AADLoginForWindows: Unable to Login

Question

I have a VM in an Azure sub on which I've enabled AADLoginForWindows using the Azure CLI as outlined here: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

My Azure account is part of a group that's been assigned the Virtual Machine Administrators role on the VM.

When trying to login using RDP, I receive an error stating "Your credentials didn't work."

Running through the troubleshooting steps as outlined here (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-deployment-issues), I've established the following using a non-AzureAD account (local admin account) to login:

• The extension has installed successfully: Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: 0 Plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version: 1.0.0.1) completed successfully.
• http://169.254.169.254/metadata/instance?api-version=2017-08-01 returns the correct Virtual Machine details
• http://169.254.169.254/metadata/identity/info?api-version=2018-02-01 returns the correct Tenant Id
• http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01 returns a valid token
• curl https://login.microsoftonline.com/ -D - returns an HTTP302 (expected)
• curl https://login.microsoftonline.com/<TenantID>/ -D - (I have replaced my tenant ID) returns an HTTP404 (not expected)
• curl https://enterpriseregistration.windows.net/ -D - returns an HTTP404 (expected)
• curl https://device.login.microsoftonline.com/ -D - returns an HTTP200 (expected)
• curl https://pas.windows.net/ -D - returns an HTTP404 (expected)
• dsregcmd /status shows AzureAdJoined : YES (expected)
• dsregcmd /status shows AzureAdPrt : NO (expected, since I'm now logged in as a local user)
• My password is not expired

Checking the Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational log, there are a couple of errors (not necessarily in the correct order):

1. > Http request status: 400. Method: POST Endpoint Uri: https://login.microsoftonline.com/<my_tenant_id>/oauth2/token Correlation ID: <some_guid>

2. > OAuth response error: invalid_resource > Error description: AADSTS500011: The resource principal named <some_guid> was not found in the tenant named <my_tenant_name>. This can happen if the application has > not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. > Trace ID: <some_guid> > Correlation ID: <some_guid> > Timestamp: <some_timestamp> > CorrelationID: <some_guid>

3. > AAD Cloud AP plugin call GenericCallPkg returned error: 0xC000008A

4. > Error: 0x4AA50081 An application specific account is loading in cloud joined session. > Logged at ClientCache.cpp, line: 374, method: ClientCache::LoadPrimaryAccount.

5. > AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3

Please assist.

Answer 1

@Marcel du Preez any update? I have the exactly same problem.

Answer 2

Would love an update on this one and how it was solved?