Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,522 questions
Connecting with Azure Virtual Desktop to session host joined to a different domain
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 47%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Crogger
0
Reputation points
I have an Azure Virtual Desktop system with a variety of hosts (both RemoteApp and Desktop) that have been working well.
I also have a small network and domain for developers with a session host I would like devs to be able to reach through an AVD connection. Both the devs domain and the corp domain are using Windows Server AD domain controllers (not Azure AD)
The problem I'm experiencing is that I can't figure out how to make the session host prompt the user for their credentials on the devs domain, which won't match their AD credentials for the corp domain. I want to manage access to the AVD resource via the corp domain credentials, but allow them to enter their devs domain credentials to log into the session host. Other threads I've read seem to indicate this is possible but I haven't had success making the connection yet.
Currently they get a fairly generic error from AVD about 'couldn't connect to the resource' but I know it is at least reaching all the way through to the session host because when I look in Event Viewer on it I see this RDP error
AddUserToLocalGroupAndResolveSidAsync GetUpnFromSidAsync: ex=System.Exception: The service couldn't map the user's Azure Active Directory account name to a security ID ≤S-1-5-...etc≥.
That seems to indicate Windows is trying to do something with AD credentials attached to the connection, but I only want Windows to use credentials input by the user after connection is made.
So far what I've tried is toggling these RDP properties on and off in the AVD hostpool:
- promptcredentialonce
- enablerdsaadath
- targetisaadjoined
None of these seem to have any effect on the behavior. What might I be missing?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Nikhil Duserla 2,105 Reputation points Microsoft Vendor2024-09-09T09:47:32.15+00:00 Hi @Crogger,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
We understand from your query that you are experiencing an issue, and it looks like you want developers to use their devs domain credentials to log into a session host in their domain via Azure Virtual Desktop (AVD), even though you’re managing access with corp domain credentials. The problem is that the session host isn't prompting for the devs domain credentials.
Configuring the session host to trust the devs domain and editing the group policies to allow credential delegation is a great approach to achieve the desired behavior.
By adding the devs domain to the list of trusted domains on the session host, you are enabling it to authenticate users with their devs domain credentials. This step is essential for allowing the session host to prompt users to enter their devs domain credentials when they log in.
Editing the group policies on the session host to configure credential delegation is also essential. The "Allow delegating fresh credentials with NTLM-only server authentication" policy will enable the session host to delegate the user's credentials to the devs domain for authentication.
Configuring the policies: To configure these policies, you'll need to edit the group policies on the session host using the
secpol.mscconsole.Here are the steps:
- Open the
secpol.mscconsole on the session host. - Navigate to the "Local Policies" section.
- Click on "Security Options" and enable them.
Note: Make sure to test the solution after configuring these policies to ensure that the session host is properly authenticating users with their devs domain credentials.
If you have any further queries, do let us know.
- Open the
-
Nikhil Duserla 2,105 Reputation points Microsoft Vendor
2024-09-10T03:54:01.5866667+00:00 Hi @Crogger,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.
Thank you!
-
Nikhil Duserla 2,105 Reputation points Microsoft Vendor
2024-09-11T02:35:00.47+00:00 Hi @Crogger,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.
Thank you!
-
Crogger 0 Reputation points
2024-09-11T15:34:32.6866667+00:00 Thanks Nikhil,
I could not find the "Allow delegating fresh credentials with NTLM-only server authentication" setting in secpol.msc, but I did find it in
gpedit.msc > Local Computer Policy > Administrative Templates > System > Credentials Delegation
That definitely sounded promising -- I have switched it to 'Enabled' and added TERMSRV/* to the list of allowed SPNs within the rule parameters.
It does not appear to have made a difference so far. I still see the error "The service couldn't map the user's Azure Active Directory account name to a security ID" from Microsoft.RDInfra.RDAgent.Service.Services.AgentOrchestrationService, when I try to connect through AVD
One part I'm not clear on is where you said
By adding the devs domain to the list of trusted domains on the session host, you are enabling it to authenticate users with their devs domain credentials.
The session host is joined to the devs domain, so wouldn't it inherently be trusted? If not, where is this list so I can add it? Thank you
-
Crogger 0 Reputation points
2024-09-11T15:50:17.96+00:00 Edit: Duplicated comment
-
Nikhil Duserla 2,105 Reputation points Microsoft Vendor
2024-09-13T02:09:14.33+00:00 Hi @Crogger,
Thank you for sharing information. We will be checking with our internal team and will get back to you soon.
-
Nikhil Duserla 2,105 Reputation points Microsoft Vendor
2024-09-19T04:14:23.38+00:00 Hi @Crogger,
Thank you for your patience. We have discussed with our internal team.
When running a virtual machine on Azure that's joined to a domain, it uses that domain's Active Directory (AD) for user authentication. If you want users from a different domain to access this VM, you must set up a trust relationship between the two domains.
For Azure Virtual Desktop (AVD), if your session host VMs are in one domain and you want users from another domain to authenticate, you'll need to establish this trust relationship.
To do this, configure the necessary trust settings in Active Directory, which may involve creating a one-way or two-way trust, depending on your requirements.
Additionally, ensure that users from the dev domain are synced to the Azure AD tenant linked to your AVD setup using Azure AD Connect.
Any other configurations wouldn't suit your requirements.
If you have any further queries, do let us know.
Sign in to comment
Sign in to answer