Azure Virtual Desktop authentication loop


Hello,


I have created my first Azure Virtual Desktop deployment. When I try to connect to a session host using the Azure Virtual Desktop Preview client, I get into an authentication loop where I get prompted to select my Azure AD account.


The problem is similar to what is documented here (AzureAD SSO appears to break), with the exception that my account is not a member of the local Administrators group and that I am in a pure Azure AD environment (there is no on-prem AD DS or Azure AD DS in my technological environment).


Here are the details of my setup:


In Azure AD web console:

- Created UserGroup1

- Added User1 to UserGroup1

- Assigned "Virtual Machine User Login" role to UserGroup1 on Resource group where the below Azure Virtual Desktop resources are created.


- Created a Hostpool (Personal desktop)

- Added 2 Session hosts to Hostpool (Azure AD joined, Intune enrolled, automatic user assignment)


- Created Application group

- Assigned Application group to Hostpool

- Assigned UserGroup1 to Application group


- Created a Workspace

- Assigned Application group to Workspace


- Selected "Connection will use Azure AD authentication to provide single sign-on" in Connection information tab of RDP Properties of Hostpool

- Added targetisaadjoined:i:1 in Advanced tab of RDP Properties of Hostpool


On client computer:

- Installed Azure Virtual Desktop Preview app from Microsoft Store (version 1.2.4419.0)

- Launched Azure Virtual Desktop Preview app (connected to Workspace automatically, Session host appears)

- Tried to access Session host (At this point, I enter in an authentication loop where I have to select my Azure AD account.)


- Launched Microsoft Edge (Azure AD account profile selected)

- Accessed https://client.wvd.microsoft.com/arm/webclient/v2/index.html (connected to Workspace automatically, Session host appears)

- Tried to access Session host (At this point, I get the "Sign in failed. Please check your username and password and try again." error message. I am unable to enter other credential information since SSO is enabled. Access to other web resources using Azure AD SSO is working, proving that my credential information is OK.)


Things I have checked:

- User1 gets automatically assigned to the first Session host in the Host pool

- I can log on using the local Virtual Machine administrator if I disable Azure SSO by selecting "Connection will not use Azure AD single sign-on" in Connection information tab of RDP Properties of Hostpool

- Legacy per-user multi-factor authentication sign-in method is disabled

- Azure Windows VM Sign-In (372140e0-b3b7-4226-8ef9-d57986796201) and Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) are excluded from MFA Conditional Access policy (logs do not show that the user authentication is blocked by MFA)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID=1 on Session host and client computer

- Session host can reach the URL listed in the "Troubleshoot deployment problems" section of Log in to a Windows virtual machine in Azure by using Azure AD including passwordless

- Client computer meets the requirements described in the "Access Azure AD-joined VMs" section of Deploy Azure AD-joined virtual machines in Azure Virtual Desktop

- Intune does not apply any configuration on Session host (Session host shows as compliant in Intune console)


I perused Microsoft documentation, and I cannot find why SSO connection to the Session host is not working with the setup described above. Does anyone know which configuration might be missing?


Thanks
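Added example (not part of the original post): a PowerShell script that reads back, from the Azure control plane, the prerequisites the post lists, so a missing setting is reported by name instead of surfacing as a sign-in loop. It assumes the Az.DesktopVirtualization and Az.Resources modules and an existing Connect-AzAccount session; the resource-group and host-pool names ('rg-avd', 'hp-personal') are placeholders, since the post does not name them. The property 'enablerdsaadauth:i:1' is what the "Connection will use Azure AD authentication to provide single sign-on" option writes into the custom RDP properties; 'targetisaadjoined:i:1' is the Advanced-tab entry from the post.

```powershell
# Added example, not code from the original post. Reads back the settings the post lists
# so a missing prerequisite is reported by name rather than showing up as a logon loop.
# Assumes Az.DesktopVirtualization + Az.Resources and an existing Connect-AzAccount session.
param(
    [string]$ResourceGroupName = 'rg-avd',        # assumption: RG holding host pool and VMs
    [string]$HostPoolName      = 'hp-personal',   # assumption: host pool name
    [string]$UserGroupName     = 'UserGroup1'     # from the post
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Custom RDP properties. Both flags are required for Azure AD authentication to an
#    Azure AD-joined session host; the portal stores them as a ';'-separated string.
$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -ErrorAction Stop
$rdp  = @($pool.CustomRdpProperty -split ';' | Where-Object { $_ })
foreach ($required in 'enablerdsaadauth:i:1', 'targetisaadjoined:i:1') {
    if ($rdp -notcontains $required) { $findings.Add("host pool RDP property missing: $required") }
}

# 2. Azure RBAC. 'Virtual Machine User Login' on the resource group is inherited by its VMs.
$ra = Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName -RoleDefinitionName 'Virtual Machine User Login' |
      Where-Object { $_.DisplayName -eq $UserGroupName }
if (-not $ra) {
    $findings.Add("no 'Virtual Machine User Login' assignment for $UserGroupName on $ResourceGroupName")
}

# 3. Session hosts must report Available before the broker routes a connection to them.
Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName | ForEach-Object {
    if ($_.Status -ne 'Available') { $findings.Add("session host $($_.Name) is $($_.Status)") }
}

# 4. Checks that only work from inside the VM. Run this function on the session host itself,
#    for example via Invoke-AzVMRunCommand -CommandId RunPowerShellScript.
function Test-SessionHostLocal {
    $ds = dsregcmd /status
    [pscustomobject]@{
        # Device must be Azure AD joined (not merely registered) for the MS-Organization-Access cert to be used.
        AzureAdJoined = [bool]($ds | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
        # The registry value from the post: PKU2U must be allowed for Azure AD accounts to log on.
        AllowOnlineID = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' -ErrorAction SilentlyContinue).AllowOnlineID
    }
}

if ($findings.Count -eq 0) { 'no findings in the control-plane checks' } else { $findings }
```

The control-plane part can be run from any workstation with Az access; Test-SessionHostLocal has to run on the VM, since dsregcmd and the Lsa\pku2u key describe that machine only.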

8 Replies

Hi GuyMathieuSupport,

Can you try this action plan?

1. Rename the folder "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" to "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old"
2. Log in to Windows. A clean Microsoft.AAD.BrokerPlugin folder should be created
3. Try to sign-in again

Please note that renaming this folder requires the user to be logged off. The renaming can for example be done via another (administrative) account.

@MathieuVandenHautte Thanks for the quick response. I renamed the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy directory using a local administrator account while the user was not logged in. Unfortunately, it did not solve my problem. I still can't log in on an Azure Virtual Desktop.

Hi GuyMathieuSupport,

Can you check the event viewer logs on the Windows clients for error codes regarding the Azure Virtual Desktop Client?


I would also recommend using the GA Azure Virtual Desktop Client in production (not the Microsoft Store public preview version):
https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows

If this does not solve the issue, please contact Azure support. They can run extended diagnostics in the backend to determine the cause of your issue.

Using the GA client does not solve the problem. There is no error in the Event Viewer on the client. I can only log on with the local admin account. To do so, I need to disable Azure AD SSO.

I notice that an Event ID 4625 is logged in the Security event log of the VM every time I try to connect with an Azure AD account. The Failure Information of the event is:
Failure reason: An Error occured during Logon
Status: 0xC000006D
Sub Status: 0xC0000250

I have not found any useful information regarding the SubStatus. (https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625)

I am unable to log on with an Azure AD account even when SSO is disabled. I tried these different ways to enter the username, and none are working:
- email address removed for privacy reasons
- AzureAD\email address removed for privacy reasons
- tenant.onmicrosoft.com\email address removed for privacy reasons
- tenant.onmicrosoft.com\email address removed for privacy reasons

I know the VM is Azure AD joined as there is a device object in AzureAD that has the name of the SessionHost. There is a "Client Authentication" certificate issued by "MS-Organization-Access" which is issued to the GUID corresponding to the Device ID of the VM's device object in Azure AD.

The user is a member of the "Remote Desktop Users" local group in the VM.

As you have suggested, I'll contact Microsoft to try to solve this issue.

Thanks for your time @MathieuVandenHautte
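Added example (not from the thread): a PowerShell decoder for the 4625 events the reply above describes. Status and SubStatus live only in the event's EventData, so the script parses the event XML, labels the codes that the Event 4625 reference documents, and groups failures by logon type and status pair so a repeating 0xC000006D / 0xC0000250 combination stands out from ordinary bad-password noise. It runs elevated on the session host; the $sampleXml inside it is a constructed event in the 4625 schema with placeholder values (not a real log entry), used only with -UseSample so the parser can be exercised offline. Codes not in the 4625 reference, 0xC0000250 among them, are reported as such rather than given a meaning here.

```powershell
# Added example, not code from the thread. Decodes 4625 (logon failure) events from the
# Security log and groups them so one recurring Status/SubStatus pair is easy to spot.

# Labels taken from the Event 4625 reference; anything else is flagged as not in that table.
$statusText = @{
    '0xc000006d' = 'bad username or authentication information'
    '0xc000006e' = 'unknown user name or bad password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}
$subStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc000015b' = 'logon type not granted to user'
    '0xc0000193' = 'account expired'
    '0xc0000224' = 'must change password at next logon'
}
$logonTypeText = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '8' = 'NetworkCleartext'; '10' = 'RemoteInteractive' }

function ConvertFrom-Event4625 {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    # EventData is a flat list of <Data Name="...">value</Data>; index it by Name.
    $d = @{}
    foreach ($n in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    $st = "$($d['Status'])".ToLower()
    $ss = "$($d['SubStatus'])".ToLower()
    $lt = "$($d['LogonType'])"
    [pscustomobject]@{
        Time      = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = "$lt ($(if ($logonTypeText[$lt]) { $logonTypeText[$lt] } else { 'other' }))"
        AuthPkg   = $d['AuthenticationPackageName']
        Source    = $d['IpAddress']
        Status    = "$st ($(if ($statusText[$st]) { $statusText[$st] } else { 'not in 4625 table' }))"
        SubStatus = "$ss ($(if ($subStatusText[$ss]) { $subStatusText[$ss] } else { 'not in 4625 table; look up in ntstatus.h' }))"
    }
}

# Constructed sample in the 4625 schema (placeholder values) so the parser can be run offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2023-01-01T00:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">user1@contoso.example</Data>
    <Data Name="TargetDomainName">AzureAD</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">0xC0000250</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@

function Get-Failed4625 {
    param([int]$MaxEvents = 500, [switch]$UseSample)
    if ($UseSample) { return ConvertFrom-Event4625 ([xml]$sampleXml) }
    # Real run: needs an elevated session on the machine that logged the events.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4625 ([xml]$_.ToXml()) }
}

# Summary: one row per (LogonType, Status, SubStatus) combination, most frequent first.
Get-Failed4625 |
    Group-Object LogonType, Status, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Replace the final call with Get-Failed4625 -UseSample to see the decoder's output for the constructed event. A logon type of 10 with AuthenticationPackageName Negotiate and a source IP of the connecting client is what an RDP attempt to the session host looks like; a different logon type or package for the same user points at a different stage of the sign-in.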

@GuyMathieuSupport 
Can you please reset the password (change the password to a new password) of a user from Azure AD online and try?


Make sure that after resetting the user password, you first "Unsubscribe" from the "Azure Virtual Desktop Preview" and subscribe again with new password.


Let me know if it works or not.

@GuyMathieuSupport 


Did you manage to resolve this? Exactly the same issue in every way.

All works if you disable SSO

Checked and rechecked all requirements for SSO, e.g. Kerberos server.

It goes into an authentication loop.


Did exclude Azure Virtual Desktop VM and RDP from GA.

Did check SSO pre-requisites


Configured Virtual Machine User Login for Azure AD-joined AVD


Checked hostpool and have rdsaadauth:i:1 & targetisaadjoined:i:1 under Advanced


My test account is not a protected user in AD and has no admin roles; it's a normal user.


Driving me nuts


@EtienneBardardt and @GuyMathieuSupport, did you review the Azure AD sign-in logs to see if there are any policies that might be impacting the user sign in?

Hi,

I had the same issue, and I needed to exclude the application "Azure Windows VM Sign-In" from some of my conditional access policies. (For me, it was limiting to trusted IP's.)

https://cloudbrothers.info/en/the-case-of-signin-method-isnt-allowed/
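Added example (not from the thread): a PowerShell audit for the Conditional Access point raised in the last two replies. It lists every enabled or report-only policy that still applies to the two first-party apps named earlier in the thread (a policy that targets 'All' cloud apps, or the app itself, without excluding it), with its grant controls and location conditions, and then pulls recent failed sign-ins to those apps so the policy that interfered can be read from AppliedConditionalAccessPolicies. It assumes the Microsoft Graph PowerShell SDK and a Connect-MgGraph session with the Policy.Read.All and AuditLog.Read.All scopes; the app IDs are the ones quoted in the thread.

```powershell
# Added example, not code from the thread. Finds Conditional Access policies that still cover the
# Azure Windows VM Sign-In and Microsoft Remote Desktop apps, then shows failed sign-ins to them.
# Assumes: Microsoft.Graph SDK, Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All'.
$apps = [ordered]@{
    'Azure Windows VM Sign-In' = '372140e0-b3b7-4226-8ef9-d57986796201'   # from the thread
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'   # from the thread
}

function Test-CaPolicyTargetsApp {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][string]$AppId)
    $inc = @($Policy.Conditions.Applications.IncludeApplications)
    $exc = @($Policy.Conditions.Applications.ExcludeApplications)
    # 'All' covers every cloud app, so an explicit exclusion is the only way to carve this app out.
    $included = ($inc -contains 'All') -or ($inc -contains $AppId)
    return ($included -and ($exc -notcontains $AppId))
}

# Report-only policies do not block, but they are evaluated and logged, so list them as well.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -in 'enabled', 'enabledForReportingButNotEnforced' }

foreach ($name in $apps.Keys) {
    "== policies still applying to $name ($($apps[$name])) =="
    $policies | Where-Object { Test-CaPolicyTargetsApp -Policy $_ -AppId $apps[$name] } |
        Select-Object DisplayName, State,
            @{ n = 'Grant';     e = { $_.GrantControls.BuiltInControls -join ',' } },
            @{ n = 'Locations'; e = { "in:$($_.Conditions.Locations.IncludeLocations -join ',') ex:$($_.Conditions.Locations.ExcludeLocations -join ',')" } } |
        Format-Table -AutoSize
}

# Recent failed sign-ins to those apps, with any CA policy that reported a failure for them.
foreach ($name in $apps.Keys) {
    "== failed sign-ins to $name =="
    Get-MgAuditLogSignIn -Filter "appId eq '$($apps[$name])'" -Top 50 |
        Where-Object { $_.Status.ErrorCode -ne 0 } |
        Select-Object CreatedDateTime, UserPrincipalName, ConditionalAccessStatus,
            @{ n = 'Error';  e = { $_.Status.ErrorCode } },
            @{ n = 'Reason'; e = { $_.Status.FailureReason } },
            @{ n = 'CaPolicyFailed'; e = { ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure' | ForEach-Object DisplayName) -join ',' } } |
        Format-Table -AutoSize
}
```

A location-scoped policy (trusted IPs only, as in the reply above) applies to the VM sign-in app exactly like any other grant control, and the session host's own outbound address is what gets evaluated for that leg, not the user's workstation, which is why a policy that looks harmless from the client side can still fail this app.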