Nov 21 2019 01:45 PM - edited Nov 21 2019 01:46 PM
Having an issue where users of WVD Windows 10 Multi-session have issues moving between hosts. Essentially the first login on a host is fine; when the user moves to a new host, Outlook eventually says "Need password", however the modern authentication prompts are never presented to the user.
Anyone have any insight? Perhaps something with Azure Files / FSLogix?
Thanks in advance.
Feb 15 2022 03:31 AM
Sorry to post in an older thread, but I am seeing issues with additional mailboxes in Outlook with AVD.
Adding the mailbox will work initially, but the next day when the user logs in the additional mailbox does not update and 'Needs password' appears, but the prompt box will not show. Removing the mailbox and trying to re-add it then gives an error that the mailbox cannot be added and to retry. Recreating the whole FSLogix profile fixes it, but only creating a new Outlook profile does not. Anyone have any idea what is causing this and a fix?
Oct 11 2022 05:34 AM - edited Oct 11 2022 07:31 AM
A long-time WVD/AVD administrator here, and we're now picking up on some oddities.
First of all, mentioning what has and does work perfectly:
AVD VMs are not Workplace Joined like in the initial problem in this thread
SSO works for the user logging on
MFA works as expected
FSLogix roaming handles logging on to multiple machines
The problems start when, due to business needs, a 2nd O365 account gets added to Outlook or Teams, especially if that second O365 account is not within the same tenant as the user logging on (the user logging on handles the Windows/Office licensing as required). Another way to make sure it breaks is by adding only a foreign O365 account to Outlook and then logging on to another VM.
The only "fix" we've found so far is to disable WAM and re-enable ADAL. That fixes the issues but isn't recommended or desired in the long run.
Is anyone able to confirm they have a setup like this working with email/Teams accounts other than the logged-in user? Or does adding other accounts to Outlook with MFA simply break SSO on AVD/FSLogix setups? The problem persists over multiple different AVD setups.
Oct 26 2022 02:02 AM
We have the same setup on Terminal Server 2019 with FSLogix and from time to time the login breaks.
We did not test disabling ADAL or anything like that.
We log the user off, let him log in on another Terminal Server (it's a broker setup with 2 Terminal Servers in it) and then Outlook runs fine on the other server.
On the next day it doesn't matter which Terminal Server the user is working on.
We have not found any other solution yet.
Dec 06 2022 12:31 AM
Same issue, only with RDS. Latest FSLogix installed, but when they change their password they lose the connection with Office 365 and "password needed" is showing. The prompt won't pop up, and it seems to happen with the users that have multiple accounts added from different tenants.
We use DUO as MFA. They will force modern authentication soon, so disabling this won't help.
The solution that seems to work is logging them off in Outlook, signing back in and approving with MFA again.
Dec 08 2022 12:54 AM
We have the exact same problem since last week. FSLogix on Terminal Server 2019 with one broker and two session hosts. Did you find any other solution than logging the user on to the other server and waiting?
Dec 12 2022 08:56 AM - edited Dec 12 2022 08:59 AM
Following fix in place at the moment:
Create a GPO to add the following registry key, or create it manually:
HKEY_LOCAL_MACHINE\Software\FSlogix\Profiles
KeepLocalDir DWORD 1
Then add a "redirections.xml" file in the following location for each user:
c:\users\%username%\AppData\Local\FSLogix
The redirection only works when the file is present upon logon, so do a logoff/logon afterwards or inject it into the dormant profile.
Contents of the redirections.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection>
  <Excludes>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
You will have to enter credentials on EACH session host ONCE, but after that you can move between hosts without any issue.
The theory of this fix:
Modern Authentication works with tokens. Those tokens contain the Device ID. Storing them in FSLogix breaks them because the Device ID contained in them no longer matches. The fix pushes those tokens out of the FSLogix container to a local_username folder and no longer deletes that folder upon logoff from the machine. Once you have a working token on each host it will refresh if needed, but it no longer breaks. Hope this helps, because MS was clueless after spending a few weeks with the FSLogix/Office teams.
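The two steps of the workaround above (registry value plus the per-user redirections.xml), scripted for one session host. This is an added example, not the poster's or Microsoft's script; it assumes it runs elevated on the host, that the user is logged off so the file is read at the next logon, and the function name and its parameters are hypothetical. The key path, value and excluded folders are exactly those given in the post.

```powershell
# Added example (not from the thread). Run elevated on a session host.
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
if (-not (Test-Path $ProfilesKey)) { New-Item -Path $ProfilesKey -Force | Out-Null }
# KeepLocalDir = 1 keeps the local_<username> folder on the host after logoff,
# so the excluded token-cache folders survive for the next logon on this host.
Set-ItemProperty -Path $ProfilesKey -Name 'KeepLocalDir' -Value 1 -Type DWord

# redirections.xml exactly as posted. Copy="0" excludes the folder from the
# container without copying its contents in either direction.
$Redirections = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection>
  <Excludes>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
'@

# Hypothetical helper: writes the file into one user's profile at
# C:\Users\<user>\AppData\Local\FSLogix (the location named in the post) and
# checks that it parses back as XML with the three excludes.
function Install-FsLogixRedirections {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ProfileRoot = "C:\Users\$UserName"
    )
    $Target = Join-Path $ProfileRoot 'AppData\Local\FSLogix\redirections.xml'
    New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null
    # No BOM, so the bytes on disk match the declared UTF-8 encoding.
    [System.IO.File]::WriteAllText($Target, $Redirections, [System.Text.UTF8Encoding]::new($false))

    $Xml = [xml](Get-Content -Raw -Path $Target)
    $Count = @($Xml.FrxProfileFolderRedirection.Excludes.Exclude).Count
    if ($Count -ne 3) { throw "Expected 3 Exclude entries in $Target, found $Count" }
    Write-Output "redirections.xml written to $Target ($Count excludes)"
}

# Usage: Install-FsLogixRedirections -UserName 'jdoe'
```

The registry value is host-wide, so the `Set-ItemProperty` part (or the equivalent GPO) has to be applied on every session host in the pool, while the file is written once per user profile.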
Dec 13 2022 03:41 AM - edited Dec 13 2022 03:42 AM
There is more than one reason why Modern Authentication can break. My situation and the fix are very specific:
The use case is multiple hosts AND multiple O365 accounts (or an O365 account that isn't covered by SSO).
In VDI and almost any setup you should have SSO configured, which handles the primary O365 account. If it "breaks" by moving to another VM, SSO kicks in and repairs it without the user ever noticing.
My fix is only intended if both conditions are met: multiple hosts and multiple O365 accounts.
If you are having issues with Modern Auth and those conditions are not met, I suggest looking at SSO, which may not be configured or may not function as desired. That seems to be the case with the changing-password issue. Your local AD may not be in sync with AAD.
Dec 19 2022 04:25 PM
@KevinDeSchrijver Won't you have an issue when you re-image the host pool? Everyone will have to sign in to the new hosts again, or am I missing something here?
Dec 20 2022 12:22 AM - edited Dec 20 2022 12:23 AM
This is indeed the case. No solution for that, I'm afraid.
The solution I posted only applies to the specific case, and I only created it myself after hitting a dead wall with MS support, who started opening their umbrella with statements like: indeed, having more than one O365 account (hello, mail accounts?) is not supported with FSLogix on multiple hosts.
I based my solution on this:
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-deskt...
Dec 20 2022 08:30 PM
So it seems to have nothing to do with the Windows update.
I fixed my issue by rolling back FSLogix from 2210 to 2201. There is a known issue for those devices that can't be Azure AD joined or Hybrid joined. So if you are using AADDS, don't update past version 2201 of FSLogix.
https://learn.microsoft.com/en-us/fslogix/troubleshooting-known-issues#azure-ad-authentication-for-a...
Dec 20 2022 10:19 PM - edited Dec 20 2022 10:25 PM
Thank you for the heads-up on the new FSLogix issue. I can't tell if this known issue is a bug or just how Microsoft intends to treat AADDS-joined machines in the future.
Dec 22 2022 01:03 AM - edited Dec 22 2022 01:13 AM
The problem is wider than that. My machines ARE Hybrid joined. Even if they're Hybrid joined, you will be prompted on every single logon for O365 credentials for SECONDARY (mail) O365 accounts. Granted, that's not a very common use case, but still.
My fix doesn't work for 2210 either. It looks like you can redirect those folders out of FSLogix as much as you want, FSLogix will still "ignore" them. Obviously they changed something in the behaviour there. Still awaiting MS response on the open case.
Dec 22 2022 02:20 AM
Does the change from basic authentication to modern authentication have anything to do with it? Microsoft is forcing modern authentication for tenants now.
Dec 22 2022 02:24 AM - edited Dec 22 2022 02:25 AM
Of course. With Basic Auth you don't/didn't have any of these issues. It's the way Modern Auth works (token based, with Device ID) that's breaking things.
Modern Auth is a good thing; it just creates issues for AVD/VDI that haven't been properly vetted yet.