Error "the connection was denied because the user account is not authorised"

Occasional Contributor

We have a handful of users on our AVD deployment who are unable to connect to a session. They are able to sign into RD Client, see the applications in their feed and refresh the feed.  However when they try to connect to a desktop or remote app, it fails with the error message "the connection was denied because the user account is not authorised for remote log-in" and with error code 0x3

 

We have checked the Azure group entries, their M365 licensing and cannot find a cause.

 

Is anyone able to diagnose the issue or recommend a fix?

DavidOverton_0-1645660331429.png

 

Thanks


David

4 Replies

Hi @David Overton,

 

May be you have some GPO setup to deny certain groups/individuals from using RDP, and it got applied to the AVD session hosts?

 

Something like this:

michael_moshkovich_3-1645734098760.png

 

hope this will be helpful.

@michael_moshkovich Unfortunately that is not the issue. We do have a deny group, but it is empty in AD and Azure AD. I double checked, the user's account to make sure they were not part of that group, so not applicable both ways.

I also tried adding the user to the local VM's Remote Desktop Users group and suddenly they are able to sign in without issue. I have other users in the same domain who are able to sign in without being added to the Remote Desktop Users local group.

 

I looked at the logs and in WVDErrors and I see these 3 lines consistently for a user who fails to sign in. 

TimeGenerated [UTC]

ActivityTypeSourceCodeCodeSymbolicMessageServiceErrorOperation
24/02/2022, 13:20:33.197ConnectionClient9,223SSL_ERR_ACCESS_DENIEDSSL_ERR_ACCESS_DENIEDFALSEClientRDPConnect
24/02/2022, 13:20:35.118ConnectionRDGateway-2,147,467,259ConnectionFailedReverseUngracefulCloseThe Session Host did not respond to the service attempt to gracefully terminate the connection.FALSEGatewayConnectionActive
24/02/2022, 13:21:25.772ConnectionRDStack12NotAuthorizedForLogonThis user isn't authorized so sign in to the session host.FALSEAuthorization

 

Given that the VMs are not AzureAD domain joined, I have seen that the SSL error could be associated with users who might be AzureAD joined, so I took the precaution of enabling the PKU2U policy setting, but this also made no difference.

 

Any pointers appreciated.

 

David

@David Overton Were you able to resolve this issue. I have something very similar. A windows 11 machine cannot connect, but we use the credentials on other machines, and it works fine to log in. This one machine just has the problem. 

Hi @jimmyliebe.
The workaround was a group policy that added the users who could not connect natively to the AVD. The group policy added the users to the Remote Desktop Users group on each of the AVD hosts.