Forum Discussion
Christian_Montoya
Microsoft
Jul 17, 2019
[Announcement] Connectivity issues from synchronized users to VMs joined to AAD DS
Hi everyone, thanks for the continued testing of WVD. We’ve seen multiple connection errors with UPN when connecting to VMs joined to Azure AD Domain Services. We’ve done some preliminary investigati...
- Nov 04, 2019
Christian_Montoya : A fix has been rolled out to production for this issue.
ashro2
Jul 18, 2019 Copper Contributor
I know before the post that Cloud ID only is working, but that is not valid for our production POC.
I've been testing with cloud ID only and that works. Furthermore, on the issue with the synced account, it looks like recently (because this was working before) you are doing a SID check between the Azure synced account and the account in Azure DS, and that will not match. I'm wondering if the scenario without Azure DS, I mean extending AD to the cloud and joining the virtual desktop machines to the same domain, will have the same issue or not for synced user accounts.
Christian_Montoya
Microsoft
Jul 18, 2019
ashro2 : Thanks for the clarifying question, but no, the issue will not replicate if you have a hybrid setup and are joining your virtual machines to the domain that is syncing up the users with Azure AD Connect. The primary issue lies in the SID check, and that Azure AD DS creates a new SID (by design) for the users that it creates on the managed domain services instance.
- ashro2 Jul 19, 2019 Copper Contributor
Thanks, I came to the same conclusion when looking at the object SID in AAD and Azure DS and the mismatch. I have 2 comments:
1. This check was introduced recently, because this scenario was working before. Is it possible to turn off this check of the SID? I saw the feedback on the form suggested moving the pool to the validation pool where you deployed a fix for the issue, but it looks like that is not working as well. So is there a way to turn off this check that I can do on my side?
2. Is there a way to modify the Azure DS object SID to match AAD? We don't have much control over the object in Azure DS, I realized.
It will be great if we can manually turn off this SID check, at least for testing.
- Christian_Montoya Jul 19, 2019
Microsoft
ashro2 : Unfortunately, it's not quite as simple as turning off the check since this check was implemented to stabilize the reconnection scenarios so that users get redirected back to a previously existing session (as opposed to getting a new session).
I'm not sure if there's a way to manipulate the SIDs, but we're investigating all possible options right now.
Thank you for the feedback and dialogue though. We want to unblock testing, but also do not want to leave users in a bad state.
- Bazam Chekrian Valappu Jul 23, 2019 Copper Contributor
Christian_Montoya : So no workaround for this scenario since the SID check is active now and, according to you, no ETA too. That's a bit disappointing!