Why can't I use the WorkSpaces Personal client to authenticate to my WorkSpace?

I want to troubleshoot why I receive an error when I use the Amazon WorkSpaces Personal client to log in to my WorkSpace.

Short description

If you can't authenticate into a WorkSpace, then you might receive the following error: "Authentication Failed: Please check your username and password to make sure you typed them correctly."

This error might occur for the following reasons:

  • A user attribute change in AWS Directory Service for Microsoft Active Directory.
  • A user attribute change in Simple AD or self-managed AD.
  • A misconfiguration in multi-factor authentication (MFA).

Resolution

Verify your credentials

For Windows WorkSpaces, use Remote Desktop Protocol (RDP) to connect to your WorkSpace. If you receive a Network Level Authentication (NLA) error, then see Why do I get an NLA error when I use RDP to connect to WorkSpaces?

For Linux WorkSpaces, use SSH to connect to your WorkSpace. Enter your credentials, and then check the error details. If you receive the "Make sure you're entering the correct username and password" or "Ensure the account isn't locked out" errors, then the credentials are incorrect. Reset the password, or unlock the account in your Microsoft Active Directory. For more information, see Unlock-ADAccount on the Microsoft website.

If you receive a "The trust relationship between this workstation and the primary domain failed" error, then troubleshoot domain join issues. If the trust with the Active Directory is broken, then you must restore and then rebuild the WorkSpace.

Confirm that the directory is in an active state

If you use AD Connector for WorkSpaces and it's in an inoperable state, then see Troubleshooting AD Connector.

If you use AWS Managed Microsoft AD, then see Understanding your AWS Managed Microsoft AD directory status.

Confirm that the directory registration code in the WorkSpaces Personal client matches the value that's associated with the WorkSpace

Complete the following steps:

  1. Open the WorkSpaces client.
  2. Choose Settings, and then choose Manage Login Information.
  3. Note the registration code.
    Note: If you have multiple registration codes, then choose Change Registration Code to find the last registration code that you used.
  4. Open the WorkSpaces console.
  5. Select your WorkSpace, and then choose View Details.
  6. Under Summary, verify that the value for Registration Code matches the code that you noted.

Check your Active Directory user account configuration

Complete the following steps:

  1. Check that Kerberos pre-authentication is turned on.
  2. Confirm that the User must change password on next logon check box is unchecked under user properties in Active Directory Users and Computers.
  3. Confirm that your password isn't expired. Use a domain-joined machine to run the following command:
    net user username /domain
    Note: Replace username with your username.
  4. To reset the password, open the WorkSpaces client and then choose Forgot Password?.
    Note: For more options to reset the user password, see How do I reset a WorkSpaces password?
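The first three checks can be read directly from the directory in one pass. The following is an added example, not AWS-provided code: it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine, and the function name and the username jdoe are placeholders.

```powershell
# Added example: report the account settings from steps 1-3 for one user.
Import-Module ActiveDirectory

function Test-WorkSpacesUserAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $props = 'DoesNotRequirePreAuth', 'pwdLastSet', 'PasswordExpired',
             'PasswordLastSet', 'LockedOut'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    $findings = @()
    if ($u.LockedOut) {
        $findings += 'Account is locked out (see Unlock-ADAccount)'
    }
    # Step 1: pre-authentication is on only when DoesNotRequirePreAuth is False.
    if ($u.DoesNotRequirePreAuth) {
        $findings += 'Kerberos pre-authentication is turned off'
    }
    # Step 2: pwdLastSet = 0 is how AD stores "User must change password at next logon".
    # Step 3: PasswordExpired is also True in that case, so report expiry only otherwise.
    if ($u.pwdLastSet -eq 0) {
        $findings += 'User must change password at next logon is set'
    } elseif ($u.PasswordExpired) {
        $findings += 'Password is expired'
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Findings        = $findings          # empty when all three checks pass
    }
}

Test-WorkSpacesUserAccount -SamAccountName 'jdoe'   # placeholder username
```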

Verify that the sAMAccountName attribute in the user account didn't change

If you change the username of an Active Directory user, then the usernames in WorkSpaces and Active Directory don't match and authentication fails. If you changed the sAMAccountName value, then return it to the original username.

If you deleted the Active Directory user and created a new user with the same sAMAccountName, then create a new WorkSpace for that user.

Verify that the username contains only valid characters

If the WorkSpaces username contains characters that aren't valid or you must rename a user, then complete the following steps:

  1. Back up files from the user volume to an external location, such as Amazon FSx.
  2. Delete the WorkSpace.
    Important: You can't roll back WorkSpace deletion. When you delete a WorkSpace, the user's data is no longer available.
  3. Use the Active Directory Users and Computers tool to find the user.
  4. Open the context menu, and then choose Properties.
  5. From the Account tab, rename both User logon name and User logon name (pre-Windows 2000).
  6. Create a new WorkSpace with the new username.

Verify that the password contains only valid characters

Passwords are case-sensitive and must be between 8 and 64 characters in length. Passwords must contain at least one character from each of the following categories:

  • Lowercase characters
  • Uppercase characters
  • Numbers
  • Non-alphanumeric characters

Note: Don't include nonprintable Unicode characters, such as white spaces, carriage returns, tabs, line breaks, and null characters.
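Invisible characters usually arrive through copy and paste and can't be spotted by eye. The following added example (not AWS-provided code) checks a password against the rules above and reports the code point and position of each nonprintable character; the function name is hypothetical, and treating the letter and number categories as ASCII ranges is an assumption.

```powershell
# Added example: validate a password against the rules listed above.
function Test-WorkSpacesPassword {
    param([Parameter(Mandatory)][securestring]$Password)

    # Decrypt in memory only; the password never appears on the command line.
    $pw = [System.Net.NetworkCredential]::new('', $Password).Password
    $problems = @()

    if ($pw.Length -lt 8 -or $pw.Length -gt 64) {
        $problems += "Length is $($pw.Length); must be between 8 and 64"
    }
    # -cnotmatch is case-sensitive; plain -notmatch would treat 'a' and 'A' alike.
    # ASCII ranges are an assumption of this example.
    if ($pw -cnotmatch '[a-z]') { $problems += 'No lowercase character' }
    if ($pw -cnotmatch '[A-Z]') { $problems += 'No uppercase character' }
    if ($pw -cnotmatch '[0-9]') { $problems += 'No number' }
    # Whitespace and control characters don't count as the non-alphanumeric character.
    if ($pw -cnotmatch '[^a-zA-Z0-9\s\p{Cc}\p{Cf}]') {
        $problems += 'No non-alphanumeric character'
    }

    # \s = whitespace; Cc = control characters (CR, LF, tab, null);
    # Cf = invisible format characters such as the zero-width space.
    foreach ($m in [regex]::Matches($pw, '[\s\p{Cc}\p{Cf}]')) {
        $problems += 'Nonprintable character U+{0:X4} at position {1}' -f [int]$m.Value[0], $m.Index
    }

    $problems   # no output means every rule passed
}

$secure = Read-Host -AsSecureString -Prompt 'Password to check'
Test-WorkSpacesPassword -Password $secure
```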

Check the multi-factor authentication (MFA) configuration

Complete the following steps:

  1. Make sure that you have the shared secret code to re-enter.
  2. Check whether the authentication issue affects all WorkSpaces users on the AD Connector or individual users.
    Note: If there's a replication issue between domain controllers on your self-managed AD, then authentication issues might affect a subset of users. For more information, see Troubleshooting Active Directory replication problems on the Microsoft website.
  3. Open the WorkSpaces console.
  4. In the navigation pane, choose Directories, and then select your directory.
  5. Uncheck the check box for Enable Multi-factor authentication.

If users authenticate after you turn off MFA, then there might be a communication issue between the AD Connector and RADIUS servers. Or, RADIUS servers might not respond to requests.

For more information, see Why is MFA failing on my AWS Managed Microsoft AD directory or my AD Connector?

Verify that there isn't a time difference of more than 5 minutes across resources

Authentication is sensitive to time differences between the resources that you use with WorkSpaces. The domain controllers on your self-managed AD, RADIUS servers, WorkSpace instance, and the service must be in sync. Make sure there's no time skew among domain controllers on your self-managed AD. For more information, see Recommendation - Configure the root PDC with an authoritative time source and avoid a widespread time skew on the Microsoft website.
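To measure the skew, sample each domain controller's clock from the machine you're troubleshooting. The following is an added example, not AWS-provided code: it assumes the ActiveDirectory module and the built-in w32tm tool on a domain-joined Windows machine, the function name is hypothetical, and the parsing assumes that w32tm prints each sample as a signed offset in seconds ending in "s".

```powershell
# Added example: compare the local clock with every domain controller.
Import-Module ActiveDirectory

function Get-DomainControllerTimeSkew {
    param([int]$MaxSkewSeconds = 300)   # 5 minutes, the limit named in the heading

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Take one time sample from the DC; /dataonly prints only the offset data.
        $out = & w32tm.exe /stripchart "/computer:$($dc.HostName)" /samples:1 /dataonly 2>&1

        $offset = $null
        foreach ($line in $out) {
            # Assumed sample format: "<time>, +00.0123456s"
            if ("$line" -match '([+-]\d+\.\d+)s\s*$') {
                $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            }
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            OffsetSeconds    = $offset   # $null means the DC returned no sample
            ExceedsLimit     = ($null -ne $offset) -and
                               ([math]::Abs($offset) -gt $MaxSkewSeconds)
        }
    }
}

Get-DomainControllerTimeSkew | Format-Table -AutoSize
```

Run it on the WorkSpace and again on a RADIUS server, because each run measures offsets relative to the local clock only.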

Related information

Troubleshoot issues for WorkSpaces Personal

Best practices for deploying Amazon WorkSpaces

How do I resolve the "Directory Unavailable" error in WorkSpaces?

How do I troubleshoot SAML 2.0 authentication issues in WorkSpaces?

Why can't I connect to my WorkSpace after I activated certificate-based authentication?