Solutions for WVD client not connecting

%3CLINGO-SUB%20id%3D%22lingo-sub-1055555%22%20slang%3D%22en-US%22%3ESolutions%20for%20WVD%20client%20not%20connecting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1055555%22%20slang%3D%22en-US%22%3EI%2C%20and%20it%20seems%20many%20others%2C%20have%20had%20issues%20connecting%20to%20windows%20virtual%20desktop%20after%20provisioning%20seemed%20successful.%20This%20manifests%20with%20the%20web%20client%20giving%20errors%20after%20opening%20port%2C%20or%20with%20the%20desktop%20client%20saying%20something%20went%20wrong%20and%20a%20vague%20explanation.%3CBR%20%2F%3E%3CBR%20%2F%3ETurns%20out%20there%20are%20a%20few%20rules%20that%20must%20be%20followed%20that%20aren%E2%80%99t%20mentioned%20anywhere%20I%20looked.%3CBR%20%2F%3E%3CBR%20%2F%3E1)%20the%20user%20you%20are%20logging%20in%20with%20must%20be%20from%20the%20local%20AD%20or%20from%20the%20AADDS%20...%20NOT%20an%20AzureAD%20user.%20It%20must%20be%20synced%20but%20it%20must%20originate%20from%20local%20AD.%20It%20must%20be%20a%20domain%20user.%20You%20won%E2%80%99t%20see%20what%20the%20issue%20it%2C%20but%20it%20will%20fail.%20Your%20domain%20controller%20does%20the%20sign%20in%20Authentication%2C%20but%20it%E2%80%99s%20initiated%20through%20azure%2C%20so%20it%20must%20be%20synced%20and%20visible%20in%20azure%20but%20actually%20created%20in%20domain.%20AzureAD%20users%20won%E2%80%99t%20sync%20back%20to%20the%20domain%20so%20that%E2%80%99s%20why%20it%20needs%20to%20be%20created%20in%20domain.%20Remember%20to%20add%20the%20domain%20user%20to%20the%20app%20group%20via%20add-rdsappgroupuser%20as%20well.%3CBR%20%2F%3E%3CBR%20%2F%3E2)%20you%20can%E2%80%99t%20be%20logged%20into%20windows%20with%20a%20different%20Microsoft%20account%20for%20the%20desktop%20client.%20The%20new%20client%20apparently%20looks%20at%20the%20windows%20accounts%2C%20and%20you%20will%20see%20there%20is%20no%20way%20to%20change%20accounts%20from%20the%20desktop%20client.%20This%20is%20very%20annoying.%20Since%20it%E2%80%99s%20tied%20together%20if%20you%20are%20logged%20into%20a%20personal%20Microsoft%20account%20or%20one%20not%20from%20your%20local%20AD%20that%E2%80%99s%20not%20been%20added%20to%20the%20appgroup%2C%20it%20will%20fail.%20I%20was%20testing%20accounts%20but%20I%20was%20logged%20into%20windows%20with%20my%20personal%20Microsoft%20account%20and%20it%20always%20gave%20errors.%20I%20logged%20out%2C%20and%20into%20the%20local%20computer%20account%20%2C%20and%20the%20desktop%20client%20worked%20fine.%20I%20figured%20this%20out%20because%20after%20I%20removed%20the%20additional%20testing%20accounts%20from%20windows%20users%20I%20got%20a%20Login%20screen%20but%20then%20it%20still%20failed%20with%20the%20same%20%E2%80%9Csomething%20went%20wrong%E2%80%9D%20error.%20This%20led%20me%20to%20think%20it%20might%20be%20getting%20confused%20because%20I%20could%20have%20multiple%20work%20accounts%20on%20computer%20and%20the%20client%20never%20asked%20which%20to%20use.%20Instead%20of%20a%20VM%20issue%20it%E2%80%99s%20just%20the%20client%20isn%E2%80%99t%20smart%20enough%20to%20ask%20which%20account%20you%20want%20to%20use%20even%20after%20login.%20Item%203%20also%20led%20to%20to%20realize%20that%20it%E2%80%99s%20getting%20confused%20with%20accounts.%3CBR%20%2F%3E%3CBR%20%2F%3E3)%20use%20incognito%20to%20test%20web%20client.%20Even%20though%20I%20logged%20out%20of%20azure%20portal%2C%20out%20of%20my%20own%20Microsoft%20account%2C%20etc%2C%20the%20web%20client%20kept%20failing%20to%20connect.%20BUT%20if%20I%20ran%20incognito%20it%20connected.%20This%20told%20me%20the%20app%20isn%E2%80%99t%20able%20to%20distinguish%20the%20account%20I%20needed%20to%20use.%20Again%2C%20my%20personal%20account%20still%20had%20a%20trace%20somewhere%20in%20the%20browser%20and%20this%20kept%20causing%20issues.%20WVD%20kept%20trying%20to%20use%20an%20account%20that%E2%80%99s%20not%20part%20of%20my%20WVD%20setup%2C%20hence%20failure.%20Try%20incognito.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20hope%20these%20items%20help%20you%20out.%20None%20of%20these%20were%20made%20clear%20and%20I%20beat%20my%20head%20for%203%20days%20re-launching%20WVD%20VMs%20and%20tenants.%20Turns%20out%20the%20setup%20was%20fine%20the%20whole%20time.%20It%E2%80%99s%20the%20WVD%20clients%20that%20suck.%20The%20desktop%20client%20must%20have%20a%20way%20to%20login%20a%20user%20and%20NOT%20pull%20from%20windows.%20Or%20at%20least%20give%20the%20user%20a%20clear%20error%20that%20explain%20what%20account%20it%E2%80%99s%20trying%20to%20log%20in%20with.%20Just%20telling%20me%20what%20account%20it%20tried%20to%20used%20on%20either%20the%20desktop%20client%20or%20webclient%20would%20have%20identified%20this%20in%20an%20instant.%20The%20diagnostics%20log%20weren%E2%80%99t%20clear%20enough%20either.%3CBR%20%2F%3E%3CBR%20%2F%3EUltimately%20Please%20just%20separated%20the%20sign%20ins.%20Not%20everyone%20wants%20to%20use%20SSO%2C%20especially%20a%20remote%20worked%20on%20their%20personal%20laptop%20that%E2%80%99s%20not%20domain%20joined%2C%20or%20joined%20to%20a%20different%20domain.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helped%20some%20people%20out.%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1055555%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ERemote%20Desktop%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Virtual%20Deskop%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWVD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073219%22%20slang%3D%22en-US%22%3ERe%3A%20Solutions%20for%20WVD%20client%20not%20connecting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073219%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F391582%22%20target%3D%22_blank%22%3E%40khan95osu%3C%2FA%3E%26nbsp%3B%3A%20Thanks%20for%20taking%20the%20time%20to%20write%20this%20up%20and%20contributing%20back%2C%20though%20we%20wish%20that%20you%20didn't%20have%20to%20have%20a%20lot%20of%20struggles%20to%20deploy%20and%20get%20end-to-end%20connections%20working.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20regards%20to%20%231%2C%20you%20are%20absolutely%20correct.%20When%20looking%20at%20the%20docs%2C%20where%20would%20you%20expect%20to%20find%20that%20information%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20regards%20to%20%232%2C%20this%20seems%20odd%20because%20we%20do%20allow%20you%20to%20login%20with%20the%20identity%20you%20choose%20to%20provide%2C%20not%20just%20your%20logged%20in%20identity.%20Does%20this%20continue%20to%20repro%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20regards%20to%20%233%2C%20this%20is%20primarily%20a%20function%20of%20browsers%20and%20Azure%20AD.%20We%20can%20try%20to%20improve%2C%20unfortunately%20I%20don't%20think%20there's%20too%20much%20we%20can%20do%2C%20since%20disabling%20any%20sort%20of%20web%20SSO%20experience%20would%20be%20course-correcting%20too%20far.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%2C%20thank%20you%20for%20writing%20these%20up.%20We'd%20be%20happy%20to%20make%20sure%20this%20gets%20reflected%20in%20documentation%2C%20and%20in%20our%20service%20to%20make%20it%20easier%20to%20use.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor
I, and it seems many others, have had issues connecting to windows virtual desktop after provisioning seemed successful. This manifests with the web client giving errors after opening port, or with the desktop client saying something went wrong and a vague explanation.

Turns out there are a few rules that must be followed that aren’t mentioned anywhere I looked.

1) the user you are logging in with must be from the local AD or from the AADDS ... NOT an AzureAD user. It must be synced but it must originate from local AD. It must be a domain user. You won’t see what the issue it, but it will fail. Your domain controller does the sign in Authentication, but it’s initiated through azure, so it must be synced and visible in azure but actually created in domain. AzureAD users won’t sync back to the domain so that’s why it needs to be created in domain. Remember to add the domain user to the app group via add-rdsappgroupuser as well.

2) you can’t be logged into windows with a different Microsoft account for the desktop client. The new client apparently looks at the windows accounts, and you will see there is no way to change accounts from the desktop client. This is very annoying. Since it’s tied together if you are logged into a personal Microsoft account or one not from your local AD that’s not been added to the appgroup, it will fail. I was testing accounts but I was logged into windows with my personal Microsoft account and it always gave errors. I logged out, and into the local computer account , and the desktop client worked fine. I figured this out because after I removed the additional testing accounts from windows users I got a Login screen but then it still failed with the same “something went wrong” error. This led me to think it might be getting confused because I could have multiple work accounts on computer and the client never asked which to use. Instead of a VM issue it’s just the client isn’t smart enough to ask which account you want to use even after login. Item 3 also led to to realize that it’s getting confused with accounts.

3) use incognito to test web client. Even though I logged out of azure portal, out of my own Microsoft account, etc, the web client kept failing to connect. BUT if I ran incognito it connected. This told me the app isn’t able to distinguish the account I needed to use. Again, my personal account still had a trace somewhere in the browser and this kept causing issues. WVD kept trying to use an account that’s not part of my WVD setup, hence failure. Try incognito.

I hope these items help you out. None of these were made clear and I beat my head for 3 days re-launching WVD VMs and tenants. Turns out the setup was fine the whole time. It’s the WVD clients that suck. The desktop client must have a way to login a user and NOT pull from windows. Or at least give the user a clear error that explain what account it’s trying to log in with. Just telling me what account it tried to used on either the desktop client or webclient would have identified this in an instant. The diagnostics log weren’t clear enough either.

Ultimately Please just separated the sign ins. Not everyone wants to use SSO, especially a remote worked on their personal laptop that’s not domain joined, or joined to a different domain.

Hope this helped some people out.
1 Reply

@khan95osu : Thanks for taking the time to write this up and contributing back, though we wish that you didn't have to have a lot of struggles to deploy and get end-to-end connections working.

 

In regards to #1, you are absolutely correct. When looking at the docs, where would you expect to find that information?

 

In regards to #2, this seems odd because we do allow you to login with the identity you choose to provide, not just your logged in identity. Does this continue to repro?

 

In regards to #3, this is primarily a function of browsers and Azure AD. We can try to improve, unfortunately I don't think there's too much we can do, since disabling any sort of web SSO experience would be course-correcting too far.

 

Again, thank you for writing these up. We'd be happy to make sure this gets reflected in documentation, and in our service to make it easier to use.