Why am I unable to authenticate to my WorkSpace using the WorkSpaces client?

Last updated: 2022-09-20

When I try to log in using the Amazon WorkSpaces client, I see error messages similar to the following:

"Authentication Failed: Please check your username and password to make sure you typed them correctly."

"Directory Unavailable: Your directory could not be reached at this time. Please contact your Administrator for more details."

I've confirmed that the password is entered correctly and the directory is available. Why am I still getting these error messages?

Resolution

Authentication Failed errors

Authentication Failed errors that occur when the correct credentials are used are typically related to a configuration issue in Active Directory.

To troubleshoot this error, follow these steps:

Confirm that the directory registration code in the WorkSpaces client matches the value associated with the WorkSpace

1.    Open the WorkSpaces client. From the log-in window, choose Settings, Manage Login Information. Note the registration code.

Note: If you have multiple registration codes, close the pop-up window, and then choose Change Registration Code.

2.    Confirm that the registration code matches the value associated with the WorkSpace in the WorkSpaces console or welcome email.

Note: To find the registration code from the console, open the WorkSpaces console to see a list of WorkSpaces in the selected AWS Region. Choose the arrow next to the WorkSpace ID to show the WorkSpace details, and then note the Registration Code.

Check if the error is due to incorrect credentials or due to an error in WorkSpaces

1.    Connect to the WorkSpace using a Remote Desktop Protocol (RDP) client or connect to the WorkSpace using SSH.

2.    Enter your credentials. When you receive an Authentication Failed error, you can see whether the error is caused by:

  • Incorrect credentials.
  • An issue with the WorkSpace.
  • A broken trust relationship with Active Directory.
  • Another issue with an Active Directory user account.

Proceed to troubleshoot the observed error in the RDP/SSH session of the WorkSpace according to the error that you received.

Note: If you can't use RDP/SSH in WorkSpaces due to security or compliance reasons, then try to log in to any domain-joined Amazon Elastic Compute Cloud (Amazon EC2) instance using your WorkSpace user credentials for validation.

Verify that the user's Active Directory user object meets the prerequisites

1.    Make sure that Kerberos pre-authentication is turned on.

2.    Clear the User must change password on next logon check box.

3.    Run the following command to confirm that the user’s password isn’t expired, replacing username with your value:

net user username /domain

4.    If you use Simple AD or AWS Directory Service for Microsoft Active Directory, then choose Forgot Password? from the WorkSpaces client to reset the password.
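The four prerequisites above can be checked in one pass from a domain-joined admin workstation. This PowerShell script is an added example, not part of the AWS article; it assumes the ActiveDirectory module (RSAT) is installed and, only if -WorkSpaceId is supplied, that the AWS CLI is configured with permission to call DescribeWorkspaces.

```powershell
# Added example: report which WorkSpaces Active Directory prerequisites a user fails.
# Assumes RSAT ActiveDirectory module; AWS CLI is optional (used only with -WorkSpaceId).
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # the user as stored in AD
    [string]$WorkSpaceId                              # optional, e.g. ws-<placeholder>
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties `
    DoesNotRequirePreAuth, PasswordExpired, pwdLastSet, Enabled, LockedOut

$findings = @()
# 1. Kerberos pre-authentication must be on, i.e. DONT_REQ_PREAUTH must NOT be set.
if ($user.DoesNotRequirePreAuth) {
    $findings += "Kerberos pre-authentication is turned off; enable it on the Account tab."
}
# 2. "User must change password at next logon" is stored as pwdLastSet = 0.
if ($user.pwdLastSet -eq 0) {
    $findings += "'User must change password at next logon' is set; clear the check box."
}
# 3. Expired password (the same condition 'net user <name> /domain' reports).
if ($user.PasswordExpired) {
    $findings += "Password has expired; reset it (Simple AD / AWS Managed Microsoft AD: use 'Forgot Password?')."
}
# Other account states that also surface as Authentication Failed.
if (-not $user.Enabled) { $findings += "Account is disabled." }
if ($user.LockedOut)    { $findings += "Account is locked out." }

# 4. The username WorkSpaces recorded at launch must still equal the AD sAMAccountName.
if ($WorkSpaceId) {
    $wsUser = aws workspaces describe-workspaces --workspace-ids $WorkSpaceId `
        --query "Workspaces[0].UserName" --output text
    if ($wsUser -ne $user.SamAccountName) {   # -ne is case-insensitive for strings
        $findings += "WorkSpace was launched for '$wsUser' but AD sAMAccountName is now '$($user.SamAccountName)'."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $SamAccountName meets the WorkSpaces AD prerequisites."
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```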

Confirm that the user object's sAMAccountName attribute wasn't modified

WorkSpaces doesn’t support modifications to the username attribute of an Active Directory user. Authentication fails if the username attribute in WorkSpaces and Active Directory don’t match.

If you changed the sAMAccountName, change it back; the WorkSpace then resumes working correctly.

If you must rename a user, follow these steps:

Warning: Deleting a WorkSpace is a permanent action. The WorkSpace user's data doesn't persist and is destroyed.

1.    Back up files from the user volume to an external location, such as Amazon WorkDocs or Amazon FSx.

2.    Delete the WorkSpace.

3.    Modify the username attribute.

4.    Launch a new WorkSpace for the user.

Verify that the username attribute doesn't contain characters that aren't valid

Username attribute character restrictions exist for Amazon Web Services (AWS) applications, including WorkSpaces. See Understand username restrictions for AWS applications to confirm that your username attribute uses only valid characters.

If your WorkSpaces username attribute contains characters that aren't valid, follow these steps:

Warning: Deleting a WorkSpace is a permanent action. The WorkSpace user's data doesn't persist and is destroyed.

1.    Back up files from the user volume to an external location, such as WorkDocs or Amazon FSx.

2.    Delete the WorkSpace.

3.    Rename the username attribute in your domain using valid characters:

  • Use the Active Directory Users and Computers tool to find the user.
  • Open the context (right-click) menu for the user, and choose Properties.
  • From the Account tab, rename both User logon name and User logon name (pre-Windows 2000).

4.    Launch a new WorkSpace with the new username attribute.

Verify that there isn't a time difference of more than 5 minutes across involved parties

Authentication is sensitive to time differences with all involved parties. All domain controllers in the domain, the Remote Authentication Dial-In User Service (RADIUS) servers (if used), the WorkSpace instance, and the service itself must be in sync with each other.

1.    If you're using multi-factor authentication (MFA), verify that the clock on all RADIUS servers is in sync with a reliable time source (for example, pool.ntp.org).

2.    If the directory is customer managed (such as AD Connector), then verify that every domain controller is in sync with a reliable time source.

3.    If you suspect that the time on the WorkSpace is inaccurate, reboot the WorkSpace. A reboot resynchronizes the WorkSpace with an atomic clock. After a few minutes, the WorkSpace also resynchronizes with a domain controller.

4.    Run the following commands to verify the time against a reliable time source:

Linux:

ntpdate -q -u pool.ntp.org

Windows:

w32tm.exe /stripchart /computer:pool.ntp.org
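The w32tm command above prints raw offsets; the following PowerShell script, an added example rather than part of the AWS article, runs it with several samples and flags any offset beyond the 5-minute limit described in this section. It assumes w32tm.exe is available and that UDP port 123 egress to the chosen server is allowed.

```powershell
# Added example: measure this machine's offset from a reference NTP server and compare it
# with the 5-minute (300 s) tolerance that Kerberos authentication depends on.
param(
    [string]$Server = "pool.ntp.org",
    [int]$Samples = 3,
    [int]$MaxSkewSeconds = 300
)

# /dataonly prints one "HH:mm:ss, +00.1234567s" line per sample (or ", error: 0x..." on failure).
$raw = w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1

$offsets = foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Output "No usable sample from $Server (check NTP reachability / UDP 123 egress):"
    $raw | ForEach-Object { Write-Output "  $_" }
    return
}

# Judge by the worst sample: a single large offset is enough to fail a Kerberos exchange.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
if ($worst -gt $MaxSkewSeconds) {
    Write-Output ("FAIL: clock is {0:N1}s off from {1} (limit {2}s). Resync the clock or reboot the WorkSpace." -f $worst, $Server, $MaxSkewSeconds)
} else {
    Write-Output ("OK: worst offset {0:N3}s from {1} is within the {2}s limit." -f $worst, $Server, $MaxSkewSeconds)
}
```

Run it on the WorkSpace, on each RADIUS server, and on each customer-managed domain controller; every one of them must report OK against the same reference.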

Directory Unavailable errors

Directory Unavailable errors that occur when the directory is available are typically related to an MFA configuration issue.

To troubleshoot this error, follow these steps:

Confirm that your RADIUS server is running and review the logs to confirm that authentication traffic is being approved

A Directory Unavailable error can occur if your configured RADIUS server isn't running or if network modifications prevent the RADIUS server from communicating with your domain controllers used by WorkSpaces.

If you're using an AD Connector, your AD Connector's networking configuration must allow outbound access to your domain controllers and your RADIUS server. You can use VPC Flow Logs to confirm that all necessary traffic is sent to its destination.

You can temporarily turn off MFA on the registered directory and confirm whether you're able to log in without MFA. If you can log in after turning off MFA, this confirms a configuration issue related to the RADIUS server.
