Why am I unable to access my WorkSpace using the WorkSpaces client?

Last updated: 2020-01-30

I tried to log in to Amazon WorkSpaces using the client, but I received an error when trying to connect to my desktop. I've confirmed that the WorkSpace is running. What issues usually cause these error messages? 

Short Description

The Amazon WorkSpaces client depends on many special services and network settings. When the client fails to load the WorkSpace, that failure is usually because one of these prerequisites is incorrectly configured or unavailable.

Resolution

The following information shows the most common errors, their common causes, and troubleshooting guidance:

After authenticating, the Amazon WorkSpaces client expands and displays a gray "Loading..." screen for a while before returning to the login screen. No other error message appears.

This error usually indicates that the Amazon WorkSpaces client can authenticate over port 443, but can’t establish a streaming connection over port 4172. This can happen when network prerequisites aren’t met. Issues on the client side often cause the network check in the bottom-right corner of the client to fail. Click the icon (typically a red triangle with an exclamation point) to see which health checks are failing.

Note: The most common cause is a client-side firewall or proxy preventing access over port 4172 (TCP and UDP). If this health check fails, check your local firewall settings.

If the network check passes, this often indicates a problem with network configuration on the WorkSpace. For example, a Windows Firewall rule might block UDP port 4172 on the management interface. Connect to the WorkSpace using a Remote Desktop Protocol (RDP) client to verify that the WorkSpace meets the same port requirements.
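
One way to look for such a rule from the RDP session, as an added example that is not part of the original article. It reads the effective rule set (local rules plus rules delivered by Group Policy) and lists enabled inbound Block rules whose port filter covers 4172; the helper name Test-PortMatch is hypothetical.

```powershell
# Added example: list enabled inbound Block rules that cover port 4172.
# ActiveStore is the effective rule set (local rules plus Group Policy rules).
$port = 4172

# Hypothetical helper: does a firewall port spec ('Any', '4172', '4000-5000') include $Port?
function Test-PortMatch {
    param([string[]]$Spec, [int]$Port)
    foreach ($item in $Spec) {
        if ($item -eq 'Any' -or $item -eq "$Port") { return $true }
        if ($item -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

$hits = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Block |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        # PCoIP streaming uses 4172 over both TCP and UDP, so check either protocol.
        if ($filter.Protocol -in 'UDP', 'TCP', 'Any' -and
            (Test-PortMatch -Spec $filter.LocalPort -Port $port)) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Protocol  = $filter.Protocol
                LocalPort = $filter.LocalPort -join ','
            }
        }
    }

if ($hits) { $hits | Format-Table -AutoSize }
else { "No enabled inbound Block rule covers port $port." }
```

A rule that is also scoped to a specific program or remote address still appears in the list, so review each hit before changing it.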

"WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes."

This error usually indicates that the SkyLightWorkSpacesConfigService service isn’t responding to health checks.

If you just rebooted or started your WorkSpace, wait a few minutes, and then try again.

If the WorkSpace has been running for some time and you still see this error, verify that the SkyLightWorkSpacesConfigService service:

  • is running
  • is set to start automatically
  • can communicate over the management interface (eth0)
  • isn't blocked by any third-party antivirus software

To verify that the SkyLightWorkSpacesConfigService service meets the above requirements, follow these steps:

1.    Connect using RDP.

2.    Open Windows PowerShell, and then run the following command:

netstat -ano | findstr "8200"

This should return the following: 

TCP Management_IP_Address_Of_WorkSpace:8200 0.0.0.0:0

If the command doesn't return the above entry, verify that SkyLightWorkSpacesConfigService is running. If it is stopped, start it. Within a minute, the service begins listening on TCP port 8200 for your WorkSpace's private IP address.

"An error occurred while launching your WorkSpace. Please try again."

This error often occurs when the WorkSpace can't load the Windows desktop using PCoIP. Check the following:

  • Interactive logon banner group policies currently aren't supported on Amazon WorkSpaces. Try moving the WorkSpace to an organizational unit (OU) where the "Interactive logon: Message text for users attempting to log on" group policy isn’t applied.
  • If the PCoIP agent is uninstalled, reboot the WorkSpace through the Amazon WorkSpaces console to reinstall it automatically.
  • This message also appears if the PCoIP Standard Agent for Windows service isn't running. Follow these steps to verify that the service is running, set to start automatically, and can communicate over the management interface (eth0):

1.    Connect using RDP.

2.    Open Windows PowerShell and run the following command:

netstat -ano | findstr "8200"

This should return the following: 

TCP Management_IP_Address_Of_WorkSpace:8200 0.0.0.0:0

If the command doesn't return the above entry, verify that SkyLightWorkSpacesConfigService is running. If it is stopped, start it. Within a minute, the service begins listening on TCP port 8200 for your WorkSpace's private IP address.

3.    Run the following command: 

netstat -ano | findstr "4172"

This should return the following: 

TCP 0.0.0.0:4172 0.0.0.0:0 LISTENING

If the command doesn't return the above entry, verify that PCoIPArbiterService and PCoIP Standard Agent for Windows are running.

You can also run the following command to see if all dependencies are running: 

tasklist | findstr "pcoip"

Expected output: 

pcoip_agent.exe
pcoip_arbiter_win32.exe
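
The same WorkSpace-side checks gathered into one pass, as an added example that is not part of the original article. It uses the service names, process names and ports listed above and assumes an elevated PowerShell session on the WorkSpace over RDP.

```powershell
# Added example: run the article's service, port and process checks together.
$services  = 'SkyLightWorkSpacesConfigService', 'PCoIPArbiterService',
             'PCoIP Standard Agent for Windows'
$processes = 'pcoip_agent', 'pcoip_arbiter_win32'
$results   = @()

$allServices = Get-CimInstance -ClassName Win32_Service
foreach ($name in $services) {
    # Match on either the service name or the display name.
    $svc = $allServices | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    $results += [pscustomobject]@{
        Check  = "Service: $name"
        Pass   = [bool]($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
        Detail = if ($svc) { "$($svc.State), start mode $($svc.StartMode)" } else { 'not found' }
    }
}

# TCP 8200 (health checks) and TCP 4172 (PCoIP) must both have a listener.
foreach ($port in 8200, 4172) {
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP $port listening"
        Pass   = [bool]$listen
        Detail = if ($listen) { ($listen.LocalAddress | Sort-Object -Unique) -join ', ' }
                 else { 'no listener' }
    }
}

foreach ($p in $processes) {
    $proc = Get-Process -Name $p -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "Process: $p.exe"
        Pass   = [bool]$proc
        Detail = if ($proc) { "PID $(($proc.Id) -join ', ')" } else { 'not running' }
    }
}

$results | Format-Table -AutoSize
```

For the 8200 row, compare the address in the Detail column with the WorkSpace's management interface address, as in the expected netstat output.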

You might also receive this error on the Amazon WorkSpaces client after a long delay if the WorkSpaces security group is modified to restrict outbound traffic. An outbound traffic restriction prevents Windows from communicating with your directory controllers for login. Verify that your security groups allow your WorkSpaces to communicate with your directory controllers on all required ports over its primary network interface.

"This device is not authorized to access the WorkSpace. Please contact your administrator for assistance."

This error indicates that IP access control groups are configured on the WorkSpace's directory, but the client IP address isn't whitelisted.

Check the settings on your directory. Confirm that the public IP address the user is connecting from is allowed to access the WorkSpace.

