Intermittent AVD Host Pool Login issues with WHfB endpoint, SSO, Entra ID Auth & MFA via Cond. Acc.

Hi,

We have been suffering intermittent (once every few months) AVD auth/login issues to multiple Host Pools for multiple users - the login gets stuck and just loops continually between the authentication "Just a moment" screen and the initiating/configuring/securing remote connection dialog box. It seems to just happen at random for just one of our users/admins at any time, and other users can log in to the same Host Pool VM.

We have found that if we leave it for a couple of hours and try again, it will work for the user - but this is not really acceptable for an Enterprise system, so we would like to get to the bottom of this.

We have pure Entra ID (only) joined Host Pool VMs, but the laptop endpoints that we connect from are Hybrid AD joined (with GPO and Intune policies). We have a Conditional Access policy that forces MFA if you are not accessing from a corporate network, we have a Windows Hello for Business (WHfB) PIN set on the endpoints (set up via GPO), and we have Entra ID and SSO enabled on the Host Pool properties. Users and Admins are in the respective Virtual Machine User/Admin RBAC role for the RG the Host Pool VMs are in. User/Admin is in the Desktop App Group.

The fact that it seems to sort itself out after a few hours makes me wonder if it is an AD replication / Entra ID Connect sync issue with the WHfB PIN/cert from AD (does this even get changed after you have set the PIN the first time, though?)

Does anyone else see this or have any ideas as to what the cause is, or how to debug it?

4 Replies
I saw this when the logoff process was not successful.
For example:

The user logs off and the session gets stuck on one of the hosts (in my case, 5 processes were not closed).
The user logs in again and AVD tries to reconnect, but that is not working; the user sees the "Just a moment" message.

Do you have FSLogix in place?

@tommykneetz - hey, thanks for getting back to me, and yes (I missed an important part of the config out) - I do run FSLogix user profiles from an Azure Files share.

Stuck FSLogix processes from a previous login are an interesting possibility, but I have tried rebooting the host and then trying to login and get the same behaviour, so I don't think it can be that in this case.

I have also tried rebooting the endpoint (turn it off and turn it on again), made sure the Remote Desktop app is fully updated, reset settings, etc.

I have tried switching between the endpoint being on our corporate network (no MFA needed) and on public WiFi (MFA needed).

The same user can connect to another Host Pool they have access to - just not the one in question (and they are configured with the same settings for the host pool, MFA, etc.).

It just seems to be time - you give it a few hours and it works again... But I can't really live with this for my users.

How many hosts do you have?
Can you reproduce the issue without FSLogix?

I have just now had this issue occur on my account and I have more information...

This occurred logging into (only one of) my Host Pools whilst I was on the corporate network (via a VPN connection) - so I should not get prompted for MFA (as we have a Cond Access policy for all apps to require MFA if not on a trusted network). I repeatedly got the "Just a Moment" screen and the "initiating/securing connection" dialog box, stuck in a loop. When I looked at the Host Pool VM, my user was showing as connected but in a Pending state.

But what I then did was to shut that VM down (to clear my session), then disconnected from the VPN and tried to connect off the corporate network - this time it succeeded and I could log in. I will note that I was not prompted for MFA (I think because we have a grace period on MFA and don't get prompted every time, if the user selects to "remain logged in" when prompted).

After that, I could re-connect to the corporate network via VPN and then connect successfully from there too.

So - it seems that it is something to do with the MFA / Token - perhaps?
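
A starting point for the "how to debug it" question in the original post and for the MFA/token suspicion in the last reply: an added example script, not posted by anyone in this thread, that parses `dsregcmd /status` on the connecting laptop and flags the hybrid-join, Primary Refresh Token (PRT) and WHfB key fields that Entra ID SSO into a host pool depends on. The field names are the ones dsregcmd prints; the timestamp format, the 24-hour renewal threshold and the `ConvertFrom-DsregStatus` / `Test-AvdSsoState` function names are my own assumptions, and the embedded status output is constructed (placeholder GUIDs) to show the unhealthy case. Run it as the affected user on the endpoint while the login loop is happening, then run it again on an endpoint that connects fine and compare.

```powershell
# Added example (not from the thread): parse `dsregcmd /status` on the connecting
# endpoint and flag the device/PRT/WHfB fields that Entra ID SSO to an AVD host
# pool depends on. Field names are the ones dsregcmd prints; the timestamp format
# and the 24 h renewal threshold are assumptions; the sample output is constructed.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Rows look like "    AzureAdPrt : YES"; section banners and "+----" rulers have no colon
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function ConvertTo-DsregUtc {
    param([string]$Text)
    # dsregcmd prints e.g. "2024-05-03 08:12:33.000 UTC" (format assumed from observed output)
    $clean = $Text -replace '\s*UTC\s*$', ''
    $dt = [datetime]::ParseExact($clean, 'yyyy-MM-dd HH:mm:ss.fff',
                                 [System.Globalization.CultureInfo]::InvariantCulture)
    return [datetime]::SpecifyKind($dt, [System.DateTimeKind]::Utc)
}

function Test-AvdSsoState {
    param([hashtable]$State, [datetime]$NowUtc = [datetime]::UtcNow)
    [string[]]$findings = @()
    if ($State['AzureAdJoined'] -ne 'YES') { $findings += 'AzureAdJoined is not YES: no Entra device identity, so no PRT can be issued' }
    if ($State['AzureAdPrt']    -ne 'YES') { $findings += 'AzureAdPrt is not YES: no Primary Refresh Token, so SSO to the host pool cannot work' }
    if ($State['NgcSet']        -ne 'YES') { $findings += 'NgcSet is not YES: no Windows Hello for Business key for this user' }
    if ($State.ContainsKey('AzureAdPrtExpiryTime')) {
        $expiry = ConvertTo-DsregUtc $State['AzureAdPrtExpiryTime']
        if ($expiry -lt $NowUtc) { $findings += "PRT expired at $($expiry.ToString('u'))" }
    }
    if ($State.ContainsKey('AzureAdPrtUpdateTime')) {
        $age = $NowUtc - (ConvertTo-DsregUtc $State['AzureAdPrtUpdateTime'])
        # A signed-in user's PRT is renewed periodically; a day-old timestamp means renewals
        # are silently failing even though AzureAdPrt still reads YES (threshold is assumed)
        if ($age.TotalHours -gt 24) { $findings += "PRT last renewed $([int]$age.TotalHours) h ago" }
    }
    return $findings
}

# Constructed sample of the relevant dsregcmd rows (placeholder GUIDs), showing the unhealthy
# case: hybrid-joined device with WHfB set, but a PRT last renewed weeks ago and since expired
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-05-03 08:12:33.000 UTC
      AzureAdPrtExpiryTime : 2024-05-17 08:12:33.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}
             WamDefaultSet : YES
'@

if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $lines  = & dsregcmd.exe /status          # live: run as the affected user, not elevated
    $nowUtc = [datetime]::UtcNow
    $live   = $true
} else {
    $lines  = $SampleStatus -split "`r?`n"    # offline: fall back to the constructed sample
    $nowUtc = [datetime]::SpecifyKind([datetime]'2024-05-20T09:00:00', [System.DateTimeKind]::Utc)
    $live   = $false
}
$state    = ConvertFrom-DsregStatus -Lines $lines
$findings = @(Test-AvdSsoState -State $state -NowUtc $nowUtc)

foreach ($k in 'AzureAdJoined','DomainJoined','AzureAdPrt','AzureAdPrtUpdateTime','AzureAdPrtExpiryTime','NgcSet','WamDefaultSet') {
    '{0,-22} {1}' -f $k, $state[$k]
}
if ($findings.Count -eq 0) { 'No SSO prerequisite problems found on this endpoint' }
else                       { $findings | ForEach-Object { "FINDING: $_" } }

# On a live endpoint, also pull recent token-broker errors from the AAD operational log
if ($live) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AAD/Operational'; Level = 2; StartTime = (Get-Date).AddHours(-2) } -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
    } catch { "No AAD operational errors in the last 2 hours ($($_.Exception.Message))" }
}
```

Against the constructed sample this reports two findings (PRT expired, PRT last renewed about 408 h ago), which is the shape of result to look for on the affected laptop: if its PRT is missing or stale while a healthy laptop's is fresh, the loop is a client-side token problem rather than anything on the host pool or in FSLogix. On builds that support it, `dsregcmd /refreshprt` run as the user forces a renewal, which is a faster test than waiting a few hours for the token to roll over.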