Forum Discussion
[Announcement] Connectivity issues from synchronized users to VMs joined to AAD DS
Hi everyone, thanks for the continued testing of WVD. We’ve seen multiple connection errors with UPN when connecting to VMs joined to Azure AD Domain Services. We’ve done some preliminary investigations and figured out which scenarios are currently affected and which scenarios should continue to work.
Works
Logging into VM joined to Azure AD DS instance with Azure AD user sourced from Azure Active Directory (aka, New user created just in Azure AD).
Does not work (and investigating fix)
Logging into VM connected to Azure AD DS with Azure AD user sourced from Windows Server AD (aka, synchronized to Azure AD through Azure AD Connect).
You will see an error in the Diagnostics similar to below:
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the
orchestration reply from the agent for user ≤user1@contoso.com≥ with Id
54a45a4c-41ad-4374-5e41-08d6e4d9acde. This scenario is not supported - we will not be able to
redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/16/2019 3:17:24 PM
Workaround
If your setup matches the description but you would still like to test, we suggest creating cloud users in Azure Active Directory for the time being.
Resolution
No current ETA, but working towards a fix.
How to check where your user is sourced from
You can navigate to the Azure AD portal or the Azure Active Directory blade in the Azure portal, then go to users:
Christian_Montoya : A fix has been rolled out to production for this issue.
- Richard HarrisonCopper Contributor
Christian_Montoya would be great to get an update on when this will be fixed - we were happily using this with this setup then in abruptly broke and we've been investigating on and off as time allowed ever since.
Now i stumbled across this issue (after finally figuring out how to debug what was going wrong). Do we have an ETA as this is now a total block on us using WVD.
I'm really disappointed as this is the 2nd major stumbling block - we've fully adopted Azure AD and the lack of support for Azure AD join is the other one.
This can be such a good solution it's just so frustrating.....
- cititechsCopper Contributor
Christian_Montoya Any update on this ? As others have reported we are at a stand still.
Synced from on-premise aren't working. I have tried validation pools and still no luck with Sync accounts.- jeffb8Brass ContributorSeems like we’re in store for a repeat of Azure RemoteApp.
- Christian_MontoyaMicrosoft
jeffb8 : Just to get more clarity, is it primarily this issue that you think will make it the next Azure RemoteApp? Is there other functionality that we're missing, should be focusing on, or should be fixing?
- evasseMicrosoft
Christian_Montoya : A fix has been rolled out to production for this issue.
- acalvertCopper Contributor
Fantastic!! I just successfully logged into a desktop session on an account that was previously not working due to the SID issue, no reconfiguration required beforehand, literally just tried the login again and it worked perfectly.
- rhythmnewtCopper Contributor
evasse great news! Things are working now. Thank you!
- Joakim WestinCopper ContributorGreat, will test - thanks.
- ashro2Copper Contributor
I know before the post that Cloud ID only is working but that is not valid for our production POC
i been testing with cloud ID only and that works , further more the issue with synced account, it looks like recently (because this was working before) you doing SID check between the azure synced account and the account in azure DS and that will not match. i'm wondering if the scenario without azure DS , i mean extending AD to the cloud and join the virtual desktop machines to the same domain will have the same issue or not for synced user account.
- Christian_MontoyaMicrosoft
ashro2 : Thanks for the clarifying question, but no, the issue will not replicate if you have a hybrid setup and are joining your virtual machines to the domain that is syncing up the users with Azure AD Connect. The primary issue lies in the SID check, and that Azure AD DS creates a new SID (by design) for the users that it creates on the managed domain services instance.
- ashro2Copper Contributor
Thanks i came to the same conclusion when looking ate the object SID in AAD and Azure DS and the Mismatch. i have 2 comments
1. this check was introduced recently because this scenario was working before , is it possible to trun off this check of the SID? I saw the feedback on the form suggested moving the pool to validation pool where you deployed a fix for the issue but looks like that is not working as well. so is there a way to trun off this check i can do in my side?
2. is there a way to modify the Azure DS object SID to match AAD ? we don't have much control over the object in Azure DS I realized ?
it will be great if we can manually turnoff this SID check manually at least for testing
- Integral-ConsultingCopper Contributor
Hi Christian,
I seem to be experiencing the exact same error in a test environment. However, the user is sourced from Azure Active Directory.
I would be happy to help troubleshoot since I have clients looking forward to WVD. below is some info that might be relevant and if you need identifying tenant info I'll be happy to send via PM:
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user ≤username≥ with Id <id>. This scenario is
not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/28/2019 14:17:15TenantName : IC-WVD2
TenantGroupName : Default Tenant Group
HostPoolName : Desktop
FriendlyName :
Description :
Persistent : False
CustomRdpProperty :
MaxSessionLimit : 999999
LoadBalancerType : BreadthFirst
ValidationEnv : True
Ring : - MrTbone_seCopper Contributor
Hi,
We have just noticed the same problem in our test environment.
But a strange thing is that it only affects one of the 17 pilot users.
The users were synced from a local AD to Azure AD.
Azure AD connect sync was removed 1 year ago.
Azure AD services was setup to support the WVD environment.
Users envolved in pilot had to reset their passwords and could then logon.
But now, one user gets the error message:
SID value in the database is different than the value returned in the orchestration reply from the agent for user...
The Hostpool is in "validation"
<#
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user ≤a.b@domain.se≥ with Id b663bb3d-3f67-42e9-f891-08d6fb3eb712. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 2019-07-18 09:36:42ErrorSource : Client
ErrorOperation : ClientRDPConnect
ErrorCode : 2147965400
ErrorCodeSymbolic :
ErrorMessage : Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.
ErrorInternal : True
ReportedBy : Client
Time : 2019-07-18 09:36:42#>
- Christian_MontoyaMicrosoft
MrTbone_se : As it stands now, the issue stems from the SID's being synchronized as part of the Azure AD token and then receiving a different one through Azure AD Domain Services. Are you aware of any difference of properties between this 1 user and the other 16?
- MrTbone_seCopper Contributor
Christian_MontoyaI have checked with every powershell cmdlet i can think of, but the users are identical configured. I have compared with another user that was hired at the same time (2014). And also has been migrated from an onprem AD to an Azure AD only environment. The ad connect was removed a year ago ish. The Azure Domain Services was setup to support WVD preview in June.
My user is on vaccation and I cannot get an answer if it still is an issue or if it has been solved by agent update.
But, you should think of a rollback of the sid verification and do a rearchitect.
If it is so much trouble for preview users, how will this work for GA?/Mr T-Bone
- Alex IgnatenkoCopper Contributor
Christian_Montoya Same issue for one of test Azure-born user, the second one (Azure-born as well) still works fine.
- jeffb8Brass ContributorAny update on a resolution? This is a hard blocker for us.
The workaround only works with NEWLY CREATED users - meaning I cannot delete a Windows Server AD user, then recreate with the same username as an Azure AD sourced user. It seems like Windows Virtual Desktop permanently stores the upn and sid in its database....so deleting and recreating the user in Azure AD doesn’t help...- Christian_MontoyaMicrosoft
jeffb8 Richard Harrison Integral-Consulting rhythmnewt Alex Ignatenko : Hi everyone, apologies for this thread going a bit quiet. We've done investigations and started implementing the fix, but will take time to roll into production. Once I get a better date, I will reach out here so you all can continue your testing!
Since we roll out in phases, I'd highly recommend setting up a host pool for validation, as this will be the first place to test.
Again, thanks all and we're definitely trying to get this fix rolled out as soon as we can.
- pau_pedrozaCopper Contributor
Hola Christian_Montoya, thanks for the information.
In my case, the scenario and behavior are the following:
I have an Active Directory On-Premise synchronized to Azure Active Directory through ADConnect. In Azure I have implemented an Azure Active Directory Domanin Services (AADDS). Both directories are synchronized (ADDS and AADDS) through the AAD. I have password hashes replication set. I implemented a WVD HostPool.
To perform tests with my synchronized users, I have also created Cloud users (AAD only).
Both types of users allow me to connect the most virtual machines of the WVD HostPool through RDP. However, when I try to use the WebClient through the URL https://rdweb.wvd.microsoft.com/webclient/index.html both types of users can log in with their AADDS and AAD credentials. But by selecting applications to log in to them, only users created in the cloud (in AAD) can successfully start; synchronized users from ADDS get the error from the following image:
The log error for synced users is the follow:
ActivityId : e5eaa99a-0873-4e39-9063-d39e511c0000
ActivityType : Connection
StartTime : 12/08/2019 5:09:12 p. m.
EndTime : 12/08/2019 5:09:18 p. m.
UserName : F21212121@fvl.org.co
RoleInstances : rdwebclient;mrs-eus2r0c002-rdgateway-prod-staging::RD2818788A5384;mrs-eus2r0c001-rdbroker-prod-staging::RD2818782C7086;≤WVDSH-0.fvl.org.co≥
Outcome : Failure
Status : Completed
Details : {[ClientOS, Win32 Chrome 76.0.3809.100], [ClientVersion, 1.0.18.5], [ClientType, HTML], [PredecessorConnectionId, ]...}
LastHeartbeatTime : 12/08/2019 5:09:19 p. m.
Checkpoints : {LoadBalancedNewConnection, TransportConnected, TransportConnecting}
Errors : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}Is the same error that you are describing in this post?
Thanks a lot for your response.
Paul Pedroza
- jeffb8Brass Contributor
- MrTbone_seCopper Contributor
Christian_MontoyaAnother week without status update?
Any progress of getting the WVD working again for all of us with Azure DS?
I have only one user out of 30 pilots that get sid failure?
- Cannot see any different attributes on this specific user compared with another user created same week.
- Both accounts created 3 years ago in a local AD.
- Synced to Azure AD with AD connect.
- Local AD and Azure AD connect dismounted and retired 12 month ago.
- Azure DS started for WVD 3 months ago.
/Mr-Tbone
/Torbjörn
- Christian_MontoyaMicrosoft
MrTbone_se cititechs jeffb8 : Thanks for being patient with us. As an update, we've identified the issue and have taken the first step to solving it, just that's a multi-phase fix/roll-out.
Also, to address some of the feedback, in order to login users and work between cloud/on-prem accounts, there are only so many interfaces and returned values that the system gives us for logon. And, unfortunately, it wasn't as easy as rolling back because then we would then have other sets of users be unable to reconnect to existing sessions.
Will hope to have another update soon regarding the full fix.
- Richard HarrisonCopper Contributor
Hi Christian_Montoya ,
The validation pool seems like a good idea (https://docs.microsoft.com/en-gb/azure/virtual-desktop/create-validation-host-pool)
However to make that really viable we need a schedule of upcoming releases to know when we should be validating (and potentially what specific areas to check). Is that something that is also going to be published?
Some control of when updates are pushed would also be very useful - for example if we find an issue during validation can we prevent that being pushed to our environments or would if just get pushed anyway after some timeout period?
Cheers,
Rich
- CraigSmith87Copper Contributor
I am still experiencing this same issue you explain above with AADDS, however even when I create a Cloud native user I get the following error when trying to connect to Virtual Desktop / RemoteApp:-
ErrorSource : RDAgent
ErrorOperation : AddUserToRDUGroup
ErrorCode : -2147467259
ErrorCodeSymbolic : ConnectionFailedAdErrorNoSuchMember
ErrorMessage : Failed to add user = ≤Cloud.User@teammetalogic.com≥ to group = Remote
Desktop Users. Reason: Win32.ERROR_NO_SUCH_MEMBER
ErrorInternal : False
ReportedBy : RDGateway
Time : 05/10/2019 17:05:32Windows Virtual Desktop DNS name - azure.DOMAIN.com was initially created because recommendation was to not have conflicting DNS names with tenant, which is DOMAIN.com
- Christian_MontoyaMicrosoft
CraigSmith87 : Where was that recommendation made (to not match your AAD tenant name)?
- cwood0304Copper Contributor
Christian_MontoyaThank you for the updates. Will there be any additional steps for us to perform if we already have the host pools with validation set to true? Hopefully your target of this month remains on track, I have 2 clients that I would like to migrate to WVD as it, at least from the outset, looks to out perform their existing Citrix environment and a much lower cost.