@Marcel du Preez any update? I have exactly the same problem.
AADLoginForWindows: Unable to Login
I have a VM in an Azure sub on which I've enabled AADLoginForWindows using the Azure CLI as outlined here: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
My Azure account is part of a group that's been assigned the Virtual Machine Administrators role on the VM.
When trying to log in using RDP, I receive an error stating "Your credentials didn't work."
Running through the troubleshooting steps as outlined here (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-deployment-issues), I've established the following, using a non-AzureAD account (local admin account) to log in:
- The extension has installed successfully: "Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: 0. Plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version: 1.0.0.1) completed successfully."
- http://169.254.169.254/metadata/instance?api-version=2017-08-01 returns the correct Virtual Machine details
- http://169.254.169.254/metadata/identity/info?api-version=2018-02-01 returns the correct Tenant Id
- http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01 returns a valid token
- curl https://login.microsoftonline.com/ -D - returns an HTTP302 (expected)
- curl https://login.microsoftonline.com/<TenantID>/ -D - (I have replaced my tenant ID) returns an HTTP404 (not expected)
- curl https://enterpriseregistration.windows.net/ -D - returns an HTTP404 (expected)
- curl https://device.login.microsoftonline.com/ -D - returns an HTTP200 (expected)
- curl https://pas.windows.net/ -D - returns an HTTP404 (expected)
- dsregcmd /status shows AzureAdJoined : YES (expected)
- dsregcmd /status shows AzureAdPrt : NO (expected, since I'm now logged in as a local user)
- My password is not expired
Checking the Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational log, there are a couple of errors (not necessarily in the correct order):
1. Http request status: 400. Method: POST Endpoint Uri: https://login.microsoftonline.com/<my_tenant_id>/oauth2/token Correlation ID: <some_guid>
2. OAuth response error: invalid_resource. Error description: AADSTS500011: The resource principal named <some_guid> was not found in the tenant named <my_tenant_name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: <some_guid> Correlation ID: <some_guid> Timestamp: <some_timestamp> CorrelationID: <some_guid>
3. AAD Cloud AP plugin call GenericCallPkg returned error: 0xC000008A
4. Error: 0x4AA50081 An application specific account is loading in cloud joined session. Logged at ClientCache.cpp, line: 374, method: ClientCache::LoadPrimaryAccount.
5. AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3
Please assist.
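The checks listed above can be run in one go from a local-admin PowerShell session on the VM. This is an added example, not code from the original post or from Microsoft's troubleshooting guide; it assumes PowerShell 5.1 or later, outbound HTTPS from the VM, and that the AAD Operational log is registered under the name `Microsoft-Windows-AAD/Operational`.

```powershell
# Added example (not from the original post): runs the IMDS, endpoint and dsregcmd
# checks from the troubleshooting list in one pass and summarises recent errors from
# the AAD Operational log, surfacing the resource principal GUID from AADSTS500011.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$imds = @{ Metadata = 'true' }   # IMDS refuses requests that lack this header

# --- IMDS: instance metadata, tenant of the VM identity, DRS token ---------------
$inst = Invoke-RestMethod -Headers $imds -Uri 'http://169.254.169.254/metadata/instance?api-version=2017-08-01'
$info = Invoke-RestMethod -Headers $imds -Uri 'http://169.254.169.254/metadata/identity/info?api-version=2018-02-01'
$tok  = Invoke-RestMethod -Headers $imds -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01'
"VM name      : $($inst.compute.name)"
"IMDS tenantId: $($info.tenantId)"
"DRS token    : $(if ($tok.access_token) { 'obtained' } else { 'MISSING' })"

# --- Endpoint reachability, not following redirects (equivalent of curl -D -) -----
function Get-HttpStatus([string]$Uri) {
    $req = [Net.HttpWebRequest]::Create($Uri); $req.AllowAutoRedirect = $false
    try { $r = $req.GetResponse(); $code = [int]$r.StatusCode; $r.Close() }
    catch [Net.WebException] { $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 } }
    $code
}
# Expected codes are the ones the post lists; the tenant URL has no expectation here
# because that is the response the poster flagged as anomalous.
$checks = @(
    @{ Uri = 'https://login.microsoftonline.com/';                   Want = 302 },
    @{ Uri = "https://login.microsoftonline.com/$($info.tenantId)/"; Want = $null },
    @{ Uri = 'https://enterpriseregistration.windows.net/';          Want = 404 },
    @{ Uri = 'https://device.login.microsoftonline.com/';            Want = 200 },
    @{ Uri = 'https://pas.windows.net/';                             Want = 404 }
)
foreach ($c in $checks) {
    $got = Get-HttpStatus $c.Uri
    $verdict = if ($null -eq $c.Want) { 'compare with docs' } elseif ($got -eq $c.Want) { 'ok' } else { "expected $($c.Want)" }
    "{0,-58} HTTP {1}  {2}" -f $c.Uri, $got, $verdict
}

# --- Device join state from dsregcmd ---------------------------------------------
$ds = dsregcmd /status
($ds | Where-Object { $_ -match '^\s*(AzureAdJoined|AzureAdPrt)\s*:' }) -replace '^\s+', ''

# --- Recent errors from the AAD Operational log (log name assumed, see lead-in) ---
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
  Where-Object { $_.Level -eq 2 } | Select-Object -First 10 |   # Level 2 = Error
  ForEach-Object {
    $first = ($_.Message -split "`r?`n")[0]
    # AADSTS500011 names the resource principal the VM requested; print the GUID so it
    # can be looked up under Enterprise applications in the tenant IMDS reported above.
    $rp = if ($_.Message -match 'resource principal named ([0-9a-fA-F-]{36})') { "  resource principal: $($Matches[1])" } else { '' }
    "{0:u}  {1}{2}" -f $_.TimeCreated, $first, $rp
  }
```

A mismatch between the tenant IMDS reports and the tenant in the failing token request, or a resource principal GUID that does not exist in that tenant, narrows the AADSTS500011 error down before touching the VM configuration.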
2 answers
Phillip Baaten (0 Reputation points), 2023-08-08T01:40:11.4133333+00:00
Would love an update on this one and how it was solved?