06-28-2019 04:26 AM
We've been running WVD successfully for a few months, but since this morning my users cannot log in anymore. Not through the desktop and not through the webclient. The desktop client returns 'An internal error occurred' after logging in. The webclient has a cannot connect message (in Dutch). I've traced the connection failure via PowerShell to the two errors below. It seems my SID has changed somehow, but I cannot understand how:
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user ≤PRIVATE≥ with Id PRIVATE. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 28-6-2019 12:42:44
ErrorSource : Client
ErrorOperation : ClientRDPConnect
ErrorCode : 2147965400
ErrorCodeSymbolic :
ErrorMessage : Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.
ErrorInternal : True
ReportedBy : Client
Time : 28-6-2019 12:42:44
I've tried removing an RdsAppGroupUser and re-adding it, but the same error remains.
06-28-2019 05:09 AM
@gdglee We've exactly this same issue, we tried to open a case, but it's not supported for preview services :(
06-28-2019 05:25 AM
@P_haem good to know we're not the only ones.
06-28-2019 05:33 AM
@P_haem So were you able to resolve?
06-28-2019 09:48 AM
We are also experiencing this issue. @gdglee
07-01-2019 05:44 AM
@gdglee - Same thing on this end. Started happening around 2-3p EST on Friday 06/28. This host pool was perfectly fine prior to this.
07-01-2019 05:48 AM
We're having this issue as well. I can RDP into my WVD VMs, but trying to run published apps (browser or RDP shortcut) fails with a connection error.
07-01-2019 12:02 PM
Same here. This seems to be a widespread problem. For us started last week on Thursday.
07-01-2019 04:58 PM - edited 07-01-2019 05:13 PM
@gdglee: thank you for reporting this. We have introduced additional security checks when resolving user identities. In some environments this leads to restricted connectivity due to legacy set-ups. We are reviewing the issue and will update once a solution is available.
Please ensure that you follow as well the following best practice:
- Have a validation host pool set-up to escalate issues before they hit the majority of your users.
- Set-up service alerts to receive health advisories and notification for your subscription.
07-02-2019 01:53 AM
@Eva Seydl Thank you for your answer! Do you have any resolution date? And is there any way to go back to the previous version?
07-02-2019 06:28 AM
We are also having the same issue. Raised a ticket with the MS Support team, they said "We cannot not provide support for Windows Virtual Desktop because it’s in preview so unfortunately we cannot answer your questions, or assist with issues you are experiencing."
Also, I have received a Service alert from Microsoft "Windows Virtual Desktop - East US 2 - Exploring Mitigation" but there is no ETA as of now.
07-02-2019 07:10 AM
@Eva Seydl - so what do you suggest we do with host pools that are experiencing this issue in the meantime? We have a high visibility POC at a very large client that this is interrupting. Telling them their host pool is ruined and needs to be redeployed won't go over so well.
Will redeploying even fix this, without intervention on your side?
Additionally, can you provide some more detail on what these security checks are? Any details on what leads to this condition from a "legacy setup" perspective?
07-02-2019 09:08 AM
@Eva Seydl we're having the same issue as well on both existing host pools that were working properly and on a newly deployed host pool.
07-03-2019 12:17 AM - edited 07-03-2019 12:20 AM
@Eva Seydl - Would you do me a favor? We have redeployed 3 times to fix this, but that didn't fix it.....
07-03-2019 11:43 AM
Please set-up a validation pool as we have a fix deployed to the validation pools. Learn here how to set those up: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-validation-host-pool
We recommend to make use of Azure Service Health Alerts where you will be notified when the fix is available for production: https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-service-alerts
07-03-2019 11:44 AM
Solution 07-03-2019 12:30 PM
Hi @Eva Seydl that is good to know. I changed my hostpool to a validationenvironment. The agent is upgraded: AgentVersion : 1.0.833.5
Unfortunately I see the same behaviour still. Not able to connect, same error.
07-03-2019 12:50 PM
@Eva Seydl Unfortunately we cannot deploy to Validation ring because the machine fails to join the domain. We are using the same script as to deploy to prod ring (which has no issues to join the domain) with the only difference being the
15:10:25 - Resource Microsoft.Compute/virtualMachines/extensions 'rmrvwval4-0/joindomain' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain '{sanitized}.com'\"."
}
]
}
}'
07-03-2019 01:05 PM
@Deleted Please review our troubleshooting section under https://aka.ms/wvdpreview. We have articles on that as well.
07-03-2019 01:41 PM
@Eva Seydl I looked over the troubleshooting steps but none of it applies, we deploy to a new resource group in the same vnet, same region, same source image as our production ring. If I create the new host pool with -ValidationEnv $False flag then there is no problem with domain join, and the only issue is the SID error on connection.
07-03-2019 10:29 PM
@Eva Seydl Awesome, it worked perfectly.
Thanks for the quick fix.
07-04-2019 04:24 AM
@Eva Seydl I created a new hostpool as validationenvironment, to see if that would make difference. The agent is 1.0.833.5 but the error remains the same. In an earlier reply you mentioned a legacy setup. Could you elaborate on that? What could we setup differently to make this work again?
Thanks, Gerrit
07-06-2019 10:18 PM
We were able to set up the validation hostpool, but the internal error occurred message still pops up. @Eva Seydl
07-07-2019 11:53 PM - edited 07-08-2019 12:52 AM
Maybe relevant to know from our setup. Users created in the Azure AD as cloud only are able to connect, users synchronized from our on-premise AD are not.
07-08-2019 10:34 AM
@JanPijnacker @Eva Seydl This is true for us as well.
07-09-2019 08:16 AM
@Eva Seydl - anything new on this? All of my client's IDs are sourced from on-prem AD > AADC > AAD. The error remains on my existing pools, and based on the feedback here - suspect it will with a validation pool deployment. Moving to cloud only IDs isn't really an option.
Can you provide any more detail on what leads to this condition?
07-09-2019 08:19 AM - edited 07-09-2019 08:20 AM
This started working for me yesterday without any intervention on our part. I did notice that the RDS Infrastructure Agent updated on 7/3/19 to 1.0.833.5
07-09-2019 09:42 AM
@Eva Seydl This is still not working for us in either validation pool or production pool. These are the agent versions installed on my VM.
Remote Desktop Services Infrastructure Agent Microsoft Corporation 1.0.833.5
Remote Desktop Services SxS Network Stack Microsoft Corporation 1.0.1904.29002
Remote Desktop Agent Boot Loader Microsoft Corporation 1.0.0.0
Remote Desktop Services Infrastructure Geneva Agent Microsoft Corporation 42.3.9
Remote Desktop Services Infrastructure Agent Microsoft Corporation 1.0.0.1462
07-09-2019 06:31 PM
@richiewrt I just had the same thing happen on this end. I'm super interested to see the RCA for this.
07-11-2019 04:33 AM - edited 07-11-2019 04:35 AM
@Eva Seydl
For us it's the same as for the others. Only some InCloud accounts are able to access Virtual Desktop. The validation pool is set up. InCloud as well as AAD synced Accounts get the following error:
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user
≤Firstname.Surname@domain.com≥ with Id xxxxxxxx-yyyy-zzzz-xxxx-xxxxyyyyzzzz. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 11.07.2019 10:42:56
07-13-2019 08:14 AM
@Eva Seydl Is there any news on the fix? We're unfortunately dead in the water here with synced accounts.
07-14-2019 04:10 PM
Please review our troubleshooting guide for domain join issues: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-set-up-issues
07-15-2019 07:24 PM
Do we know if there is a fix for this yet? I have installed a new Validation Pool and still the same error. My agent is 1.0.833.5
07-16-2019 12:20 PM
@Eva Seydl It's been 2.5 weeks now. Can you get some ETA on the fix for this problem? Neither validation nor production environment works!!
TenantGroupName : Default Tenant Group
HostPoolName : MyTest_HostPool
FriendlyName : My Test Host Pool
Description :
Persistent : False
CustomRdpProperty :
MaxSessionLimit : 999999
LoadBalancerType : BreadthFirst
ValidationEnv : True
Ring :
Still getting the same SID error:
ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the
orchestration reply from the agent for user ≤rhythmnewt@rhythmnewt.com≥ with Id
85a45a4c-413d-4074-2e41-08d6e4d9abe8. This scenario is not supported - we will not be able to
redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/16/2019 3:08:54 PM
User activity log
ActivityId : 10dd46a2-4836-49f1-8f89-face053b0000
ActivityType : Connection
StartTime : 7/16/2019 3:08:54 PM
EndTime : 7/16/2019 3:08:54 PM
UserName : rhythmnewt@rhythmnewt.com
RoleInstances : mrs-eus2r0c001-rdgateway-prod::RD2818785C114D;mrs-eus2r0c002-rdbroker-prod::RD2818788A0588;≤rmrvw-0
.rhythmnewt.com≥
Outcome : Failure
Status : Completed
Details : {[ClientOS, ], [ClientVersion, ], [ClientType, ], [PredecessorConnectionId, ]...}
LastHeartbeatTime : 7/16/2019 3:10:26 PM
Checkpoints : {LoadBalancedNewConnection, TransportConnecting, TransportConnected, RdpStackDisconnect...}
Errors : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}
07-16-2019 04:38 PM
@rhythmnewt We would like to understand more about your domain setup. We observe that the SID which the VM resolves the user to doesn't match the SID we are getting from his AAD token. Can you please give a brief overview of your domain setup and how it is connected to AAD? Do you have multiple domains?
07-16-2019 04:44 PM
Do we know if there is a fix for this yet? I have installed a new Validation Pool and still the same error. My agent is 1.0.833.5
07-16-2019 05:24 PM
@Roop_WVD I sent you identifiable details about my user account and domain in a PM.
My setup is as follows: On-Prem AD -> AD Sync -> AAD -> Azure ADDS
I do have password write-back enabled.
I do NOT have multiple On-Prem AD instances.
I do have multiple stand-alone AAD (cloud-only) instances.
VM in question is domain-joined to my Azure ADDS instance and I have no problem authenticating into it with my domain credentials.
Thank you for looking into this.
07-17-2019 03:40 AM
@Roop_WVD I hope you look into this in a more general way, as we are many with the same problem... Our setup is exactly the same as @rhythmnewt , so please express your findings here for us all to see.. :)
07-17-2019 09:44 AM
@rhythmnewt Thanks for sharing this detail. It's very helpful to understand the setup. We have recently introduced a change where we need user SIDs from VM and token to match before we allocate a session. There seems to be a case with AADDS where they may not always match. We are currently investigating how we handle these scenarios. I will keep you posted on progress.
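The comparison described in the reply above (the SID the VM resolves for the user versus the SID held for that user in the directory) can be checked by hand on a session host. This is an added example, not part of the original thread and not Microsoft's code; the function name `Compare-UserSid`, its parameters and the sample values are hypothetical, and the thread does not say which directory attribute the service reads, so the directory SID is passed in by the administrator.

```powershell
# Added illustration: run on a domain-joined session host.
function Compare-UserSid {
    [CmdletBinding()]
    param(
        # UPN the user signs in with.
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # SID recorded for the same user in the directory.
        # Assumption: looked up separately by the admin and passed in as a string.
        [Parameter(Mandatory)][string]$DirectorySid
    )

    # Ask Windows on this VM to resolve the UPN to a SID.
    try {
        $account = [System.Security.Principal.NTAccount]::new($UserPrincipalName)
        $vmSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "This VM cannot resolve '$UserPrincipalName' to a SID."
    }

    # Parse the directory value so malformed input fails here, not in the comparison.
    $dirSid = [System.Security.Principal.SecurityIdentifier]::new($DirectorySid)

    # AccountDomainSid is the SID without the trailing RID. If it differs, the
    # two SIDs were issued by different domains, not just different accounts.
    [pscustomobject]@{
        User          = $UserPrincipalName
        VmSid         = $vmSid.Value
        DirectorySid  = $dirSid.Value
        SameDomainSid = $vmSid.AccountDomainSid.Value -eq $dirSid.AccountDomainSid.Value
        Match         = $vmSid.Value -eq $dirSid.Value
    }
}

# Constructed sample values, not taken from the thread:
# Compare-UserSid -UserPrincipalName 'user@contoso.example' `
#     -DirectorySid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

A result with `Match` false for a synced account and true for a cloud-only account would be consistent with the pattern reported earlier in the thread.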
07-17-2019 09:47 AM
@Mtollex70 : Thanks for letting us know that you have similar setup and yes we will look into it in a general way.
@Mtollex70 wrote:
@Roop_WVD I hope you look into this in a more general way, as we are many with the same problem... Our setup is exactly the same as @rhythmnewt , so please express your findings here for us all to see.. :)
07-17-2019 03:55 PM
We have identified a bug when you are in this setup. This is now documented here: https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Announcement-Connectivity-issues-from... . We are actively working to fix this.
07-18-2019 01:55 AM
@Roop_WVD Glad to hear there is a fix underway. Can you provide us at least a rough ETA please? We are currently investigating moving some of our systems to WVD but right now our investigations and POCs have had to go on hold because of the broken resource templates and now this.
Can you also please comment as to when this service will be covered under full support and SLA if clients such as ourselves are looking to go to market?
Thanks in advance
Mark