Why am I unable to authenticate to my WorkSpace using the WorkSpaces client?
Last updated: 2019-11-20
When I try to log in using the Amazon WorkSpaces client, I see an error message similar to the following:
"Authentication Failed: Please check your username and password to make sure you typed them correctly."
I've confirmed that the password is entered correctly. Why am I still getting this error message?
"Authentication Failed" errors that occur when the correct credentials are used are typically related to a configuration issue in Active Directory.
To troubleshoot this error, try the following:
Confirm that the directory registration code in the client matches the value associated with the WorkSpace.
- Open the Amazon WorkSpaces client. From the login window, choose Settings, Manage Registrations.
- Confirm that the registration code matches the value associated with the WorkSpace in the Amazon WorkSpaces console or welcome email.
Verify that the user's Active Directory user object meets the prerequisites.
- You must enable Kerberos preauthentication.
- Clear User must change password on next logon, and then confirm that the user’s password isn’t expired.
Note: If you are using Simple AD or AWS Directory Service for Microsoft Active Directory, then choose Forgot Password? from the Amazon WorkSpaces client to reset the password.
Confirm that the user object's sAMAccountName attribute wasn't modified.
Amazon WorkSpaces doesn’t support modifications to the username attribute of an Active Directory user. Authentication fails if the username attributes in Amazon WorkSpaces and Active Directory don’t match.
If you must rename a user, follow these steps:
- Back up files from the user volume to an external location such as Amazon WorkDocs or Amazon FSx.
- Remove the user’s WorkSpace.
- Modify the attribute.
- Create a new WorkSpace for the user.
If you've enabled multi-factor authentication (MFA), check the logs on your RADIUS server to confirm that authentication traffic is received and approved.
- This error can occur if network modifications prevent the RADIUS solution from communicating with the WorkSpace’s subnets or domain controllers.
- If you're using an AD Connector, your connector endpoints must have outbound access to both your domain controllers and your RADIUS servers. You can use VPC Flow Logs to confirm that all necessary traffic is sent to its destination.