Forum Discussion

Christian_Montoya's avatar
Christian_Montoya
Icon for Microsoft rankMicrosoft
Jul 17, 2019
Solved

[Announcement] Connectivity issues from synchronized users to VMs joined to AAD DS

Hi everyone, thanks for the continued testing of WVD. We’ve seen multiple connection errors with UPN when connecting to VMs joined to Azure AD Domain Services. We’ve done some preliminary investigati...
Christian_Montoya's avatar
Christian_Montoya
Icon for Microsoft rankMicrosoft
Jul 18, 2019

ashro2 : Thanks for the clarifying question, but no, the issue will not replicate if you have a hybrid setup and are joining your virtual machines to the domain that is syncing up the users with Azure AD Connect. The primary issue lies in the SID check, and that Azure AD DS creates a new SID (by design) for the users that it creates on the managed domain services instance.

ashro2's avatar
ashro2
Copper Contributor
Jul 19, 2019

Christian_Montoya 

Thanks   i came to the same conclusion when looking ate the object SID in AAD and Azure DS and the Mismatch. i have 2 comments 

1. this check was introduced recently because this scenario was working before , is it possible to trun off this check of the SID? I saw the feedback on the form suggested moving the pool to validation pool where you deployed a fix for the issue but looks like that is not working as well. so is there a way to trun off this check i can do in my side?

 

2. is there a way to modify the Azure DS object SID to match AAD ? we don't have much control over the object in Azure DS I realized ?

 

it will be great if we can manually turnoff this SID check manually at least for testing

  • Christian_Montoya's avatar
    Christian_Montoya
    Icon for Microsoft rankMicrosoft
    Jul 19, 2019

    ashro2 : Unfortunately, it's not quite as simple as turning off the check since this check was implemented to stabilize the reconnection scenarios so that users get redirected back to a previously existing session (as opposed to get a new session).

     

    I'm not sure if there's a way to manipulate the SIDs, but we're investigating all possible options right now.

     

    Thank you for the feedback and dialogue though. We want to unblock testing, but also do not want to leave users in a bad state.

    • Bazam Chekrian Valappu's avatar
      Bazam Chekrian Valappu
      Copper Contributor
      Jul 23, 2019

      Christian_Montoya So no workaround for this scenario since the SID check is active now and according to you no ETA too. that's a bit disappointing! 

      • Christian_Montoya's avatar
        Christian_Montoya
        Icon for Microsoft rankMicrosoft
        Jul 23, 2019

        Bazam Chekrian Valappu : Yes, we solved one failing behavior but now it's hindering another, but definitely working to achieve both.

Resources