Resolving Authentication Loop with single sign-on for Azure Virtual Desktop using Microsoft Entra ID Authentication


Recently, while implementing single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID authentication, our team encountered an unexpected hurdle: an authentication loop. In this post, I’ll share our experience and the solution we found.

Problem: Authentication loop

After configuring single sign-on for Azure Virtual Desktop according to Microsoft's documentation (https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on), some users were caught in an authentication loop when connecting to a session host: the Microsoft Entra ID sign-in completed, the connection was rejected, and the sign-in prompt came straight back. The loop locked them out of the resources they needed. On the session host we found the following events:

Log Name: Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
Source: Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV
Event ID: 226
Description: RDP_SEC_RDSAADAUTH_SERVER: An error was encountered when transitioning from Processing Authentication Request in response to Failed to authenticate user (error code 0xD000006D).

Log Name: Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
Source: Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV
Event ID: 226
Description: RDP_SEC: An error was encountered when transitioning from FStateInRdsAadHandshake in response to FEventRdsAaadHandshakeFailed (error code 0x8007052E).

Both error codes are generic logon failures: 0xD000006D is STATUS_LOGON_FAILURE (0xC000006D) carried as an HRESULT, and 0x8007052E is Win32 error 1326, ERROR_LOGON_FAILURE. They confirm that the session host rejected the user's authentication, but say nothing about why.

Root cause: Membership in protected Active Directory Groups

Further investigation showed that every affected user account was a direct or indirect (nested) member of one of the protected Active Directory groups; users outside these groups connected without problems.

Active Directory protects the following groups, plus two built-in accounts, through the AdminSDHolder object:

  • Account Operators
  • Administrator
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • krbtgt
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

Every hour the SDProp process stamps these accounts, and every user nested in these groups, with adminCount=1 and replaces their ACL with the one on AdminSDHolder. In our environment, every hybrid account carrying that protection failed Microsoft Entra ID authentication to the session host, producing the loop above, so adminCount=1 is the quickest indicator of who will be affected.

More information about protected Active Directory accounts and groups: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

The Fix: Removing Membership from Protected Groups

To resolve the authentication loop, remove the affected user accounts' direct and indirect membership in the protected groups listed above. For people who genuinely need one of those roles, the right fix is not to strip the role but to give them a separate, unprivileged account for Azure Virtual Desktop and day-to-day work, keeping the privileged account for administration only; that is plain least privilege and the model the linked guidance recommends for these groups anyway.

Two caveats. Indirect membership counts, so check nested groups and not just the user's direct memberOf attribute. And SDProp does not undo its work when an account leaves a protected group: adminCount stays at 1 and ACL inheritance stays disabled on the user object until you reset them yourself.

The following PowerShell lists every account SDProp has stamped with adminCount=1. Because the flag is never cleared automatically, this is a superset of the accounts that will hit the SSO loop: it also contains accounts that left a protected group long ago.

Import-Module ActiveDirectory
# adminCount=1 is stamped by SDProp on every account it protects
Get-ADUser -LDAPFilter "(adminCount=1)" | Select-Object Name, UserPrincipalName, SamAccountName, DistinguishedName |
    Export-Csv -Path "$env:USERPROFILE\Desktop\Output.csv" -NoTypeInformation -Encoding UTF8