Having trouble with FSLogix user profile sharing - any good troubleshooting steps to follow?

Brass Contributor

I followed the steps in https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile. 
The problem I have is that the profile is not shared. Also I see no files in share folder when I logon to the file server. It appears to be an access issue to the file share for FSLogix.

 

Basically I am asking: If this is an access issue to the share for FSLogix, what am I missing in my setup?
Possibly also interesting if there is a tool to check what is wrong or a manual check-list.

 

Browsed Get-RdsDiagnosticActivities - No relevant info
Browsed Applications/FSLogix App/Operational Event Log:
- FindFile failed for path: \\prod-fs-vm00\rdsavprofiles\<SID>\Profile*.VHDX (Access is denied.)
- No Create access: \\prod-fs-vm00\rdsavprofiles\<SID>_<USER>-test (Access is denied.)
- Unable to find parent path of "" ({Application Error} The exception s (0x)

 

I did the following in the my domain:

1. Added a file share server in the domain (Using an Azure AD DS domain)

2. Shared a folder according to the steps and gave all "Domain Computers" access to share and NTFS folder (Get-ADGroupMember -Identity "Domain Computers": Includes both hostpool hosts as expected)

3. Created a "custom image" where I followed the steps in configuring FSLogix before running sysprep

4. Created a host pool with two servers from this custom image in the same domain as file server

5. Logged in with a user and checked what host the user was routed to.

6. Created a .txt document in my documents

7. Logged off

8. Stopped the machine the user logged on to to see if profiles are saved of file server

9. Logged on again and got routed to the other (only running) server

10. Looked for the .txt file in my documents - not there - profile sharing not working...

15 Replies

@Johan_Eriksson sorry for the stupid question but did you follow the steps to enable FSLogix and point that agent to the path you have created

@Stefan Georgiev 

No questions are stupid when troubleshooting: I specified the UNC path to the share.

My suspicion is that step 5. under https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile#prepare-the-vi... is perhaps lacking some permissions that FSLogix require.

On a hunch, I gave "Domain Users" full control to the share and it started to work. I then removed "Domain Users" and FSLogix was unable to load the profile. My wild guess is therefore that "Domain Computers" full control permissions are insufficient for proper operations.

(Also note that the link FSLogix documentation at the end of that section only leads to a login prompt for me. I tried to get a user account from FSLogix, but it was not accepted.)

hmm...good news is that you got it working :)...and the slightly better news is that we have an update to the document on permissions in particular...should be there in 24 hours as I think it was published today (this is the bad news). So its pasted below 🙂

1. Add the Windows Virtual Desktop AD Users to an Active Directory security group. This security group will be used to authenticate the Windows Virtual Desktop users to the file share virtual machine you just created.
2. Connect to the file share virtual machine.
3. On the file share virtual machine, create a folder on the C drive that will be used as the profile share.
4. Right-click the new folder, select Properties, select Sharing, then select Advanced sharing....
5. Select Share this folder, select Permissions..., then select Add....
6. Search for the security group to which you added the session host virtual machines, then make sure that group has Full Control.
7. After adding the security group, right-click the folder, select Properties, select Sharing, then copy down the Network Path to use for later.

@Stefan Georgiev 

Thanks, makes sense. You may want to also change step 6. to refer to "Windows Virtual Desktop users" rather than "session host virtual machines". 

 

Hi

 

We are doing this with azure storage instead of using a server and it doesn't work.

 

We followed the instructions on this link.

We create the share

We enable AAD DS

We assign specific users with "Storage File Data SMB Share Contributor" role to the share

We mount the share on a VM and configure full access for domain users

But still not allowing access

 

On the event log I can see this message:

No Create access: \\intechwvd.file.core.windows.net\wvdprofiles\S-1-5-21-303179029-2383376087-3032883996-1139_jmorales-test (The user name or password is incorrect.)

 

 

 

 

@JaviMora We are having the same issue. Were you able to fix it?

Were you able to get to the bottom cause of this yet?

@Agdar Did you get an answer to this? Same issue here. Thanks.

@MarBur70 

yes, this was a problem with the Azure file share account.. in this case you go to MS open a case with FSLogix, they check the logs and decide where the problem is 🙂

@Johan_Eriksson 

Hello all,

 

I my case, I worked with a Microsoft expert on this and we got it to work for my account just fine. All other users trying to login got the error that many people have seen here. I figured it was a permissions issue....but where?

 

Here is the Microsoft doc for setting up the Azure Files Shares:

https://docs.microsoft.com/en-us/azure/virtual-desktop/create-file-share#assign-azure-rbac-permissio...

 

Step 4 in the 'Configure NTFS permissions' section: (This is done on one of the VM's in the host pool.)

After running all four icacls lines for the first user, you will need to run the first icacls line for EVERY USER INDIVIDUALLY for BOTH the Windows profile and the Office profile local VM shares. Oddly, you only need to do this on the on VM. I tried on the second and it was already done 🙂

The 'net use' commands in step 2 creates the links to the Azure File shares, but you need to apply permissions to the shares that are consistent to the permissions on the shares in Azure Files (Storage File Data SMB Share Contributor). Also so users are not not able to access other users profiles.

Example for LOCAL share permissions:

(O and R drive letters are what I used on Step 2)

icacls O: /grant john.doe@contoso.com:(M)

icacls R: /grant john.doe@contoso.com:(M)

 

I hope this helps!

@Mark Plantenberg Is there not a way to use Security groups instead? I mean I have 3,000 users I have to set this up for, Does this mean I Have to script it for all the users, and then when we get new employees gotta remember to do this for them as well? That's crazy to maintain.

@AliGomaa, Not sure if you ever got an answer to this? I'm in the process of migrating to Blob and am having the same issue. Any information would be greatly appreciated. 

@knickson 

You can use groups. Its described here:
Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop |...

 

icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"

 

I am using the same group that assigns access to the AVD Workspace

@Johan_Eriksson 

Wrong Approch with icacls y: /grant "CONTOSO\AVDUsers:(M)"

 

When we mount the drive with the net use command, it says using the Access key.
Since we use Azure<storageaccountname>, It will look like a group in windows.core.net rather than the desired ADDS or Entra Domain service.

The mounted storage should use the desired domain ID with elevated SMB rights.