SOLVED

User in Child Domain gets Connection Denied when connecting to WVD Session Host


Feeling like I'm missing something really obvious here, but the error is too generic to find the result I need.


Most of our WVD users are in our primary/parent domain. We have two users in a child domain that need to access the WVD environment, however they are getting a generic "The connection was denied because the user account is not authorized for remote logon" error. No problem subscribing to the feed, but can't hit the desktop.


In regular RDP/RDS environments, this typically means the user isn't a member of the "Remote Desktop Users" group, or the security policy needs to be modified to allow that specific user/group. WVD doesn't seem to follow this method for access control. Instead, it seems like the WVD management service dynamically controls the Remote Desktop user group on the host machines. 


Anyone have thoughts or experience to share?

best response confirmed by Eva Seydl (Microsoft)
Solution
You are spot on. Let me give you some context.

1) we automatically add users to the RD user group on the host machine
2) this happens during orchestration (orchestration = establish connection)
3) when user connects there are two sets of authentication
- one for Azure AD (to get the feed)
- second to the AD DS (session host permissions)
4) in the case the Azure AD works fine, the AD DS does not work because when we ask the DC for those users we do not get "correct" response

Few assumptions
1) I am assuming that the child domain users are synched to Azure AD
2) Does the DNS support the look up of the child domains
3) VMs are joined to the parent domain (work around maybe to create a host pool where VM is joined to the child domain)
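
The reply above boils down to three things to verify on the session host: DNS can locate a domain controller for the child domain, the host can actually reach that DC, and the child-domain account resolves on the host so that the orchestration step can add it to the local "Remote Desktop Users" group. The following PowerShell script is an added diagnostic for those checks; it is not code from the thread or from Microsoft. The child domain FQDN, the user name, and the assumption that the NetBIOS domain name is the first DNS label are placeholders to replace with your own values. Whether the users are synced to Azure AD (assumption 1) cannot be checked from the host and is left out.

```powershell
# Added diagnostic example, not from the thread. Run elevated on the WVD session host.
# Values below are assumptions: replace with your child-domain FQDN and the affected
# user's sAMAccountName.
param(
    [string]$ChildDomain = 'child.corp.example',   # assumed child-domain FQDN
    [string]$UserSam     = 'jdoe'                  # assumed child-domain user
)

$results = [ordered]@{}

# Assumption 2 in the reply: can this host find a DC for the child domain via DNS?
# Domain-joined clients locate DCs through the _ldap._tcp.dc._msdcs SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildDomain" -Type SRV -ErrorAction SilentlyContinue
$results['ChildDomainSrvRecord'] = [bool]$srv

# Can the Netlogon DC locator on this host discover and reach a child-domain DC?
$null = & nltest.exe /dsgetdc:$ChildDomain 2>&1
$results['NltestDcLocator'] = ($LASTEXITCODE -eq 0)

# Assumption 3: which domain is this session host joined to?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['HostDomain']        = $cs.Domain
$results['HostJoinedToChild'] = ($cs.Domain -ieq $ChildDomain)

# The core point of the reply: the service adds the user to the local
# "Remote Desktop Users" group at connection time. If the host cannot resolve
# the child-domain account, that membership never appears here.
$netbios = ($ChildDomain -split '\.')[0]   # assumption: NetBIOS name is the first DNS label
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$results['UserInRdUsersGroup'] = [bool]($members | Where-Object {
    $_.Name -ieq "$netbios\$UserSam"
})

# Can the host translate the account name to a SID at all (LSA lookup through
# the trust to the child domain)? A failure here matches the "do not get a
# correct response from the DC" symptom described in the reply.
try {
    $sid = ([System.Security.Principal.NTAccount]"$netbios\$UserSam").Translate(
        [System.Security.Principal.SecurityIdentifier])
    $results['UserSidResolves'] = $true
    $results['UserSid']         = $sid.Value
} catch {
    $results['UserSidResolves'] = $false
    $results['UserSid']         = $null
}

[pscustomobject]$results | Format-List
```

Read the output top to bottom: a missing SRV record or a failing `nltest /dsgetdc` points at DNS or network reachability from the host, while a good DC lookup but `UserSidResolves = False` points at the trust or name-resolution path for the child domain account; `UserInRdUsersGroup` should become `True` only after a successful connection attempt by that user.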


Thanks for getting back. Here are my replies to your suggestions.

1) Yes.
2) Yes. I have verified DNS resolves and the VM can contact the child domain's DC.
3) Yes. Joined to the parent. Prior to WVD, we had these users all accessing the App on RDS via RemoteApp. We had no issue adding the child domain users in that environment. In fact, I think our Help Desk is recommending turning that back on to accommodate these users as a work around.

At the end of the day, this isn't a major issue for me, as it only affects a small subset of users and the App they are using will be retired later this year. But it seems like there should be a solution. I'm also surprised it doesn't seem to have come up, or at least not as regularly as I would assume.