Forum Discussion
Error "the connection was denied because the user account is not authorised"
Hi David Overton,
Maybe you have some GPO set up to deny certain groups/individuals from using RDP, and it got applied to the AVD session hosts?
Something like this:
Hope this will be helpful.
michael_moshkovich Unfortunately that is not the issue. We do have a deny group, but it is empty in AD and Azure AD. I double-checked the user's account to make sure they were not part of that group, so not applicable both ways.
I also tried adding the user to the local VM's Remote Desktop Users group and suddenly they are able to sign in without issue. I have other users in the same domain who are able to sign in without being added to the Remote Desktop Users local group.
I looked at the logs and in WVDErrors and I see these 3 lines consistently for a user who fails to sign in.
TimeGenerated [UTC] | ActivityType | Source | Code | CodeSymbolic | Message | ServiceError | Operation |
24/02/2022, 13:20:33.197 | Connection | Client | 9,223 | SSL_ERR_ACCESS_DENIED | SSL_ERR_ACCESS_DENIED | FALSE | ClientRDPConnect |
24/02/2022, 13:20:35.118 | Connection | RDGateway | -2,147,467,259 | ConnectionFailedReverseUngracefulClose | The Session Host did not respond to the service attempt to gracefully terminate the connection. | FALSE | GatewayConnectionActive |
24/02/2022, 13:21:25.772 | Connection | RDStack | 12 | NotAuthorizedForLogon | This user isn't authorized so sign in to the session host. | FALSE | Authorization |
Given that the VMs are not AzureAD domain joined, I have seen that the SSL error could be associated with users who might be AzureAD joined, so I took the precaution of enabling the PKU2U policy setting, but this also made no difference.
Any pointers appreciated.
David
- jimmyliebe, Jul 12, 2022, Copper Contributor
David Overton Were you able to resolve this issue? I have something very similar. A Windows 11 machine cannot connect, but we use the credentials on other machines, and it works fine to log in. This one machine just has the problem.
- David Overton, Jul 14, 2022, Copper Contributor
Hi jimmyliebe.
The workaround was a group policy that added the users who could not connect natively to the AVD. The group policy added the users to the Remote Desktop Users group on each of the AVD hosts.
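An added example, not part of the thread: one way to check on a session host which allow or deny entries for Remote Desktop logon apply to the affected user, and whether they already resolve into Remote Desktop Users. It assumes an AD domain-joined host and an elevated session; `$Upn` is a placeholder and `Get-RightSids` and `Resolve-Name` are hypothetical helpers written for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the AVD session host.
$Upn = 'user@contoso.example'   # placeholder: UPN of the user who cannot sign in

# Export the user-rights assignments currently in force on this host.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightSids([string]$Right) {
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $m = Select-String -Path $cfg -Pattern "^$Right\s*=\s*(.*)$" | Select-Object -First 1
    if (-not $m) { return @() }                        # right is assigned to nobody
    foreach ($e in $m.Matches[0].Groups[1].Value.Split(',')) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) }    # entry is already a SID
        else {                                         # entry is an account name
            try {
                [Security.Principal.NTAccount]::new($e).Translate(
                    [Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$e'" }
        }
    }
}

function Resolve-Name([string]$Sid) {
    try {
        [Security.Principal.SecurityIdentifier]::new($Sid).Translate(
            [Security.Principal.NTAccount]).Value
    } catch { $Sid }                                   # orphaned SID: show it raw
}

# Build the user's token on this host (S4U logon, no password needed) to get
# every group SID, including nested domain groups and local groups.
$id       = [Security.Principal.WindowsIdentity]::new($Upn)
$userSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$allow = @(Get-RightSids 'SeRemoteInteractiveLogonRight')      # Allow log on through RDS
$deny  = @(Get-RightSids 'SeDenyRemoteInteractiveLogonRight')  # Deny log on through RDS

[pscustomobject]@{
    User                 = $Upn
    AllowedVia           = @($allow | Where-Object { $userSids -contains $_ } |
                             ForEach-Object { Resolve-Name $_ })
    DeniedVia            = @($deny | Where-Object { $userSids -contains $_ } |
                             ForEach-Object { Resolve-Name $_ })
    InRemoteDesktopUsers = $userSids -contains 'S-1-5-32-555'  # BUILTIN\Remote Desktop Users
} | Format-List

# Compare with a user who can sign in: which members give them access?
Get-LocalGroupMember -Group 'Remote Desktop Users' | Format-Table Name, ObjectClass, PrincipalSource
```

An empty `AllowedVia` is consistent with the `NotAuthorizedForLogon` row in WVDErrors, and any entry in `DeniedVia` takes precedence over an allow. Running it for a working user and a failing user on the same host shows which group membership differs.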