {LoadBalancedNewConnection, TransportConnected, TransportConnecting}
    Errors : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}

    Is it the same error that you are describing in this post?

    Thanks a lot for your response.

    Paul Pedroza

  • MrTbone_se
    Copper Contributor

    Christian_Montoya Another week without a status update?

    Any progress on getting WVD working again for all of us with Azure DS?

    I have only one user out of 30 pilots that gets the SID failure.

    • Cannot see any different attributes on this specific user compared with another user created the same week.
    • Both accounts created 3 years ago in a local AD.
    • Synced to Azure AD with AD Connect.
    • Local AD and Azure AD Connect dismounted and retired 12 months ago.
    • Azure DS started for WVD 3 months ago.

    /Mr-Tbone

    /Torbjörn

    • Christian_Montoya
      Microsoft

      MrTbone_se cititechs jeffb8 : Thanks for being patient with us. As an update, we've identified the issue and have taken the first step to solving it; it's just that it's a multi-phase fix/roll-out.

      Also, to address some of the feedback: in order to log in users and work between cloud/on-prem accounts, there are only so many interfaces and returned values that the system gives us for logon. And, unfortunately, it wasn't as easy as rolling back, because then we would have other sets of users be unable to reconnect to existing sessions.

      Will hope to have another update soon regarding the full fix.

      • Richard Harrison
        Copper Contributor

        Hi Christian_Montoya,

        The validation pool seems like a good idea (https://docs.microsoft.com/en-gb/azure/virtual-desktop/create-validation-host-pool).

        However, to make that really viable we need a schedule of upcoming releases to know when we should be validating (and potentially what specific areas to check). Is that something that is also going to be published?

        Some control of when updates are pushed would also be very useful - for example, if we find an issue during validation, can we prevent that being pushed to our environments, or would it just get pushed anyway after some timeout period?

        Cheers,

        Rich

  • CraigSmith87
    Copper Contributor

    Christian_Montoya

    I am still experiencing this same issue you explain above with AADDS; however, even when I create a Cloud native user I get the following error when trying to connect to Virtual Desktop / RemoteApp:

    ErrorSource : RDAgent
    ErrorOperation : AddUserToRDUGroup
    ErrorCode : -2147467259
    ErrorCodeSymbolic : ConnectionFailedAdErrorNoSuchMember
    ErrorMessage : Failed to add user = <Cloud.User@teammetalogic.com> to group = Remote Desktop Users. Reason: Win32.ERROR_NO_SUCH_MEMBER
    ErrorInternal : False
    ReportedBy : RDGateway
    Time : 05/10/2019 17:05:32

    The Windows Virtual Desktop DNS name - azure.DOMAIN.com - was initially created because the recommendation was to not have conflicting DNS names with the tenant, which is DOMAIN.com.

      • cwood0304
        Copper Contributor

        Christian_Montoya Thank you for the updates. Will there be any additional steps for us to perform if we already have the host pools with validation set to true? Hopefully your target of this month remains on track; I have 2 clients that I would like to migrate to WVD as it, at least from the outset, looks to outperform their existing Citrix environment at a much lower cost.
