Why am I unable to authenticate to my WorkSpace using the WorkSpaces client?
Last updated: 2020-06-29
When I try to log in using the Amazon WorkSpaces client, I see an error message similar to the following:
"Authentication Failed: Please check your username and password to make sure you typed them correctly."
I've confirmed that the password is entered correctly. Why am I still getting this error message?
"Authentication Failed" errors that occur when the correct credentials are used are typically related to a configuration issue in Active Directory.
To troubleshoot this error, try the following:
Confirm that the directory registration code in the client matches the value associated with the WorkSpace
- Open the Amazon WorkSpaces client. From the login window, choose Settings, Manage Login Information.
- Confirm that the registration code matches the value associated with the WorkSpace in the Amazon WorkSpaces console or welcome email.
Verify that the user's Active Directory user object meets the prerequisites
- You must enable Kerberos preauthentication.
- Clear User must change password on next logon, and then confirm that the user’s password isn’t expired.
Note: If you are using Simple AD or AWS Directory Service for Microsoft Active Directory, then choose Forgot Password? from the Amazon WorkSpaces client to reset the password.
Confirm that the user object's sAMAccountName attribute wasn't modified
Amazon WorkSpaces doesn’t support modifications to the username attribute of an Active Directory user. Authentication fails if the username attributes in Amazon WorkSpaces and Active Directory don’t match.
If you have changed the sAMAccountName, you can simply change it back, and then the WorkSpace resumes working correctly.
If you must rename a user, follow these steps:
- Back up files from the user volume to an external location such as Amazon WorkDocs or Amazon FSx.
Note: Amazon WorkSpaces includes 50GB of WorkDocs storage per WorkSpaces user. For more information, see Amazon WorkDocs pricing.
- Remove the WorkSpace.
- Modify the attribute.
- Create a new WorkSpace for the user.
If you've enabled multi-factor authentication (MFA), check the logs on your RADIUS server to confirm that authentication traffic is received and approved
- This error can occur if network modifications prevent the RADIUS solution from communicating with the WorkSpace’s subnets or domain controllers.
- If you're using an AD Connector, your connector endpoints must have outbound access to both your domain controllers and your RADIUS servers. You can use VPC Flow Logs to confirm that all necessary traffic is sent to its destination.
Verify that the username doesn't contain any invalid characters
Some username character restrictions exist for Amazon Web Services (AWS) applications, including Amazon WorkSpaces. See Understand username restrictions for AWS applications to confirm that your username uses only valid characters.
If your Amazon WorkSpaces username contains invalid characters, follow these steps:
Warning: Removing a WorkSpace is a permanent action. The WorkSpace user's data doesn't persist and is destroyed.