SOLVED

AVD: Authentication fails for AAD user (but works for local admin)


I've set up a basic AVD scenario with a personal host pool and a single VM which was defined to be AAD joined.

dsregcmd /status

confirms it worked and the device shows up in AAD and MEM as joined.

The user is a cloud-only account, has an M365 E5 license and is global admin. The "Virtual Machine Administrator Login" role was given in addition - just to be sure. He was assigned to the application group containing the "SessionDesktop" application.

The Web Client shows the application, but login doesn't work:

[screenshot: CleanShot 2021-12-02 at 14.04.03.png]

The macOS Remote Desktop client can find the app, but won't connect either:

[screenshot: CleanShot 2021-12-02 at 14.02.26.png]

Here is what I tried and the related result:

  • Disabling NLA on the VM and restarting: no change
  • Logging in as local admin using the AVD Web / macOS client: works
  • Logging into the machine as the target user directly via RDP: works

The last one is especially interesting. From my limited understanding it seemed that the "AVD gateway component" was blocking a login with the AAD user. So I logged into the VM again and had a look at the event log. The interesting events were these two errors:

[screenshot: CleanShot 2021-12-02 at 14.14.26.png]

[screenshot: CleanShot 2021-12-02 at 14.17.07.png]

Do you have any idea why I can't log into the machine using the AVD feed or web client when using my AAD cloud-only user - but why it works when I directly log into the VM using the exact same user and "AzureAD\my-up" as username?

Thanks in advance!

4 Replies
Did you add the targetisaadjoined property in the advanced RDP properties? Without this it won't work.
I can't add anything in the web client, and neither when adding the feed URL to the RDP Client (or can I?)
best response confirmed by thewilli (Occasional Contributor)
Solution
Check this link. It's mentioned here:
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure...
You need to add an RDP property on the host pool that has the session host in it.
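As an added example (not part of the thread), this is how the fix from the accepted answer can be applied and verified from PowerShell with the Az.DesktopVirtualization module: read the host pool's existing custom RDP properties, append targetisaadjoined:i:1 only if it is missing, and re-read the host pool to confirm. The resource group and host pool names are placeholders.

```powershell
# Added example: ensure the host pool's custom RDP properties contain
# targetisaadjoined:i:1 so AAD-joined session hosts accept cloud-only users
# connecting through the AVD feed or web client.
# Requires Az.Accounts and Az.DesktopVirtualization, and a prior Connect-AzAccount.
$ResourceGroupName = 'rg-avd-example'    # placeholder
$HostPoolName      = 'hp-personal-aad'   # placeholder
$RequiredProperty  = 'targetisaadjoined:i:1'

$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

# CustomRdpProperty is a single ';'-separated string, e.g. "audiomode:i:0;drivestoredirect:s:;"
$existing = @()
if ($hostPool.CustomRdpProperty) {
    $existing = $hostPool.CustomRdpProperty.TrimEnd(';') -split ';' | Where-Object { $_ }
}

if ($existing -contains $RequiredProperty) {
    Write-Host "Host pool '$HostPoolName' already has $RequiredProperty"
} else {
    # Drop any existing targetisaadjoined value before appending the required one,
    # so a stale targetisaadjoined:i:0 cannot contradict it
    $kept     = $existing | Where-Object { $_ -notlike 'targetisaadjoined:i:*' }
    $newValue = (@($kept) + $RequiredProperty -join ';') + ';'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty $newValue | Out-Null
    Write-Host "Set CustomRdpProperty on '$HostPoolName' to: $newValue"
}

# Re-read the host pool to confirm the change was stored
(Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
```

Clients pick the new property up on their next feed refresh, so re-subscribe or refresh the web client before retesting the AAD user login.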
That resolved my issue, thank you very much!