Azure AD – Remote Desktop Connection to Azure AD Joined Computer

azure-active-directoryrdp

I'm doing some testing on a standalone (no on-prem AD sync) Azure AD test tenancy, and have set up a user (non-admin) account, installed a base Windows 10 system, and joined it to Azure AD (shows Azure AD Joined) using the user account. It appears to have created that account as a local admin, so I've enabled Remote Desktop and am attempting to log into it using the test user from my normal work computer (local AD joined, Hybrid Azure AD in production tenancy). However, I keep getting "The logon attempt failed":

On the Win10 system (the RDP "server"), in the Event Log under Applications and Services -> Microsoft -> Windows -> RemoteDesktopServices-RdpCoreTS, I can see at the same time two warnings:

Event ID 142, Category RemoteFX module: TCP socket READ operation failed, error 64

Event ID 226, Category RemoteFX module: RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).

Using WireShark on the "server" side, I can see my "client" system connecting and negotiating TLSv1.2 with Client Hello, Server Hello, and passing TLS "Application Data" from client to server, then "server" back to "client" (with ACKs sent back for each). At this point, it looks like my "client" sends a TCP RST.

I've tried the username in the following format, all result in the same error and same Wireshark RST:

name@domain
AzureAD\name@domain
.\AzureAD\name@domain

And I've also tried to connect using the the Remote Desktop store app, which gave me:

Error code: 0x9735
Extended error code: 0x0
Activity ID: {af13979d-a3b9-41c5-8205-5bab5ca60000}

I've seen several articles that indicate I need to disable NLS on both sides, but 1) that seems like a bad idea without knowing why that's required, and 2) I tried it anyway and it didn't work.

I'm out of ideas. Anyone smarter than me able to point me in the right direction?

Best Answer

I'm doing some testing on a standalone (no on-prem AD sync) Azure AD test tenancy, and have set up a user (non-admin) account, installed a base Windows 10 system, and joined it to Azure AD (shows Azure AD Joined) using the user account. It appears to have created that account as a local admin, so I've enabled Remote Desktop and am attempting to log into it using the test user from my normal work computer (local AD joined, Hybrid Azure AD in production tenancy).

That will not work, source and destination need to be in the same tenant.

For more info: https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc#set-up

Related Solutions

Remote Desktop Connection stops working when connection is closed

The crash seams to be caused by a HP dll (storeng.dll) which causes an access violation:

00 ntdll!NtWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 kernel32!WerpReportFaultInternal
03 kernel32!WerpReportFault
04 KERNELBASE!UnhandledExceptionFilter
05 ntdll!RtlUserThreadStart$filt$0
06 ntdll!_C_specific_handler
07 ntdll!RtlpExecuteHandlerForException
08 ntdll!RtlDispatchException
09 ntdll!KiUserExceptionDispatch
0a ntdll!RtlpWaitOnCriticalSection
0b ntdll!RtlpEnterCriticalSectionContended
0c storeng!IsMachineInLDAPStore
0d storeng!CloseStorageDriver
0e vchannel!VirtualChannelOpenEvent
0f mstscax!CChan::IntChannelCallCallbacks
10 mstscax!CChan::ChannelOnDisconnected
11 mstscax!CMCS::OnDisconnected
12 mstscax!CTSProtocolHandlerBase::OnDisconnected
13 mstscax!CTSX224Filter::OnDisconnected
14 mstscax!CTSProtocolHandlerBase::OnDisconnected
15 mstscax!CTscSslFilter::OnDisconnected
16 mstscax!CTSProtocolHandlerBase::OnDisconnected
17 mstscax!CTSFilterTransport::OnDisconnected
18 mstscax!CTSTransportStack::OnDisconnected
19 mstscax!CTSTcpTransport::DropLink
1a mstscax!CTSTransportStack::Disconnect
1b mstscax!CTSFilterTransport::Disconnect
1c mstscax!CTSProtocolHandlerBase::Disconnect
1d mstscax!CTSProtocolHandlerBase::Disconnect
1e mstscax!CTSX224Filter::Disconnect
1f mstscax!CMCS::Disconnect
20 mstscax!CSL::Disconnect
21 mstscax!CTSProtocolHandlerBase::Disconnect
22 mstscax!CoreFSM::StartStackDisconnection
23 mstscax!CoreFSM::CCFSMProc
24 mstscax!CoreFSM::CC_Event
25 mstscax!CoreFSM::StartShutdown
26 mstscax!CTSCoreApi::ForceShutdown
27 mstscax!CRdpBaseCoreApi::AsyncForceShutdownRecvThread
28 mstscax!CTSMsg::Invoke
29 mstscax!CTSThread::RunQueueEvent
2a mstscax!CTSThread::RunAllQueueEvents
2b mstscax!CTSThread::internalMsgPump
2c mstscax!CTSThread::internalThreadMsgLoop
2d mstscax!CTSThread::ThreadMsgLoop
2e mstscax!CRCV::RCVMain
2f mstscax!CTSThread::TSStaticThreadEntry
30 mstscax!PAL_System_Win32_ThreadProcWrapper
31 kernel32!BaseThreadInitThunk
32 ntdll!RtlUserThreadStart

BUCKET_ID:  NULL_CLASS_PTR_WRITE_AVRF_storeng!IsMachineInLDAPStore+11e1

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_WRITE_AVRF_storeng!IsMachineInLDAPStore+11e1

FAILURE_PROBLEM_CLASS:  NULL_CLASS_PTR_WRITE_AVRF

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  storeng.dll

FAILURE_FUNCTION_NAME:  IsMachineInLDAPStore

FAILURE_SYMBOL_NAME:  storeng.dll!IsMachineInLDAPStore

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_WRITE_AVRF_c0000005_storeng.dll!IsMachineInLDAPStore

    Image path: C:\Program Files\Hewlett-Packard\SimplePass\storeng.dll
    Image name: storeng.dll
    Browse all global symbols  functions  data
    Timestamp:        Mon Oct 14 18:23:32 2013 (525C1A84)
    CheckSum:         000B720E
    ImageSize:        000AD000
    File version:     8.0.0.57
    Product version:  8.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Hewlett-Packard
    ProductName:       HP SimplePass
    InternalName:     storeng.dll
    OriginalFilename: storeng.dll
    ProductVersion:   8.0
    FileVersion:      8.0.0.57
    FileDescription:  Storage Engine Dll
    LegalCopyright:   Copyright(C) 2001 - 2013 Softex Inc.

Try to update this DLL.

AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device

I understand your frustration with this. I just spent about 20 hours troubleshooting problems with automatic AAD joining. I am running the latest version of AD Connect, and am running an ADFS farm on Server 2016. I did NOT let AD Connect configure my ADFS servers.

I had the exact same error. The issue was a missing ImmutableID claim. This link proved to be the best resource for setting up azure AD join: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

There is a script listed there to automatically add the necessary claim rules. Now that i practically understand this whole process inside and out, I can say that the script actually does work and adds the correct claims rules.

However, what is misleading is how to configure the couple of variables in the script. So, I thought I would clarify based on my learning, hopefully it will save somebody some time.

$MultipleVerifiedDomainNames: The description and name is both WRONG and MISLEADING. Set this to $TRUE only if you have MULTIPLE FEDERATED DOMAINS in your Office 365 tenant.
$immutableIDAlreadyIssuedforUsers: If the Immutable ID (Source Anchor) for your AD Connect synchronization does NOT use objectGUID then set this to $TRUE.
$oneOfVerifiedDomainNames: If you set $MultipleVerifiedDomainNames to $true, then set this to the Office 365 verified domain name that you want your devices to register to.

Do not change any other components of the script, and make sure you only run it once. If you need to run it again, you need to manually remove the added claims issuance rules from the RP trust or they will be duplicated.

Another very helpful thing to know when it comes to troubleshooting on Windows 10, use DSREGCMD. It has to run as SYSTEM so you'll need something like PSEXEC.

psexec -i -s cmd.exe

dsregcmd /debug

This will force an immediate registration to Azure, and report detailed information about the failure. During my testing, Windows 7 worked fine, but Windows 10 would not AD join. If the ImmutableID is the problem you'll see the error is: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

If, you included a verified domain when you shouldn't have or it's wrong you'll see: AADSTS50107: Requested federation realm object your specified domain does not exist.

Best Answer

Related Solutions

Remote Desktop Connection stops working when connection is closed

AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device

Related Topic