Why am I unable to authenticate to my WorkSpace using the WorkSpaces client?

Last updated: 2021-09-16

When I try to log in using the Amazon WorkSpaces client, I see an error message similar to the following:

"Authentication Failed: Please check your username and password to make sure you typed them correctly."

I've confirmed that the password is entered correctly. Why am I still getting this error message?

Resolution

"Authentication Failed" errors that occur when the correct credentials are used are typically related to a configuration issue in Active Directory.

To troubleshoot this error, try the following:

Confirm that the directory registration code in the client matches the value associated with the WorkSpace

  1. Open the Amazon WorkSpaces client. From the login window, choose Settings, Manage Login Information. Note the registration code.
    Note: If you have multiple registration codes, close the pop-up window, and then choose Change Registration Code.
  2. Confirm that the registration code matches the value associated with the WorkSpace in the Amazon WorkSpaces console or welcome email.
    Note: To find the registration code from the console, open the Amazon WorkSpaces console to see a list of WorkSpaces in the selected Region. Choose the arrow next to the WorkSpace ID to show WorkSpace details, and then note the Registration Code.

Verify that the user's Active Directory user object meets the prerequisites

  • You must use Kerberos preauthentication.
  • Clear User must change password on next logon.
  • Run the following command to confirm that the user’s password isn’t expired, replacing username with your value:
net user username /domain

If you use Simple AD or AWS Directory Service for Microsoft Active Directory, then choose Forgot Password? from the Amazon WorkSpaces client to reset the password.
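The user-object checks above can be scripted. The following is an added example, not code from the AWS article; it assumes a domain-joined management host with the ActiveDirectory PowerShell module, and `$SamAccountName` is a placeholder for the user being inspected.

```powershell
# Added example: check the WorkSpaces prerequisites on an AD user object.
# 'jdoe' is a constructed sample value; pass the real sAMAccountName instead.
param([string]$SamAccountName = 'jdoe')

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties `
    DoesNotRequirePreAuth, pwdLastSet, PasswordExpired, PasswordNeverExpires, `
    Enabled, AccountExpirationDate, sAMAccountName

$findings = @()

# WorkSpaces requires Kerberos preauthentication; this flag (UAC bit 0x400000) disables it.
if ($user.DoesNotRequirePreAuth) {
    $findings += 'Kerberos preauthentication is disabled (DONT_REQ_PREAUTH is set).'
}

# pwdLastSet of 0 means "User must change password at next logon" is checked.
if ($user.pwdLastSet -eq 0) {
    $findings += '"User must change password at next logon" is set; clear it.'
}

# Same information as "Password expires" in: net user <name> /domain
if ($user.PasswordExpired -and -not $user.PasswordNeverExpires) {
    $findings += 'Password is expired; reset it (or use "Forgot Password?" in the client).'
}

# Extra checks beyond the article's list; net user /domain reports these too.
if (-not $user.Enabled) {
    $findings += 'Account is disabled.'
}
if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
    $findings += "Account expired on $($user.AccountExpirationDate)."
}

if ($findings.Count -eq 0) {
    Write-Output "$($user.sAMAccountName): no WorkSpaces prerequisite problems found."
} else {
    Write-Output "$($user.sAMAccountName): $($findings.Count) issue(s) found"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```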

Confirm that the user object's sAMAccountName attribute wasn't modified

Amazon WorkSpaces doesn’t support modifications to the username attribute of an Active Directory user. Authentication fails if the username attributes in Amazon WorkSpaces and Active Directory don’t match.

If you changed the sAMAccountName, you can simply change it back, and then the WorkSpace resumes working correctly.

If you must rename a user, follow these steps:

Warning: Removing a WorkSpace is a permanent action. The WorkSpace user's data doesn't persist and is destroyed.

  1. Back up files from the user volume to an external location such as Amazon WorkDocs or Amazon FSx.
  2. Remove the WorkSpace.
  3. Modify the attribute.
  4. Launch a new WorkSpace for the user.

Verify that the username attribute doesn't contain characters that are not valid

Some username attribute character restrictions exist for Amazon Web Services (AWS) applications, including Amazon WorkSpaces. See Understand username restrictions for AWS applications to confirm that your username attribute uses only valid characters.

If your Amazon WorkSpaces username attribute contains characters that are not valid, follow these steps:

Warning: Removing a WorkSpace is a permanent action. The WorkSpace user's data doesn't persist and is destroyed.

  1. Back up files from the user volume to an external location such as Amazon WorkDocs or Amazon FSx.
  2. Remove the WorkSpace from your AWS account.
  3. Rename the username attribute in your domain using valid characters. Use the Active Directory Users and Computers tool to find the user. Open the context (right-click) menu for the user, and then choose Properties. From the Account tab, be sure to rename both User logon name and User logon name (pre-Windows 2000).
  4. Launch a new WorkSpace with the new username attribute.

If you're using multi-factor authentication (MFA), check the logs on your RADIUS servers to confirm that authentication traffic is received and approved

  • This error can occur if network modifications prevent the RADIUS solution from communicating with the Amazon WorkSpaces' domain controllers.
  • If you're using an AD Connector, your connector endpoints must have outbound access to your domain controllers and your RADIUS servers. You can use VPC Flow Logs to confirm that all necessary traffic is sent to its destination.

Verify that there isn't a time difference of more than 5 minutes across involved parties

Authentication is very sensitive to time differences with all involved parties. All domain controllers in the domain, the RADIUS servers (if used), the WorkSpace instance, and the service itself must be in sync with each other.

  • If you're using MFA, then verify that the clock on all RADIUS servers is in sync with a reliable time source (for example, pool.ntp.org).
  • If the directory is customer-managed (AD Connector), then verify that every domain controller is in sync with a reliable time source.
  • If you suspect that the time on the WorkSpace is inaccurate, reboot the WorkSpace. A reboot re-synchronizes the WorkSpace with an atomic clock. After a few minutes, the WorkSpace also re-synchronizes with a domain controller.
  • Run the following commands to verify the time against a reliable time source:

Linux:

ntpdate -q -u pool.ntp.org

Windows:

w32tm.exe /stripchart /computer:pool.ntp.org
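To check the skew of every domain controller at once rather than one host at a time, the following added example (not from the AWS article) reads each DC's own clock from its rootDSE `currentTime` attribute and flags any that differ from the local clock by more than 5 minutes. It assumes a domain-joined host with the ActiveDirectory module and that the local clock was already verified with w32tm; RADIUS servers and the WorkSpace itself still need to be checked separately.

```powershell
# Added example: report clock skew of each domain controller relative to this host.
Import-Module ActiveDirectory

$MaxSkewMinutes = 5                      # default Kerberos tolerance
$reference = [DateTime]::UtcNow          # local clock, assumed already verified

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # rootDSE currentTime is generalized time in UTC, e.g. 20210916123456.0Z
        $raw = (Get-ADRootDSE -Server $dc.HostName -Properties currentTime).currentTime
        $dcTime = [DateTime]::ParseExact(
            $raw.Substring(0, 14), 'yyyyMMddHHmmss',
            [Globalization.CultureInfo]::InvariantCulture,
            ([Globalization.DateTimeStyles]::AssumeUniversal -bor
             [Globalization.DateTimeStyles]::AdjustToUniversal))

        $skew = ($dcTime - $reference).TotalMinutes
        [PSCustomObject]@{
            DomainController = $dc.HostName
            SkewMinutes      = [Math]::Round($skew, 2)
            OutOfTolerance   = ([Math]::Abs($skew) -gt $MaxSkewMinutes)
        }
    } catch {
        # An unreachable DC is itself a finding: the client may be sent to it.
        [PSCustomObject]@{
            DomainController = $dc.HostName
            SkewMinutes      = $null
            OutOfTolerance   = $true
        }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object OutOfTolerance) {
    Write-Warning "At least one domain controller is unreachable or more than $MaxSkewMinutes minutes off."
}
```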
