SOLVED

WVD - NLA required for user logins, not admins


Hi guys, hope you have some tips for me..

We deployed Azure AD Domain Services to be able to set up Windows Virtual Desktop. Cloud-only user accounts.

Deployed a host pool and the management available from GitHub - and it all looks very good - no red crosses anywhere.

Added user accounts to appgroups both using PowerShell and the management portal without noticing any difference - it looks good when I run the Get-RdsAppGroupUser commands as it lists accounts generated both ways.

Accounts that are members of AAD DC Administrators log in to the VDI perfectly, but "normal" user accounts get an error message that looks like a flashback from RDS deployments:

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA..............

Normally this is easily fixed (System Properties - Remote tab), but the good old fix does not apply on Windows Virtual Desktop. I have destroyed the hostpool and rebuilt it. I have added several hostpools and fooled around with how I add user accounts to each hostpool, but the results are the same. On every hostpool I deploy I have the exact same problem - accounts with admin rights log right in and standard accounts get this error message.

I have tried searching for an answer but everything I find is related to on-prem RDS deployments where the attempted solutions do not apply to WVD - simply because we do not have access to the backend infrastructure.

Since the rest of our Azure deployment does not depend on AADDS, I am tempted to destroy the whole thing and start over. I am just a bit worried that I'll end up with the same mess all over again.

Sorry for the long post; if anyone has the possibility to shed some light on this I will be forever grateful.

3 Replies
Best Response confirmed by HenrikBryne (New Contributor)
Solution

@HenrikBryne : Can you run Diagnostics to get the exact error message for the user? Similar to this: https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-role-service#filter-diagnostic-ac...

But please run

$activities = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed

You can then expand $activities to see individual items. If you look at a specific item, you can then expand the Errors property to see the detailed error that might indicate why the connections are failing. 
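One way to do what the reply describes, as an added example that is not from the thread: pull the failed connection activities for the tenant (optionally for one user), flatten every entry of the Errors property into one row, and group by symbolic error code so a pattern that hits only standard users is visible at a glance. It assumes the WVD (classic) RDS PowerShell module with an Add-RdsAccount session, and assumes the UserName/StartTime parameters and the SessionHostName, ErrorSource, ErrorCodeSymbolic and ErrorMessage property names of the returned objects.

```powershell
# Added example, not from the original thread. Assumes the WVD (classic) RDS
# PowerShell module is installed and Add-RdsAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $TenantName,
    [string] $UserName,           # optional UPN filter, e.g. user@contoso.com (assumed parameter)
    [int] $LookbackHours = 24
)

$since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours)

$query = @{
    TenantName   = $TenantName
    ActivityType = 'Connection'
    Outcome      = 'Failure'
    StartTime    = $since        # assumed parameter name
    Detailed     = $true
}
if ($UserName) { $query.UserName = $UserName }

$activities = Get-RdsDiagnosticActivities @query

# One row per error entry so each failure is tied to its user and session host.
# Property names below (SessionHostName, ErrorSource, ErrorCodeSymbolic,
# ErrorMessage) are assumed from the diagnostics activity schema.
$rows = foreach ($a in $activities) {
    foreach ($e in $a.Errors) {
        [pscustomobject]@{
            Time    = $a.StartTime
            User    = $a.UserName
            Host    = $a.SessionHostName
            Source  = $e.ErrorSource
            Code    = $e.ErrorCodeSymbolic
            Message = $e.ErrorMessage
        }
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# The same code for every standard user with no admin failures points at
# account state (e.g. missing NTLM/Kerberos hashes) rather than at the hosts.
$rows | Group-Object Code | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
```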

My user has the same issue. Let me follow this topic.

- the issue occurs when using the Remote Desktop application but does not occur when using the browser

@christianmontoya I just found my mistake..

The user accounts were created before AADDS was deployed, and the admin accounts were created after the deployment. It seems there is a password hash sync issue in that scenario. Text from the docs:

"To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials."

and

"For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. You can either expire the passwords for all users in the tenant who need to use Azure AD DS, which forces a password change on next sign-in, or instruct them to manually change their passwords."

So the answer to all my trouble was right there. Resetting the password (and logging in to the PC again with the updated password) was all it took for this deployment to work perfectly.

I thank you guys for your answers, appreciate it.
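The root cause above (cloud-only accounts whose password predates Azure AD DS enablement have no NTLM/Kerberos hashes, so NLA fails for exactly those users) can be found tenant-wide rather than one account at a time. This added example, not from the thread, lists cloud-only member accounts whose last password change is older than the date AADDS was enabled and, only with -Enforce, expires their password so the next sign-in generates the hashes. It assumes the Microsoft.Graph PowerShell module with a Connect-MgGraph session holding User.ReadWrite.All, and the AADDS enablement date is a value the admin supplies.

```powershell
# Added example, not from the original thread. Assumes Microsoft.Graph module and
# Connect-MgGraph -Scopes User.ReadWrite.All has been run.
param(
    # Date Azure AD DS was enabled for the tenant (admin-supplied). Hashes only
    # exist for passwords changed after this point.
    [Parameter(Mandatory)] [datetime] $AaddsEnabledOn,
    [switch] $Enforce        # without this switch the script only reports
)

$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id,UserPrincipalName,LastPasswordChangeDateTime,OnPremisesSyncEnabled,AccountEnabled

# Cloud-only (not synced from on-prem), enabled accounts whose last password
# change predates AADDS enablement, or has no recorded change at all, cannot
# have NTLM/Kerberos hashes yet, so NLA to a session host fails for them.
$stale = $users | Where-Object {
    -not $_.OnPremisesSyncEnabled -and
    $_.AccountEnabled -and
    ($null -eq $_.LastPasswordChangeDateTime -or
     $_.LastPasswordChangeDateTime -lt $AaddsEnabledOn)
}

Write-Host "Accounts needing a password change before they can use AADDS: $($stale.Count)"
$stale | Select-Object UserPrincipalName, LastPasswordChangeDateTime | Format-Table -AutoSize

if ($Enforce) {
    foreach ($u in $stale) {
        # Expire the password; the next Azure AD sign-in forces a change, which
        # is what generates and stores the NTLM/Kerberos hashes.
        Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
        Write-Host "Forced password change at next sign-in for $($u.UserPrincipalName)"
    }
}
```

Run it without -Enforce first and compare the list against the users who fail with the NLA error; admin accounts created after enablement should be absent, matching what the thread observed.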