Azure AD joined and DomainJoinedCheck failed

Hello,

I created an Azure Virtual Desktop environment with a connection to Azure AD.

But the session host is shown as unavailable in the environment.

Inside the health checks:

{
    "healthCheckName": "DomainJoinedCheck",
    "healthCheckResult": "HealthCheckFailed",
    "additionalFailureDetails": {
        "message": "SessionHost unhealthy: SessionHost is not joined to a domain",
        "errorCode": -2147467259,
        "lastHealthCheckDateTime": "2021-07-20T12:05:23.3158494Z"
    }
}

Thanks for your support.

Hi @Stefan Kießig,
Did you set the validation environment to Yes?
Are the session hosts 20H2?

Hello Johan Vanneuville,

The validation environment is set to No.
The session hosts are 20H2.

Hey Stefan Kießig,
Change your host pool to Validation Environment "Yes". Without it the feature won't work.

Hey Johan Vanneuville,

I started all over and redeployed it with "Validation Environment" set to Yes.
But still the same problem.

Hey @Stefan Kießig,
what do you get if you do a dsregcmd /status on the machine?

Hey Johan Vanneuville,

These are the results:


+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : VDI-0

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

DeviceId : remove ID
Thumbprint : remove Thumbprint
DeviceCertificateValidity : remove Certificate
KeyContainerId : remove ContainerID
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

TenantName :
TenantId : remove TenantID
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/"TenantID"/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/"TenantID"/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/"TenantID"/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/"TenantID"/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : NO
AzureAdPrtAuthority :
EnterprisePrt : NO
EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

AadRecoveryEnabled : NO
Executing Account Name : VDI-0\VDI
KeySignTest : PASSED

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors

I can log in only with the local administrator account. I cannot log in with my Azure AD account.

Did you give the user the Virtual Machine user role? Also, the RDP advanced property needs to be filled in so that the host pool knows that the session host is AAD joined.
Can you please explain these steps?

Is the RDP advanced property in the RDP settings inside the machine?
Thank you for the blog post.
I will delete the environment again today and recreate it based on your environment.

I will then report here.
With my creation, I have created the VM with the same.

@Johan Vanneuville

In your blog you use two security principals (WVD HostPool and WVD Users). Are these Azure AD groups?

After going through the blog article, I had the problem for a few minutes. After about 5 minutes the machine was available.

Thank you very much for your help.

Where do I find the "Network security: Allow PKU2U authentication requests to this computer to use online identities" setting?

Those groups are AAD groups indeed.
For the PKU2U:
Locally on the session host:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u -> confirm AllowOnlineID is set to 1
Via GPO:
GPO path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Policy: Network security: Allow PKU2U authentication requests to this computer to use online identities

State: Enabled
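As an added diagnostic (not code from this thread or from Microsoft), the following PowerShell ties the two checks above together on the session host: it reads the pku2u AllowOnlineID value from the registry path Johan gives and parses the "Name : Value" lines of dsregcmd /status in the format Stefan posted. The function names are mine; the registry path, value name and dsregcmd field names come from the thread.

```powershell
# Added diagnostic, not from the thread. Run on the AVD session host.
function Get-Pku2uOnlineIdState {
    # Registry key and value name exactly as given in the thread.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $item = Get-ItemProperty -Path $key -Name 'AllowOnlineID' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }          # value never set: policy not applied
    if ($item.AllowOnlineID -eq 1) { return 'Enabled' } # the state the thread asks for
    return 'Disabled'
}

function Get-DsregJoinState {
    # dsregcmd /status prints "Name : Value" lines; box-drawing and header lines
    # contain no colon and are skipped. Values such as URLs may contain colons,
    # so only the first colon separates name from value.
    $raw   = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $state[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $state
}

$pku2u = Get-Pku2uOnlineIdState
$join  = Get-DsregJoinState

# For an Azure AD-joined (not domain-joined) session host the expected picture is
# AzureAdJoined = YES, DomainJoined = NO, and PKU2U online identities enabled.
[pscustomobject]@{
    AzureAdJoined      = $join['AzureAdJoined']
    DomainJoined       = $join['DomainJoined']
    DeviceAuthStatus   = $join['DeviceAuthStatus']
    AzureAdPrt         = $join['AzureAdPrt']
    Pku2uAllowOnlineID = $pku2u
    Ready              = ($join['AzureAdJoined'] -eq 'YES' -and $pku2u -eq 'Enabled')
} | Format-List
```

Run it in an elevated PowerShell session on the host; a `Ready` of `False` points at whichever of the two prerequisites is still missing.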

@Johan Vanneuville 

Thanks for your help.

I cannot log in to the session host with my Azure credentials.
I see the machine in my Azure Virtual Desktop environment, but I can only log in with local admin credentials.

@Stefan Kießig Note that we noticed an issue where it can take up to 40 minutes after VMs are deployed for them to be marked as Available. We are investigating.

What error are you seeing when trying to connect? Definitely have a look at: https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-azure-ad-connections

Thank you, David. But there is still the login problem. I can only log in with local admin credentials, not with AAD credentials.

@Stefan Kießig What error are you seeing when connecting?

@Stefan Kießig hi, may I ask how you solved the problem? I have the same problems with Azure Virtual Desktop as you.

The main problem is using the same credentials that were used to create the previous session host. You have to use different credentials or change the password. No one will think about this. There is a conflict with password hashes with the previous session host.