Why can't I use the WorkSpaces client to authenticate to my WorkSpace?

6 minute read

When I use the Amazon WorkSpaces client to try to log in, I see error messages similar to the following: "Authentication Failed: Please check your username and password to make sure you typed them correctly." "Directory Unavailable: Your directory could not be reached at this time. Please contact your Administrator for more details." I entered the correct password, and the directory is available.


Authentication Failed errors

Configuration issues in AWS Directory Service Simple Active Directory (Simple AD) and AWS Directory Service for Microsoft Active Directory can cause Authentication Failed errors when you use the correct credentials.

To troubleshoot this error, take the following actions.

Confirm that the directory registration code in the WorkSpaces client matches the value that's associated with the WorkSpace

Complete the following steps:

  1. Open the WorkSpaces client.
  2. From the login window, choose Settings, Manage Login Information. Note the registration code.
    Note: If you have multiple registration codes, close the login window, and then choose Change Registration Code.
  3. Confirm that the registration code matches the value that's associated with the WorkSpace in the WorkSpaces console or welcome email.
    Note: To find the registration code from the console, open the WorkSpaces console. Choose the arrow next to the WorkSpace ID to show the WorkSpace details.

Check if the error is because of incorrect credentials or an error in WorkSpaces

Complete the following steps:

  1. Use a Remote Desktop Protocol (RDP) client to connect to the WorkSpace, or use SSH.
  2. Enter your credentials. Check if the Authentication Failed error is caused by one of the following reasons:
    Incorrect credentials.
    An issue with the WorkSpace.
    A broken trust relationship with Active Directory.
    Another issue with an Active Directory user account.

Troubleshoot the issue in the RDP or SSH session of the WorkSpace.

Note: If you can't use RDP or SSH, then log in with your WorkSpace credentials to any domain-joined Amazon Elastic Compute Cloud (Amazon EC2) instance.

Verify that the user's Active Directory user account meets the prerequisites

Complete the following steps:

  1. Be sure that Kerberos pre-authentication is turned on.

  2. Clear the User must change password on next logon check box.

  3. Run the following command to confirm that the user's password isn't expired:

    net user username /domai

    Note: Replace username with your value.

  4. If you use Simple AD or AWS Managed Microsoft AD, then choose Forgot Password? from the WorkSpaces client to reset the password.

Confirm that the user account's sAMAccountName attribute wasn't modified

WorkSpaces doesn't support modifications to the username attribute of an Active Directory user. If the username attribute in WorkSpaces and Active Directory don't match, then authentication fails.

If you changed the sAMAccountName, then you must change it back for the WorkSpace to work correctly.

If you must rename a user, then complete the following steps:

Warning: After you delete a WorkSpace, you can't undo the action. The Workplace user's data is no longer available in WorkSpaces.

  1. Back up files from the user volume to an external location, such as Amazon WorkDocs or Amazon FSx.
  2. Delete the WorkSpace.
  3. Modify the username attribute.
  4. Launch a new WorkSpace for the user.

Verify that the username attribute contains only valid characters

To confirm that your username attribute uses only valid characters, see Understand username restrictions for AWS applications.

If your WorkSpaces username attribute contains characters that aren't valid, then complete the following steps:

Warning: After you delete a WorkSpace, you can't undo the action. The Workplace user's data is no longer available in WorkSpaces.

  1. Back up files from the user volume to an external location, such as WorkDocs or Amazon FSx.
  2. Delete the WorkSpace.
  3. Rename the username attribute in your domain with valid characters:
    Use the Active Directory Users and Computers tool to find the user.
    Open the context (right-click) menu for the user, and then choose Properties.
    From the Account tab, rename both User logon name and User logon name (pre-Windows 2000).
  4. Launch a new WorkSpace with the new username attribute.

Verify that there isn't a time difference of more than 5 minutes across resources

Authentication is sensitive to time differences between the resources that you use with WorkSpaces. All domain controllers in the domain, the Remote Authentication Dial-In User Service (RADIUS) servers, the WorkSpace instance, and the service must be in sync.

To make sure that all resources are in sync, take the following actions:

  • If you use multi-factor authentication (MFA), then verify that the clock on all RADIUS servers is synced with a reliable time source. You can use the NTP tool on the NTP Pool Project website.
  • If the directory is customer managed, then verify that every domain controller is synced with a reliable time source, such as AD Connector.
  • If the time on the WorkSpace is inaccurate, then reboot the WorkSpace to resynchronize the WorkSpace with an atomic clock. After a few minutes, the WorkSpace also resynchronizes with a domain controller.
  • Run the following commands to verify the time against a reliable time source:
    ntpdate -q -u pool.ntp.org
    w32tm.exe /stripchart /computer:pool.ntp.org

Directory Unavailable errors

MFA configuration issues can cause Directory Unavailable errors when the directory is available.

To troubleshoot this error, confirm that your RADIUS server is running. Also, review the logs to confirm that authentication traffic is being sent to its destination.

A Directory Unavailable error can occur when your configured RADIUS server isn't running. This error can also occur when network modifications don't allow the RADIUS server to communicate with your domain controllers that use WorkSpaces.

If you use an AD Connector, then your AD Connector's networking configuration must allow outbound access to your domain controllers and your RADIUS server. Use Amazon Virtual Private Cloud (Amazon VPC) Flow Logs to confirm that all necessary traffic is sent to its destination.

To confirm that you can log in without MFA turned on, temporarily turn off MFA on the registered directory. If you can log in after you turn off MFA, then the issue is related to the RADIUS server configuration.

Related information

Administer WorkSpace users

AWS OFFICIALUpdated 20 days ago
  1. Go to your directory
  2. Select the Other platforms section
  3. and select all option.

that should work.

replied 6 months ago

For me it worked after I corrected my directory ID in Federated IAM SAML provider's policy.

profile picture
replied 6 months ago