User can't log in when UserPrincipalName is reused due to Azure AD delete+add

Johan_Eriksson
Contributor

Scenario:

1. Add user a@mysite.com in Azure AD; it is replicated to Azure AD DS and gets SID X

2. Add user to app group

3. User logs in successfully (required for error to occur in step 8)

4. Remove user from app group

5. Delete user a@mysite.com in Azure AD

6. Add a@mysite.com in Azure AD again; it is replicated to Azure AD DS and gets SID Y

7. Add user to app group

8. User can't log in because he logged in with SID Y from step 6 and WVD remembers SID X from step 1

 

This feels like a bug in WVD. Is there some workaround that allows me to tell WVD that the old SID is no longer active? 

 

PS C:\Users\johan> (Get-RdsDiagnosticActivities -TenantName "not-my-tenant-name" -ActivityId masked-activity-id -Detailed).Errors


ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : User a@mysite.com: SID information in the database
'X' does not match SID information returned by agent
'Y' in the orchestration reply.. This scenario is not
supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 10/10/2019 9:06:20 AM
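The diagnostic record above is the only signal WVD gives for this condition, so an admin who suspects other recreated accounts are affected has to sift the error list for the same symbolic code and pull the two SIDs out of the message text. The following PowerShell is an added example, not code from the thread or from Microsoft: it assumes error objects shaped like the `.Errors` output shown in the post (properties `ErrorSource`, `ErrorCodeSymbolic`, `ErrorMessage`, `Time`), and the sample records and SID values in it are constructed placeholders.

```powershell
# Added example (not part of the original thread): flag WVD connection failures
# caused by a SID mismatch and extract the cached SID vs. the SID the agent
# now reports, so recreated accounts can be identified from the diagnostics.

function Get-SidMismatchFailures {
    param(
        # Error records with ErrorCodeSymbolic / ErrorMessage properties,
        # e.g. (Get-RdsDiagnosticActivities -TenantName <t> -Detailed).Errors
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Errors
    )
    process {
        foreach ($e in $Errors) {
            if ($e.ErrorCodeSymbolic -ne 'ConnectionFailedUserSIDInformationMismatch') { continue }

            # Message layout as shown in the post:
            # "User <upn>: SID information in the database '<old>' does not match
            #  SID information returned by agent '<new>' in the orchestration reply.."
            # Console wrapping may insert line breaks, so whitespace is normalised first.
            $pattern = "User\s+(?<upn>\S+):\s+SID information in the database\s*'(?<old>[^']+)'\s+" +
                       "does not match SID information returned by agent\s*'(?<new>[^']+)'"
            $text = ($e.ErrorMessage -replace '\s+', ' ')
            $m = [regex]::Match($text, $pattern)
            if (-not $m.Success) { continue }

            [pscustomobject]@{
                User      = $m.Groups['upn'].Value   # UPN that was deleted and re-added
                CachedSid = $m.Groups['old'].Value   # SID WVD still has in its database
                AgentSid  = $m.Groups['new'].Value   # SID the session host agent sees now
                Time      = $e.Time
                Source    = $e.ErrorSource
            }
        }
    }
}

# Constructed sample records mirroring the output in the post; SIDs are placeholders.
$sample = @(
    [pscustomobject]@{
        ErrorSource       = 'RDBroker'
        ErrorOperation    = 'OrchestrateSessionHost'
        ErrorCode         = -2146233088
        ErrorCodeSymbolic = 'ConnectionFailedUserSIDInformationMismatch'
        ErrorMessage      = "User a@mysite.com: SID information in the database`n" +
                            "'S-1-5-21-PLACEHOLDER-OLD' does not match SID information returned by agent`n" +
                            "'S-1-5-21-PLACEHOLDER-NEW' in the orchestration reply.. This scenario is not`n" +
                            "supported - we will not be able to redirect the user session."
        Time              = [datetime]'2019-10-10 09:06:20'
    },
    [pscustomobject]@{
        ErrorSource       = 'RDBroker'
        ErrorOperation    = 'OrchestrateSessionHost'
        ErrorCode         = 0
        ErrorCodeSymbolic = 'UnrelatedErrorForContrast'   # constructed, should be ignored
        ErrorMessage      = 'not a SID mismatch'
        Time              = [datetime]'2019-10-10 09:07:00'
    }
)

# Expect exactly one row: a@mysite.com with the OLD and NEW placeholder SIDs.
$sample | Get-SidMismatchFailures | Format-Table -AutoSize

# Live use (assumes the RDS PowerShell module from the post is installed and you are signed in):
# (Get-RdsDiagnosticActivities -TenantName '<your-tenant>' -Detailed).Errors | Get-SidMismatchFailures
```

The function deliberately matches on `ErrorCodeSymbolic` before parsing, so unrelated broker errors never reach the regex, and it returns objects rather than text so the result can be piped into `Export-Csv` or compared against a list of recently recreated Azure AD users when checking who is affected by the cached-mapping issue the reply below describes.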

1 Reply

@Johan_Eriksson : This is related to this article: https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Announcement-Connectivity-issues-from... . Essentially, since it's a new user account, the user gets a new SID but it collides with a cached mapping we had.

 

We're working on a fix that will be out this month.
