Azure / RDS-Templates

ARM Templates for Remote Desktop Services deployments
MIT License

Cannot select a Tenant Group #407

Open jasonfare opened 4 years ago

jasonfare commented 4 years ago

I had a pre-deployed instance and when I try to use the drop-down on the initial screen I'm unable to select Default Tenant Group. I cannot type it in either. I tried with an account that has Global Admin and with an account that is just a user of WVD.

jasonfare commented 4 years ago

I was also never prompted to authenticate so not sure if that makes a difference.

stevenzelenko commented 4 years ago

@jasonfare we have this same issue when we are on our network or accessing the UI from an Azure VM. If you are using Chrome, press F12 and then look for "PostLogin". Select Network in there and check if there are $null values for your user.


jasonfare commented 4 years ago

I am connecting from my PC over the internet and seeing that username and such are also null, same StatusCode… Also, from a fresh Chrome browser, it never prompted me to authenticate. I do have the redirect URI configured on the app registration. It actually doesn't prompt me through Chrome, Firefox, or Edge.

stevenzelenko commented 4 years ago

@jasonfare I'm wondering if the app needs to be set to use Azure AD auth? Adding in @ChristianMontoya

jasonfare commented 4 years ago

@stevenzelenko For reference, I followed the directions found here to deploy it: https://docs.microsoft.com/en-us/azure/virtual-desktop/manage-resources-using-ui-powershell

stevenzelenko commented 4 years ago

@jasonfare I used the templates here on GitHub. I don't have an app registration. Like I said, this thing works off of our network so curious if it's an SSO issue.

dieOnleister commented 4 years ago

I can contribute the following to the problem:

I had the same behavior as in the first post after we set trusted IPs for our office in the MFA settings of Azure AD. And I only had the problem with current Firefox and Chrome. In Edge it worked anyway.

Now I have removed the trusted IP again and the WVD Management UI will show up in Firefox and Chrome as usual.

Best Regards Sebastian

stevenzelenko commented 4 years ago

@dieOnleister Yes, we require MFA off of our trusted network ranges. I may try to MFA this web app even on our network. Like I mentioned, this works off of our trusted networks with MFA.

stevenzelenko commented 4 years ago

@dieOnleister @jasonfare - I added the IP of our app to our trusted IP and now it works fine.

jasonfare commented 4 years ago

@stevenzelenko @dieOnleister I added to my trusted IP and it still doesn't authenticate. I think there's something wrong with the configuration of the app on my site in that it never refers to Azure AD to authenticate.

jasonfare commented 4 years ago

@stevenzelenko @dieOnleister Do your apps show "Anonymous access is enabled on the App Service app. Users will not be prompted for login." when you go to the Authentication / Authorization screen in each app? App Service Authentication is Off on both of mine (API and non-API).

stevenzelenko commented 4 years ago

@jasonfare Yes, it's set to off. There should be an app registration, which I believe is where the actual auth happens. I've been working with our in-house app guy who does a lot of App Services work and he's a bit miffed that we have to add the *.azurewebsites.net IPs listed in the properties for the app to our "on-prem" IP allow list. Also, check your app registration (it should contain something like WVD or SaaS in the name) and check auth there. I'm hoping one of the Microsoft guys can comment on why this happens for the web UI.
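Added example (my own, not code from this thread or from the RDS-Templates repo): pulling the outbound addresses from the App Service properties that the comment above refers to, with Az PowerShell, so the allow-list entry can be scripted instead of copied from the portal. The resource group and the two app names are assumptions. One caveat before putting these into the Azure AD MFA trusted-IP list: on a shared App Service plan the egress addresses belong to the scale-unit, not to your app, so other customers' apps on the same stamp use the same addresses, and an MFA exemption keyed on them exempts far more than the WVD management UI. A dedicated plan (App Service Environment) or VNet integration with a NAT gateway is what gives you addresses that are actually yours.

```powershell
# Added example; not part of the RDS-Templates repo or the createWvdMgmtUxAppRegistration.ps1 script.
# Lists the outbound IPs of the WVD management UI and API App Services for an IP allow list.
# Assumptions: resource group and app names below are placeholders; Az.Websites is installed and
# Connect-AzAccount has been run against the right subscription.
$resourceGroup = 'rg-wvd-mgmt'                 # assumption
$appNames      = @('wvdmgmtux', 'wvdmgmtapi')  # assumption: the UI app and the API app

$report = foreach ($name in $appNames) {
    $site = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $name
    # OutboundIpAddresses is what the app uses right now; PossibleOutboundIpAddresses is the
    # superset it can move to after a scale or plan change. Allow-list the superset, otherwise
    # the UI breaks silently the next time the platform shuffles the app.
    [pscustomobject]@{
        App      = $name
        Kind     = $site.Kind
        Current  = $site.OutboundIpAddresses -split ','
        Possible = $site.PossibleOutboundIpAddresses -split ','
    }
}

$report | Format-List

# One de-duplicated, comma-separated list in the form the MFA trusted-IP / firewall UI accepts.
$allowList = ($report.Possible | Where-Object { $_ } | Sort-Object -Unique) -join ','
"Allow list: $allowList"
```

The `Kind` column is there so you notice if the app is on a multi-tenant plan (`app`) rather than an isolated one; if it is, treat the list above as a firewall allow-list input, not as grounds for an MFA exemption.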

jasonfare commented 4 years ago

@stevenzelenko Yeah when I checked the Authentication settings of the app registration, it appears to be configured correctly. I'll wait for someone from the product team or else give up on trying to use this and stick with terraform/powershell for my deployments. Thanks for your help with this so far!

jasonfare commented 4 years ago

I tried re-doing the installation and same thing. I think it might have something to do with the following errors when running the createWvdMgmtUxAppRegistration.ps1 script:

```
Name                                      Account              SubscriptionName  Environment  TenantId
ACTS-DEV01 (2493b31c-20d9-4161-a48a-7...  jfare@actsolutio...  ACTS-DEV01        AzureCloud   88889efb-8738-4...
Creating a new Application in AAD
New-AzADAppCredential : Resource '8442b2a5-25f2-44d8-afb3-44bee9e54ad5' does not exist or one of its queried reference-property objects are not present.
At C:\createWvdMgmtUxAppRegistration.ps1:95 char:2
+  New-AzADAppCredential -ObjectId $azAdApplication.ObjectId -Passwo ...
    + CategoryInfo          : InvalidArgument: (:) [New-AzADAppCredential], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADAppCredentialCommand

Azure AAD Application creation completed successfully with AppName actue2dwvdux1 (Application Id is: 18e6a08b-478c-4952-8a79-cdc391486b42)
Creating a new Service Principal
New-AzADServicePrincipal : Insufficient privileges to complete the operation.
At C:\createWvdMgmtUxAppRegistration.ps1:103 char:22
+ ... icePrincipal = New-AzADServicePrincipal -ApplicationId $applicationId
    + CategoryInfo          : InvalidOperation: (:) [New-AzADServicePrincipal], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADServicePrincipalCommand

Service Principal creation completed successfully for AppName actue2dwvdux1 (Application Id is: 18e6a08b-478c-4952-8a79-cdc391486b42)
Credentials for the service principal are stored in the $servicePrincipalCredentials object
```

Not sure if other people get those errors, but I notice that the app registration doesn't have a service principal associated. After creating, I get prompted to authenticate but still get the same blank screen that can't detect a pool. I'm giving up for now...
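Added example (mine; not the thread's output and not the repo's createWvdMgmtUxAppRegistration.ps1): a check for the state the last comment describes, an app registration with no service principal behind it. The script prints "completed successfully" after both the credential and the service principal steps even though the cmdlets threw, so the only way to know what actually exists is to query the directory. This uses the Application Id from the output above and the same Az.Resources cmdlets the script calls. Note that the old Az.Resources the script was written for exposes the application's object ID as `ObjectId` (visible in the error text), while the newer Graph-based Az.Resources calls it `Id`; the example sticks to `-ApplicationId` parameters, which both accept.

```powershell
# Added example; not part of the RDS-Templates repo.
# Checks that an app registration has a service principal and a credential, and creates the
# service principal if it is missing (the step that failed with "Insufficient privileges" above).
# Assumptions: Az.Resources installed, Connect-AzAccount done against the tenant that owns the
# registration, and the signed-in account allowed to create service principals.
$applicationId = '18e6a08b-478c-4952-8a79-cdc391486b42'   # Application Id from the script output above

$app = Get-AzADApplication -ApplicationId $applicationId
if (-not $app) {
    throw "No app registration with Application Id $applicationId in tenant $((Get-AzContext).Tenant.Id)"
}

# A registration with no service principal cannot be signed in to in this tenant, so the UI never
# redirects to Azure AD and the PostLogin call comes back with $null user fields.
$sp = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $sp) {
    Write-Warning "'$($app.DisplayName)' has no service principal in this tenant; creating one."
    # Requires Application Administrator, Cloud Application Administrator or Global Administrator
    # (or a custom role with the equivalent permission); otherwise this is the
    # "Insufficient privileges to complete the operation" error seen in the output.
    $sp = New-AzADServicePrincipal -ApplicationId $applicationId
}

# The API app authenticates as this registration, so it needs at least one unexpired credential.
$creds = @(Get-AzADAppCredential -ApplicationId $applicationId)
if ($creds.Count -eq 0) {
    Write-Warning "'$($app.DisplayName)' has no client secret or certificate; the credential step of the script did not succeed either."
}

[pscustomobject]@{
    Application      = $app.DisplayName
    ApplicationId    = $applicationId
    ServicePrincipal = $sp.Id
    Credentials      = $creds.Count
}
```

Run it as the account that deployed the templates; if the service principal shows up only after this script creates it, the deployment script's success messages were wrong and the registration was never usable for sign-in, which matches the blank screen and the missing authentication prompt reported above.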