Unable to Login to Azure Virtual Desktop Session host

If you have recently set up an Azure Virtual Desktop (AVD) environment and are attempting to log in to a session host through the Windows Desktop Client application or the web client, you may encounter the following error messages.

Users can connect to AVD via a web client, by installing the Remote Desktop Client, or by using a Windows App. In this blog post, we will explore these error messages and provide solutions to resolve them.

Error 1

When attempting to connect to an Azure Virtual Desktop system through a web browser, you may get the following error message:

Oops, we couldn’t connect to “SessionDesktop”. We couldn’t connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help.


Error 2

Oops, we couldn’t connect to “SessionDesktop”. Sign in failed. Please check your username and password and try again.


Error 3

You might encounter the following error message when attempting to connect to your session desktop using the Windows desktop client installed on your computer. After entering your username and password, it proceeds to authenticate your session but fails, resulting in the following error code.

An error occurred while accessing this resource. Retry the connection or contact your system administrator.

  • Error Code: 0x3000047
  • Extended error code: 0x0

Solution

Before proceeding to the fix, please check whether the following requirements are met:

  1. The local PC is Entra joined to the same Entra ID tenant as the session host.
  2. The local PC is Entra hybrid joined to the same Entra ID tenant as the session host.
  3. The local PC runs Windows 11 or 10, version 2004 or later, and is Entra ID registered to the same Entra ID tenant as the session host.

To enable access from Windows devices not joined to Entra ID, add targetisaadjoined:i:1 as a custom RDP property to the host pool.

Add targetisaadjoined:i:1 RDP Property

Follow the steps below to add the targetisaadjoined:i:1 RDP property to the host pool:

  • Sign in to the Azure portal.
  • Browse to Azure Virtual Desktop and then find the host pool.
  • On the left-hand side, select RDP Properties.
  • In RDP Properties, open the Advanced tab.
  • In the RDP Properties box, enter a semicolon (;) and then type targetisaadjoined:i:1

You can refer to the screenshot below, which shows the targetisaadjoined:i:1 RDP property in a host pool.


Virtual Machine User Login Role Assignment

To ensure a user can use the virtual machines, add them to the Virtual Machine User Login role for each virtual machine. Here’s how you can do it:

  • Sign in to the Azure Portal.
  • Search for Virtual Machine and click on it to open it.
  • On the left-hand side, find Access control (IAM).
  • Click on Add > Add role assignment.
  • Search for the Virtual Machine User Login role and then click on Members.
  • You can add an individual user to this role, or add a group, which grants the Virtual Machine User Login permission to all members of that group. Click on Review + assign to finish assigning the role.
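
The two portal procedures above (adding the RDP property and assigning the role) can also be scripted. The following is an added example, not part of the original post: it assumes the Az.DesktopVirtualization and Az.Resources modules, a session already signed in with Connect-AzAccount, and placeholder resource group, host pool and group names. It keeps existing RDP properties intact and assigns the role to a group on each session host VM only where it is missing.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the post.
$ResourceGroup = 'rg-avd-example'
$HostPoolName  = 'hp-avd-example'
$GroupName     = 'AVD-Users-Example'   # Entra ID group whose members should be able to sign in
$Property      = 'targetisaadjoined:i:1'
$RoleName      = 'Virtual Machine User Login'

# --- Step 1: add the custom RDP property without discarding existing ones ---
$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
# The property string is semicolon-separated; split it and drop empty fragments.
$existing = @($pool.CustomRdpProperty -split ';' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($existing -contains $Property) {
    Write-Output "Host pool already has $Property"
} else {
    # Replace any other targetisaadjoined value (for example :i:0) instead of duplicating the key.
    $merged = @($existing | Where-Object { $_ -notlike 'targetisaadjoined:*' }) + $Property
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty ($merged -join ';') | Out-Null
    Write-Output "Added $Property to $HostPoolName"
}

# --- Step 2: assign the login role to one group, scoped to each session host VM ---
$group = @(Get-AzADGroup -DisplayName $GroupName)
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)" }

$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName
foreach ($sh in $sessionHosts) {
    $vmId = $sh.ResourceId   # resource ID of the VM behind this session host
    $current = Get-AzRoleAssignment -ObjectId $group[0].Id -Scope $vmId -RoleDefinitionName $RoleName
    if ($current) {
        Write-Output "Already assigned (directly or inherited): $vmId"
    } else {
        New-AzRoleAssignment -ObjectId $group[0].Id -Scope $vmId -RoleDefinitionName $RoleName | Out-Null
        Write-Output "Assigned $RoleName on $vmId"
    }
}

# Check: print the resulting property string for review.
(Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
```

Assigning the role to a group at VM scope keeps sign-in rights limited to the session hosts of this host pool and makes later access reviews a matter of checking group membership.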

Conclusion

In this blog post, we’ve discussed various errors that can occur when connecting to Azure Virtual Desktop and provided solutions to help you resolve them. If you’re still unable to fix the issue after trying these solutions, it’s recommended that you open a support ticket with Microsoft for further assistance.

1 thought on “Unable to Login to Azure Virtual Desktop Session host”

  1. I have an issue related to this but the system is not AzureAD joined or registered. It is also not hybrid. The registered apps are on systems in their own domain and have an rds server that manages user cals. For some reason, our test user can attempt to access apps successfully since it gets prompted for credentials BUT any other user fails immediately.
