Forum Discussion
"username and password incorrect" error in the session host deployed with AVD Entra ID Joined
I found an error in the session host deployed with AVD with Entra ID joined recently.
When a user tries to connect to the session host for the first time using Remote Desktop Client or Webclient, they are not connected and receive a message “username and password incorrect”.
However, they can connect to the session host normally from the second connection.
This problem was first discovered in the customer’s tenant.
I also confirmed that this problem was reproduced in several of my test tenants.
I tried various troubleshooting methods to solve the problem, but it was not resolved.
I have opened an MS case to investigate the issue.
According to the MS engineer’s response, this issue has been confirmed by many people, and they are currently taking measures to resolve the issue.
Has anyone experienced this problem? And has anyone found a solution?
5 Replies
I am sharing the response I received from my request for support from Microsoft
• The eSTS BRS rollout was completed on Friday evening (12/01) to revert the feature rolled out on early October, which skipped writing the DPAPI encryption key to the old property.
• The remaining failures seem to be related to replication delays in MSODS, which is getting auto-mitigated after a while.
• ESTS provisions a DPAPI-enc key for AAD User via MsGraph and the update may take some time to reflect for DPX. After replication gets completed, the issue should stop occurring.
• For new users, the re-authentication prompt might be expected due to the usage of a temporary access pass (TAP) with one-time use only. The credential validity is limited, and a new re-auth needs to be performed with another valid credential after one-time use.
• No mitigation is required as the issue is getting auto-mitigated after a while. For new users, it is recommended to use a TAP that is not set as one-time, but rather time-bound, to avoid the re-authentication prompt.
It has been confirmed that the current problem symptom has been resolvedCan you check the Security logs in Event Viewer, and try it again with a test user without MFA?
this is recorded in the security log
I searched about this, but couldn't find anything that helped solve the problem
---------------------------------------------------------------------------------------------------
An account failed to log on.Subject:Security ID: SYSTEMAccount Name: test-sh-0$Account Domain: WORKGROUPLogon ID: 0x3E7Logon Type: 10Account For Which Logon Failed:Security ID: NULL SIDAccount Name: -Account Domain: -Failure Information:Failure Reason: An Error occured during Logon.Status: 0xC000006DSub Status: 0xC000023CProcess Information:Caller Process ID: 0x744Caller Process Name: C:\Windows\System32\svchost.exeNetwork Information:Workstation Name: -Source Network Address: 0.0.0.0Source Port: 0Detailed Authentication Information:Logon Process: User32Authentication Package: NegotiateTransited Services: -Package Name (NTLM only): -Key Length: 0This event is generated when a logon request fails. It is generated on the computer where access was attempted.The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).The Process Information fields indicate which account and process on the system requested the logon.The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.The authentication information fields provide detailed information about this specific logon request.- Transited services indicate which intermediate services have participated in this logon request.- Package name indicates which sub-protocol was used among the NTLM protocols.- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.The event is triggered because of either a bad username or authentication information. Likely it would be invalid authentication information, but not in the case if it works after the second try.
There is another way to extract logs or even to fix the issue:
- Login to Windows app remote web client (local login is not possible)
- Link -> https://windows.cloud.microsoft/
- Connect to the AVD and authenticate
- If the authentication fails, then you can extract a txt file from the extract logs option beneath the authentication failure pop-up
Reference:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625#:~:text=0XC000006D%20%E2%80%93%20%22This%20is%20either%20due%20to%20a%20bad%20username%20or%20authentication%20information%22%20for%20critical%20accounts%20or%20service%20accounts.%0AEspecially%20watch%20for%20a%20number%20of%20such%20events%20in%20a%20row.
- Login to Windows app remote web client (local login is not possible)
