Unable to connect to Azure Remote Desktop after updates


After KB5020435 is applied to the AVD session hosts, and after updating the remote client's Remote Desktop app version beyond 1.2.3213, clients are unable to connect to the session hosts. After authentication, they receive the following error message: An authentication error has occurred. A specified logon session does not exist. It may have already been terminated. Error code: 0x0, extended error code: 0x0, Activity ID: 5278116b-4dd6-4e08-a3b8-5f1bce1c0000. If we uninstall that hotfix from the AVD session hosts or use an older version of the Remote Desktop client for Windows, this error does not occur.

Our AVD session hosts are running Windows 10 21H2.

End users are running a mix of operating systems and clients. The problem occurs with the Windows client (versions noted above), and with the web client, but does not occur on the Store App client or on macOS clients.

7 Replies

After a lot of troubleshooting, we found that removing the enablerdsaadauth:i:1 setting from the RDP settings of the host pool, users are able to connect again. This parameter was set to enable a more seamless Azure Active Directory authentication experience, but we did not realize this was a preview feature. We have a ticket open with Microsoft support and we are awaiting further information on how we can reenable this functionality.

@fmagic We are facing the issue. Is there any feedback or update from Microsoft? I know that removing enablerdsaadauth:i:1 or setting enablerdsaadauth:i:0 can be a workaround. But it means Azure AD authentication (SSO) is not enabled. I don't know why it works for Mac or iPhone/iPad but not for Windows.

@Paul_Wang It seems that we were able to solve this problem by setting up a KDC Proxy, which is as simple as publishing a Remote Desktop Gateway server, with a valid SSL certificate. On the same screen where you enable Azure Active Directory authentication in the host pool, there is an option to enter the KDC Proxy (the RD Gateway). You don't have to do much configuration on the RD Gateway server other than setting up the SSL certificate. This is the link that Microsoft support provided to us:

Set up Kerberos Key Distribution Center proxy Azure Virtual Desktop - Azure | Microsoft Learn

Thanks @fmagic! You gave me the troubleshooting direction. But I don't know if we have a Remote Desktop Gateway server set up in our environment. Can you guide me on how to validate/set it up? Is it an on-premises server or an Azure cloud server? Can it be set up on any Windows Server? Or must it be configured on some specific server?

@Paul_Wang The link in the previous message has everything I know about it. The server can be on-premises or in the Azure cloud, as long as it has connectivity to your AD Domain Services domain (it needs to be domain-joined.) We deployed our RDG in our Azure cloud, and then published port 443 on it via the Network Security Group attached to the Azure VM NIC.
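The two fixes discussed in this thread (dropping the preview `enablerdsaadauth:i:1` property as a workaround, then pointing the host pool at a KDC proxy published on an RD Gateway so the property can be switched back on) are both edits to the host pool's custom RDP property string. The PowerShell below is an added example written for this page, not code posted by anyone in the thread or shipped by Microsoft. It uses the Az.DesktopVirtualization cmdlets `Get-AzWvdHostPool` and `Update-AzWvdHostPool`; the resource group, host pool name and gateway FQDN are placeholder assumptions, and the `kdcproxyname:s:<fqdn>` property comes from the Microsoft Learn KDC proxy page the reply links to, not from the thread itself. It only re-enables Azure AD authentication when the proxy endpoint actually answers on TCP 443, which is the check a practitioner would want before rolling the setting back out.

```powershell
# Added example (not from the thread): inspect and adjust an AVD host pool's custom
# RDP properties, and only re-enable Azure AD auth once a KDC proxy is reachable.
Import-Module Az.DesktopVirtualization

$ResourceGroup = 'rg-avd-example'     # assumed resource group name
$HostPoolName  = 'hp-avd-example'     # assumed host pool name
$KdcProxyFqdn  = 'rdgw.example.com'   # assumed RD Gateway FQDN carrying a valid TLS cert

# Parse "key:type:value;key:type:value;" into an ordered hashtable so single
# settings can be inspected, removed or replaced without string surgery.
function ConvertFrom-RdpProperties {
    param([string]$PropertyString)
    $props = [ordered]@{}
    foreach ($entry in ($PropertyString -split ';' | Where-Object { $_ -ne '' })) {
        $name, $rest = $entry -split ':', 2
        $props[$name] = $rest          # value keeps its type prefix, e.g. "i:1" or "s:host"
    }
    return $props
}

# Serialise the hashtable back into the form the host pool expects (trailing ';').
function ConvertTo-RdpProperties {
    param($Properties)
    $pairs = $Properties.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }
    return (($pairs -join ';') + ';')
}

$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$props = ConvertFrom-RdpProperties $pool.CustomRdpProperty
Write-Host "Current properties: $($pool.CustomRdpProperty)"

# Workaround from the thread: drop the preview setting so MSI-installed Windows
# clients newer than 1.2.3213 can reach hosts that have KB5020435 applied.
$props.Remove('enablerdsaadauth')

# Preferred fix from the thread: keep Azure AD auth, but only if the KDC proxy
# (the RD Gateway) is actually reachable on 443 from where clients will use it.
$reachable = Test-NetConnection -ComputerName $KdcProxyFqdn -Port 443 -InformationLevel Quiet
if ($reachable) {
    $props['enablerdsaadauth'] = 'i:1'
    $props['kdcproxyname']     = "s:$KdcProxyFqdn"
} else {
    Write-Warning "KDC proxy $KdcProxyFqdn does not answer on TCP 443; leaving Azure AD auth disabled"
}

$newValue = ConvertTo-RdpProperties $props
Write-Host "Applying properties:  $newValue"
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName -CustomRdpProperty $newValue
```

Run it from a machine that has Az authenticated (`Connect-AzAccount`) and network visibility comparable to the end users', since `Test-NetConnection` only proves reachability from the machine running the script. Because the property string is parsed into a hashtable first, any other custom RDP properties already on the host pool are preserved rather than overwritten.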

I have some additional information to report about this issue. I have found that users who are a member of Domain Admins in the AD DS domain are getting stuck in a login loop when trying to launch apps (including the desktop.) I don't know what would be causing this, but I just got the Microsoft ticket reopened so I can try to understand why this would be happening. The Remote Desktop client populates correctly, but when launching an app, the client shows Initiating remote session, configuring remote session, then securing remote connection, and that's when an AAD authentication prompt opens up. After entering valid credentials, including MFA, the Initiating remote session and securing remote session messages show up again, and then the user is returned to the AAD auth prompt.

Today I ran into the same problem and found that the issue is not only client-dependent but depends on some other variables too.
It does not reproduce on macOS or with the Windows Microsoft Remote Desktop client downloaded from the Microsoft Store. Only the MSI-distributed version is affected.