Forum Discussion

GuyMathieuSupport
Copper Contributor
Jul 07, 2023

Azure Virtual Desktop authentication loop

Hello,

I have created my first Azure Virtual Desktop deployment. When I try to connect to a session host using the Azure Virtual Desktop Preview client, I get into an authentication loop where I am prompted to select my Azure AD account.

The problem is similar to what is documented here https://github.com/MicrosoftDocs/azure-docs/issues/107537 with the exception that my account is not a member of the local Administrators group and that I am in a pure Azure AD environment (there is no on-prem ADDS or Azure ADDS in my technological environment).

Here are the details of my setup:

In Azure AD web console:

- Created UserGroup1

- Added User1 to UserGroup1

- Assigned "Virtual Machine User Login" role to UserGroup1 on Resource group where the below Azure Virtual Desktop resources are created.


- Created a Hostpool (Personal desktop)

- Added 2 Session host to Hostpool (Azure AD Joined, Intune enrolled, Automatic user assignment)


- Created Application group

- Assigned Application group to Hostpool

- Assigned a UserGroup1 to Application group


- Created a Workspace

- Assigned Application group to Workspace


- Selected "Connection will use Azure AD authentication to provide single sign-on" in Connection information tab of RDP Properties of Hostpool

- Added targetisaadjoined:i:1 in Advanced tab of RDP Properties of Hostpool


On client computer:

- Installed Azure Virtual Desktop Preview app from Microsoft Store (version 1.2.4419.0)

- Launched Azure Virtual Desktop Preview app (connected to Workspace automatically, Session host appears)

- Tried to access Session host (At this point, I enter in an authentication loop where I have to select my Azure AD account.)


- Launched Microsoft Edge (Azure AD account profile selected)

- Accessed https://client.wvd.microsoft.com/arm/webclient/v2/index.html (connected to Workspace automatically, Session host appears)

- Tried to access Session host (At this point, I get the "Sign in failed. Please check your username and password and try again." error message. I am unable to enter other credential information since SSO is enabled. Access to other web resources using Azure AD SSO is working, proving that my credential information is OK.)

Things I have checked:

- User1 gets automatically assigned to the first Session host in the Host pool

- I can log on using the local Virtual Machine administrator if I disable Azure SSO by selecting "Connection will not use Azure AD single sign-on" in Connection information tab of RDP Properties of Hostpool

- Legacy per-user multi-factor authentication sign-in method is disabled

- Azure Windows VM Sign-In (372140e0-b3b7-4226-8ef9-d57986796201) and Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) are excluded from MFA Conditional Access policy (logs do not show that the user authentication is blocked by MFA)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID=1 on Session host and client computer

- Session host can reach the URL listed in the "Troubleshoot deployment problems" section of https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

- Client computer meets the requirements described in the "Access Azure AD-joined VMs" section of https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts

- Intune does not apply any configuration on Session host (Session host shows as compliant in Intune console)

I perused Microsoft documentation, and I cannot find why SSO connection to Session host is not working with the setup described above. Does anyone know which configuration might be missing?

Thanks

10 Replies

  • Fishburner
    Copper Contributor

    My reason for this problem was that I mistakenly attached, in Access control (IAM), the role "Virtual Machine Local User Login", which was wrong.

    After I attached the correct role "Virtual Machine User Login" (without the "local") this issue was solved for me.

    Best regards Gabriel
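    Added example, not posted by anyone in this thread: a PowerShell check for the two settings the original post and Gabriel's reply turn on, namely which "Virtual Machine ... Login" role UserGroup1 holds on the resource group and whether the host pool's custom RDP properties carry targetisaadjoined:i:1. It assumes the Az.Resources and Az.DesktopVirtualization modules are installed, Connect-AzAccount has been run, and that the host pool object exposes its RDP string as CustomRdpProperty (an assumption); the registry function is meant to be run locally on the session host or client.

```powershell
# Added example (not from this thread). Assumes Az.Resources and
# Az.DesktopVirtualization are installed and Connect-AzAccount has run.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$HostPoolName,
    [Parameter(Mandatory)][string]$GroupObjectId   # Azure AD object ID of UserGroup1
)

$required  = 'Virtual Machine User Login'        # role the AVD user group needs
$lookalike = 'Virtual Machine Local User Login'  # similar name, did not work in Gabriel's case

# 1. RBAC: what did the group actually get on the resource group?
$roles = Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName -ObjectId $GroupObjectId |
         Select-Object -ExpandProperty RoleDefinitionName

if ($roles -contains $required) {
    Write-Output "OK: '$required' is assigned to $GroupObjectId on $ResourceGroupName"
} else {
    Write-Warning "MISSING: '$required' is not assigned to $GroupObjectId on $ResourceGroupName"
    if ($roles -contains $lookalike) {
        Write-Warning "Found '$lookalike' instead; this is the role mix-up described in the thread"
    }
}

# 2. Host pool RDP properties: the post adds targetisaadjoined:i:1 for Azure AD joined hosts.
# CustomRdpProperty as the property name is an assumption of this example.
$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$rdp  = [string]$pool.CustomRdpProperty
Write-Output "Custom RDP properties on ${HostPoolName}: $rdp"
if ($rdp -notmatch 'targetisaadjoined:i:1') {
    Write-Warning "targetisaadjoined:i:1 is not set on host pool $HostPoolName"
}

# 3. Local check (run on the session host or client, not against Azure):
# the AllowOnlineID value the original post verified under Lsa\pku2u.
function Test-Pku2uAllowOnlineId {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $val = (Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID
    if ($val -eq 1) { Write-Output "OK: $key\AllowOnlineID = 1" }
    else { Write-Warning "AllowOnlineID is '$val' under $key (expected 1)" }
}
```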

  • mccannjake
    Copper Contributor
    Hi,

    I had the same issue, and I needed to exclude the application "Azure Windows VM Sign-In" from some of my conditional access policies. (For me, it was limiting to trusted IPs.)

    https://cloudbrothers.info/en/the-case-of-signin-method-isnt-allowed/
  • Hi GuyMathieuSupport,

    Can you try this action plan?

    1. Rename the folder "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" to "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old"
    2. Log in to Windows. A clean Microsoft.AAD.BrokerPlugin folder should be created
    3. Try to sign in again

    Please note that renaming this folder requires the user to be logged off. The renaming can for example be done via another (administrative) account.

    • GuyMathieuSupport
      Copper Contributor

      MathieuVandenHautte Thanks for the quick response. I renamed the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy directory using a local administrator account while the user was not logged in. Unfortunately, it did not solve my problem. I still can't log in on an Azure Virtual Desktop.

      • MathieuVandenHautte
        Iron Contributor

        Hi GuyMathieuSupport,

        Can you check the event viewer logs on the Windows clients for error codes regarding the Azure Virtual Desktop Client?

        I would also recommend using the GA Azure Virtual Desktop Client in production (not the Microsoft Store public preview version):
        https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows

        If this does not solve the issue, please contact Azure support. They can run extended diagnostics in the backend to determine the cause of your issue.
