Azure Virtual Desktop - Can only connect using Azure Remote Desktop downloaded client but not from web nor Mac client

Isaac Gonzalez 1 Reputation point
2023-08-10T15:44:24.3633333+00:00

Hi all, I have scoured the internet for a solution for this issue. We have an AADDS joined AVD session host which currently works fine to allow users to connect to a session via the Azure Virtual Desktop client download. It does not work from the Microsoft Store app nor Apple Store app nor the web client. All of these fail authentication and I see it popping up in the logs of the session host.

I have definitely:

- assigned the Virtual Machine User Login role-based access control (RBAC) permission to the virtual machine (VM) or resource group for each user
- Conditional Access policy excludes multi-factor authentication requirements for the Azure Windows VM sign-in cloud application
- ensured that I am NOT using istargetaadjoined:1 in RDP properties and have played with trying to turn CredSSP on and off from the host pool and have left AAD single sign-on disabled.

I noticed that when I do get logged in to the session host, it logs an impersonation authentication success.

The main issue is I need to get the Macs logged in and the downloaded remote desktop client for Azure Virtual Desktop is Windows only. This is really bothersome because I read that one can connect from the Mac and it is supported. I'm not sure where else to look here. I have the log of the web client that throws a CredSSP error:

2023-08-10T05:25:13.248Z Core telemetry event: eventName=CredSSPState, traceMessage=CredSSP Handshake packet received
2023-08-10T05:25:13.251Z Connection(ERR): The connection generated an internal exception with disconnect code=LogonFailed(10006), extended code=<null>, reason=CredSSP error: The server reported error code -1073741715
 Thrown in thread 1153916 at:
    credsspstate.cpp(245)
Call Stack:
        at invoke_iiiiii
        at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[9289]:0x5c0bae
        at invoke_vii
        at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[9288]:0x5c0446 

    connection.cpp(1820): OnException()
at Logger.a.errorWithoutTimestamp (https://client.wvd.microsoft.com/arm/webclient/js/client.95fffd1c.js:1:3454),at Function.<anonymous> (https://client.wvd.microsoft.com/arm/webclient/js/client.95fffd1c.js:9:14780),at methodCaller_emscripten$$val_$emscripten$$val_emscripten$$val$ (eval at new_ (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:207926), <anonymous>:6:26),at __emval_call_method (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:229618),at invoke_diiiii (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:264225),at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[8394]:0x46ff85,at invoke_viii (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:261368),at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[1466]:0xdf6f9,at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[1808]:0x10ec35,at invoke_vii (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:261531),at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[7773]:0x3a74c1,at invoke_vii (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:261531),at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[734]:0x68616,at OnMessageCallback.OnMessageCallback$Invoke [as Invoke] (eval at new_ (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:207926), <anonymous>:9:1),at Worker.<anonymous> (https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.0e182dbd.js:86:25891)
2023-08-10T05:25:13.252Z Core telemetry event: eventName=ConnectionException, traceMessage=An exception has occurred. Details: disconnect code=LogonFailed(10006), extended code=<null>, reason=CredSSP error: The server reported error code -1073741715
 Thrown in thread 1153916 at:
    credsspstate.cpp(245)
Call Stack:
        at invoke_iiiiii
        at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[9289]:0x5c0bae
        at invoke_vii
        at https://client.wvd.microsoft.com/arm/webclient/librdp/html/librdphtml.dde6ed77.wasm:wasm-function[9288]:0x5c0446 

1 answer

  1. Mahmoud A. ATALLAH 226 Reputation points MVP
    2023-08-10T16:23:25.87+00:00

    It looks like you've provided a detailed description of the issue you're facing with Azure Virtual Desktop (AVD) and the authentication errors you're encountering while trying to connect from various clients. The error you're seeing, "CredSSP error: The server reported error code -1073741715," is related to the Credential Security Support Provider (CredSSP) protocol which is used for authentication in Remote Desktop Protocol (RDP) sessions.

    Here are a few steps you might consider to troubleshoot and potentially resolve the issue:

    1. Check System Updates and Settings: Make sure that the AVD session host, DC, as well as the client devices, have the latest system updates and patches. Ensure that CredSSP is correctly configured on both ends.

    2. Review CredSSP Configuration: Double-check that the CredSSP configuration on both the AVD session host and the client devices is set appropriately. Make sure that it's not enforcing Network Level Authentication (NLA) if that's causing issues.

    3. Check Time Synchronization: Ensure that the time and time zone settings are consistent across all systems (AVD session host and client devices). Time differences can sometimes lead to authentication failures.

    4. Review Group Policies: Group Policies on the AVD session host or client devices might be affecting the authentication process. Make sure there are no conflicting policies that could impact CredSSP.

    5. Look at this reference to resolve the RDP authentication error due to the CredSSP encryption: https://www.layerstack.com/resources/tutorials/How-to-resolve-RDP-authentication-error-due-to-the-CredSSP-encryption-oracle-remediation-on-Windows-OS

    Since this issue seems to be specific to different client types (Microsoft Store app, Apple Store app, web client), it's important to ensure that your AVD environment is correctly configured to handle authentication from various sources. Be sure to carefully review the documentation for AVD and the specific clients you're using to connect, as sometimes there might be client-specific settings or requirements.
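
Added example, not part of the original thread and not Microsoft's client code: the error code in the question's web client log is a signed 32-bit decimal, and this sketch pulls the CredSSP failures out of such a log and reinterprets the number as the unsigned NTSTATUS value the session host returned. The function names are hypothetical, the status table is a small logon-related subset of the published NTSTATUS values, and the sample input is the question's own log lines with the stack frames omitted.

```python
import re

# Logon-related NTSTATUS values; a subset chosen for this example.
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the web client's line format as it appears in the question's log.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) .*?"
    r"disconnect code=(?P<disc>\w+)\((?P<disc_num>\d+)\).*?"
    r"CredSSP error: The server reported error code (?P<code>-?\d+)"
)

def to_ntstatus(signed):
    """Reinterpret a signed 32-bit decimal as the unsigned NTSTATUS value."""
    return signed & 0xFFFFFFFF

def credssp_failures(log_text):
    """Return one dict per log line that carries a CredSSP server error."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # stack frames and unrelated telemetry
        status = to_ntstatus(int(m["code"]))
        out.append({
            "time": m["ts"],
            "disconnect": f'{m["disc"]}({m["disc_num"]})',
            "ntstatus": f"0x{status:08X}",
            "name": NTSTATUS.get(status, "unknown (not in this subset)"),
        })
    return out

# Log lines from the question, stack frames omitted.
SAMPLE = """\
2023-08-10T05:25:13.248Z Core telemetry event: eventName=CredSSPState, traceMessage=CredSSP Handshake packet received
2023-08-10T05:25:13.251Z Connection(ERR): The connection generated an internal exception with disconnect code=LogonFailed(10006), extended code=<null>, reason=CredSSP error: The server reported error code -1073741715
2023-08-10T05:25:13.252Z Core telemetry event: eventName=ConnectionException, traceMessage=An exception has occurred. Details: disconnect code=LogonFailed(10006), extended code=<null>, reason=CredSSP error: The server reported error code -1073741715
"""

if __name__ == "__main__":
    print(*credssp_failures(SAMPLE), sep="\n")
```

Both error lines decode to 0xC000006D (STATUS_LOGON_FAILURE), which is a generic logon rejection; the matching failed-logon event (ID 4625) in the session host's Security log carries Status and Sub Status fields that narrow down the cause.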

