Forum Discussion
GuyMathieuSupport
Jul 07, 2023, Copper Contributor
Azure Virtual Desktop authentication loop
Hello, I have created my first Azure Virtual Desktop deployment. When I try to connect to a session host using the Azure Virtual Desktop Preview client, I get in an authentication loop where I ge...
MathieuVandenHautte
Jul 09, 2023, Steel Contributor
Hi GuyMathieuSupport,
Can you try this action plan?
1. Rename the folder "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" to "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old"
2. Log in to Windows. A clean Microsoft.AAD.BrokerPlugin folder should be created
3. Try to sign in again
Please note that renaming this folder requires the user to be logged off. The renaming can for example be done via another (administrative) account.
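The rename step above, written out as an added PowerShell example (not code from the original reply). It assumes the affected user's profile lives under C:\Users\<username> and that the script is run from a separate administrative account; the user name is a parameter. One detail worth knowing when doing this from another account: %localappdata% expands to the profile of the account running the command, not the affected user's, so the path is built explicitly.

```powershell
# Added example (not from the original post): rename the AAD broker plugin package
# folder of a specific user from another (administrative) account, as the reply
# describes. Assumption: the user's profile is under C:\Users\<UserName> and the
# user is fully signed out, since the folder is in use while the account is logged on.
param(
    [Parameter(Mandatory)] [string]$UserName
)

# %localappdata% would resolve to the *current* (admin) profile, so build the
# affected user's path explicitly.
$packages = Join-Path "C:\Users\$UserName" 'AppData\Local\Packages'
$folder   = Join-Path $packages 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$renamed  = "$folder.old"

# Refuse to proceed while the user still has a session on this host.
# quser lists logged-on users; the active session is prefixed with '>'.
$sessions = (quser 2>$null) -join "`n"
if ($sessions -match "(?im)^\s*>?$([regex]::Escape($UserName))\s") {
    throw "User '$UserName' still has a session on this host; sign them out first."
}

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Warning "Broker plugin folder not found for '$UserName': $folder"
    return
}
if (Test-Path -LiteralPath $renamed) {
    throw "'$renamed' already exists from an earlier attempt; move it aside before retrying."
}

# Rename rather than delete, so the change can be rolled back if it does not help.
Rename-Item -LiteralPath $folder -NewName (Split-Path $renamed -Leaf) -ErrorAction Stop
Write-Output "Renamed '$folder' to '$renamed'. Have the user sign in so Windows recreates a clean folder."
```

Run it as `.\Rename-BrokerPluginFolder.ps1 -UserName alice` (script name is arbitrary) from the administrative session; the quser check is what enforces the "user must be logged off" requirement from the reply.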
GuyMathieuSupport
Jul 10, 2023, Copper Contributor
MathieuVandenHautte Thanks for the quick response. I renamed the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy directory using a local administrator account while the user was not logged in. Unfortunately, it did not solve my problem. I still can't log in on an Azure Virtual Desktop.
MathieuVandenHautte
Jul 10, 2023, Steel Contributor
Hi GuyMathieuSupport,
Can you check the event viewer logs on the Windows clients for error codes regarding the Azure Virtual Desktop Client?
I would also recommend using the GA Azure Virtual Desktop Client in production (not the Microsoft Store public preview version):
https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows
If this does not solve the issue, please contact Azure support. They can run extended diagnostics in the backend to determine the cause of your issue.
GuyMathieuSupport
Jul 10, 2023, Copper Contributor
Using the GA client does not solve the problem. There is no error in the Event Viewer on the client. I can only log on with the local admin account. To do so, I need to disable Azure AD SSO.
I notice that an Event ID 4625 is logged in the Security event log of the VM every time I try to connect with an Azure AD account. The Failure Information of the event is:
Failure reason: An Error occured during Logon
Status: 0xC000006D
Sub Status: 0xC0000250
I have not found any useful information regarding the SubStatus. (https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625)
I am unable to log on with an Azure AD account even when SSO is disabled. I tried these different ways to enter the username, and none are working:
- email address removed for privacy reasons
- AzureAD\email address removed for privacy reasons
- tenant.onmicrosoft.com\email address removed for privacy reasons
- tenant.onmicrosoft.com\email address removed for privacy reasons
I know the VM is Azure AD joined as there is a device object in AzureAD that has the name of the SessionHost. There is a "Client Authentication" certificate issued by "MS-Organization-Access" which is issued to the GUID corresponding to the Device ID of the VM's device object in Azure AD.
The user is a member of the "Remote Desktop Users" local group in the VM.
As you have suggested, I'll contact Microsoft to try to solve this issue.
Thanks for your time MathieuVandenHautte
EtienneBarnardt
Aug 14, 2023, Copper Contributor
Did you manage to resolve this? Exactly the same issue in every way.
All works if you disable SSO
Checked and rechecked all requirements for SSO, e.g. the Kerberos server.
It goes into an authentication loop.
Did exclude Azure Virtual Desktop VM and RDP from GA.
Did check SSO pre-requisites
Configured Virtual Machine User Login for Azure AD join AVD
Checked hostpool and have rdsaadauth:i:1 & targetisaadjoined:i:1 under advanced
My test account is not a protected user in AD and has no admin roles - it's a normal user
Driving me nuts
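For anyone chasing the same symptom (the 4625 events with Status 0xC000006D / SubStatus 0xC0000250 that GuyMathieuSupport reported, which EtienneBarnardt describes as identical), here is an added PowerShell example, not from anyone in the thread, that pulls the recent 4625 failures from the session host's Security log, breaks out the status codes, logon type and target account, and counts how many match that pattern. It assumes it is run elevated on the session host; the time window is a parameter.

```powershell
# Added example (not from the original thread): summarise recent 4625 logon
# failures on the session host so the Status/SubStatus pair described in the
# thread can be spotted and correlated with connection attempts.
# Assumption: run in an elevated session on the session host (Security log access).
param(
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no rows".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The XML view exposes EventData as Name/value pairs, which is easier than
    # parsing the rendered message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        AuthPackage = $data['AuthenticationPackageName']
    }
}

# The combination reported in the thread. -eq is case-insensitive, so the
# lowercase hex that the XML carries matches either spelling.
$loopPattern = @($rows | Where-Object {
    $_.Status -eq '0xC000006D' -and $_.SubStatus -eq '0xC0000250'
})

$rows | Sort-Object Time | Format-Table -AutoSize
Write-Output ("{0} of {1} logon failures in the last {2}h match Status 0xC000006D / SubStatus 0xC0000250" -f $loopPattern.Count, @($rows).Count, $Hours)
```

Seeing which logon type, workstation name and authentication package accompany the failing entries is usually more informative than the status pair on its own, and the table is also what Azure support will ask for when they run their backend diagnostics.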