Connecting with Azure Virtual Desktop to session host joined to a different domain
I have an Azure Virtual Desktop system with a variety of hosts (both RemoteApp and Desktop) that have been working well.
I also have a small network and domain for developers with a session host I would like devs to be able to reach through an AVD connection. Both the devs domain and the corp domain are using Windows Server AD domain controllers (not Azure AD).
The problem I'm experiencing is that I can't figure out how to make the session host prompt the user for their credentials on the devs domain, which won't match their AD credentials for the corp domain. I want to manage access to the AVD resource via the corp domain credentials, but allow them to enter their devs domain credentials to log into the session host. Other threads I've read seem to indicate this is possible but I haven't had success making the connection yet.
Currently they get a fairly generic error from AVD about 'couldn't connect to the resource' but I know it is at least reaching all the way through to the session host because when I look in Event Viewer on it I see this RDP error
AddUserToLocalGroupAndResolveSidAsync GetUpnFromSidAsync: ex=System.Exception: The service couldn't map the user's Azure Active Directory account name to a security ID <S-1-5-...etc>.
That seems to indicate Windows is trying to do something with AD credentials attached to the connection, but I only want Windows to use credentials input by the user after connection is made.
So far what I've tried is toggling these RDP properties on and off in the AVD hostpool:
- promptcredentialonce
- enablerdsaadauth
- targetisaadjoined
None of these seem to have any effect on the behavior. What might I be missing?
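The following PowerShell is an added example, not code from the original post. It shows the two things a practitioner would want to do while working through this question: set the three host pool RDP properties deterministically with the Az.DesktopVirtualization cmdlets (Get-AzWvdHostPool / Update-AzWvdHostPool) and read them back to confirm what is actually applied, and, on the dev session host itself, check whether the corp-domain UPN can be resolved to a SID there, which is the step the logged AddUserToLocalGroupAndResolveSidAsync error shows failing. The resource group, host pool name and UPN are assumed placeholders. The values chosen (enablerdsaadauth and targetisaadjoined off, promptcredentialonce on) reflect that the session hosts are AD DS joined rather than Azure AD joined; those two switches only apply to Azure AD joined hosts.

```powershell
# Added example (not from the original post). Assumes the Az.Accounts and
# Az.DesktopVirtualization modules are installed and Connect-AzAccount has run.
Import-Module Az.DesktopVirtualization

$rg   = 'rg-avd-dev'          # assumed resource group name
$pool = 'hp-dev-sessionhost'  # assumed host pool name

# Merge key/value overrides into an existing "key:type:value;" RDP property
# string so that other properties already on the pool are not clobbered.
function Merge-RdpProperty {
    param(
        [string]$Existing,
        [hashtable]$Overrides
    )
    $map = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        # Each entry looks like promptcredentialonce:i:1
        if ($entry -match '^([^:]+):([is]):(.*)$') {
            $map[$Matches[1]] = "$($Matches[2]):$($Matches[3])"
        }
    }
    foreach ($k in $Overrides.Keys) { $map[$k] = $Overrides[$k] }
    return ($map.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';'
}

# Return the subset of wanted properties that are NOT present in the applied
# string, so an empty result means every override landed.
function Get-MissingRdpProperty {
    param(
        [string]$Applied,
        [hashtable]$Wanted
    )
    $entries = $Applied -split ';'
    $Wanted.Keys | Where-Object { $entries -notcontains "$($_):$($Wanted[$_])" }
}

# 1. Inspect what is currently applied, one property per line.
$hp = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$hp.CustomRdpProperty -split ';' | Where-Object { $_ } | Sort-Object

# 2. Apply the desired values. Session hosts here are AD DS joined, so the
#    Azure AD-only switches are off and the user is prompted once for
#    credentials when the connection is made.
$wanted = @{
    'promptcredentialonce' = 'i:1'
    'enablerdsaadauth'     = 'i:0'
    'targetisaadjoined'    = 'i:0'
}
$new = Merge-RdpProperty -Existing $hp.CustomRdpProperty -Overrides $wanted
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $new | Out-Null

# 3. Read back and verify; the client only sees the change after it refreshes
#    its workspace feed, so also resubscribe on the test client afterwards.
$applied = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
$missing = Get-MissingRdpProperty -Applied $applied -Wanted $wanted
if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" } else { 'RDP properties applied.' }

# 4. Run ON THE DEV SESSION HOST: can this host resolve the corp UPN to a SID?
#    This is the lookup the AVD agent performs when it adds the assigned user to
#    the local Remote Desktop Users group; $null here matches the logged error.
function Test-UpnResolvesToSid {
    param([string]$Upn)
    try {
        ([System.Security.Principal.NTAccount]$Upn).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}
Test-UpnResolvesToSid -Upn 'alice@corp.example'   # assumed corp UPN
```

If the lookup in step 4 returns $null from the dev session host while it returns a SID from a corp session host, the RDP properties are not the variable to keep toggling: the dev host has no way to turn the corp identity into a security principal, which is what the agent error is reporting.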