Remote Desktop client something went wrong we couldn't authenticate you

Troubleshoot WorkSpaces issues

The following information can help you troubleshoot issues with your WorkSpaces.

Enabling advanced logging

To help troubleshoot issues that your users might experience, you can enable advanced logging on any Amazon WorkSpaces client. Advanced logging generates log files that contain diagnostic information and debugging-level details, including verbose performance data. For the 1.0+ and 2.0+ clients, these advanced logging files are automatically uploaded to a database in AWS.

Note: To have AWS review the log files that are generated by advanced logging and to receive technical support for issues with your WorkSpaces clients, contact AWS Support. For more information, see AWS Support Center.

Windows clients

The Windows client logs are stored in the following location:

%LOCALAPPDATA%\Amazon Web Services\Amazon WorkSpaces\logs

To enable advanced logging for Windows clients

macOS clients

The macOS client logs are stored in the following location:

~/Library/"Application Support"/"Amazon Web Services"/"Amazon WorkSpaces"/logs

To enable advanced logging for macOS clients

Android clients

To enable advanced logging for Android clients

To retrieve logs for Android clients after enabling advanced logging:

Linux clients

The Linux client logs are stored in the following location:

~/.local/share/Amazon Web Services/Amazon WorkSpaces/logs

To enable advanced logging for Linux clients

The Windows client logs are stored in the following location:

%LOCALAPPDATA%\Amazon Web Services\Amazon WorkSpaces\1.0\Logs

The macOS client logs are stored in the following location:

~/Library/Logs/Amazon Web Services/Amazon WorkSpaces/1.0

Troubleshoot specific issues

The following information can help you troubleshoot specific issues with your WorkSpaces.

I can't create an Amazon Linux WorkSpace because there are non-valid characters in the user name

For Amazon Linux WorkSpaces, user names:

Note: These limitations do not apply to Windows WorkSpaces. Windows WorkSpaces support the @ and - symbols for all characters in the user name.

I changed the shell for my Amazon Linux WorkSpace and now I can't provision a PCoIP session

To override the default shell for Linux WorkSpaces, see Override the default shell for Amazon Linux WorkSpaces.

My Amazon Linux WorkSpaces won't start

Starting July 20, 2020, Amazon Linux WorkSpaces will be using new license certificates. These new certificates are compatible only with versions 2.14.1.1, 2.14.7, 2.14.9, and 20.10.6 or later of the PCoIP agent.

If you're using an unsupported version of the PCoIP agent, you must upgrade it to the latest version (20.10.6), which has the latest fixes and performance improvements that are compatible with the new certificates. If you don't make these upgrades by July 20, session provisioning for your Linux WorkSpaces will fail and your end users won't be able to connect to their WorkSpaces.

To upgrade your PCoIP agent to the latest version

If your Linux WorkSpace still fails to start after you upgrade the PCoIP agent, contact AWS Support.

Launching WorkSpaces in my connected directory often fails

Verify that the two DNS servers or domain controllers in your on-premises directory are accessible from each of the subnets that you specified when you connected to your directory. You can verify this connectivity by launching an Amazon EC2 instance in each subnet and joining the instance to your directory using the IP addresses of the two DNS servers.

Launching WorkSpaces fails with an internal error

Check whether your subnets are configured to automatically assign IPv6 addresses to instances launched in the subnet. To check this setting, open the Amazon VPC console, select your subnet, and choose Subnet Actions, Modify auto-assign IP settings. If this setting is enabled, you cannot launch WorkSpaces using the Performance or Graphics bundles. Instead, disable this setting and specify IPv6 addresses manually when you launch your instances.

When I try to register a directory, the registration fails and leaves the directory in an ERROR state

This problem can occur if you're trying to register an AWS Managed Microsoft AD directory that has been configured for multi-Region replication. Although the directory in the primary Region can be successfully registered for use with Amazon WorkSpaces, attempting to register the directory in a replicated Region fails. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

My users can't connect to a Windows WorkSpace with an interactive logon banner

If an interactive logon message has been implemented to display a logon banner, this prevents users from being able to access their Windows WorkSpaces. The interactive logon message Group Policy setting is not currently supported by WorkSpaces.

Move the WorkSpaces to an organizational unit (OU) where the Interactive logon: Message text for users attempting to log on Group Policy isn't applied.

My users can't connect to a Windows WorkSpace

My users receive the following error when they try to connect to their Windows WorkSpaces:

"An error occurred while launching your WorkSpace. Please try again."

This error often occurs when the WorkSpace can't load the Windows desktop using PCoIP. Check the following:

Another cause of this error is related to the User Rights Assignment Group Policy. If the following group policy is incorrectly configured, it prevents users from being able to access their Windows WorkSpaces:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Note: This policy setting should be applied to Domain Users instead of Domain Computers.

For more information, see Access this computer from the network - security policy setting and Configure security policy settings in the Microsoft Windows documentation.

My users are having issues when they try to log on to WorkSpaces from WorkSpaces Web Access

Amazon WorkSpaces relies on a specific logon screen configuration to enable users to successfully log on from their Web Access client.

To enable Web Access users to log on to their WorkSpaces, you must configure a Group Policy setting and three Security Policy settings. If these settings are not correctly configured, users might experience long logon times or black screens when they try to log on to their WorkSpaces. To configure these settings, see Enable and configure Amazon WorkSpaces Web Access.

Important: Beginning October 1, 2020, customers will no longer be able to use the Amazon WorkSpaces Web Access client to connect to Windows 7 custom WorkSpaces or to Windows 7 Bring Your Own License (BYOL) WorkSpaces.

The Amazon WorkSpaces client displays a gray "Loading..." screen for a while before returning to the login screen. No other error message appears.

This behavior usually indicates that the WorkSpaces client can authenticate over port 443, but can't establish a streaming connection over port 4172 (PCoIP) or port 4195 (WSP). This situation can occur when network prerequisites aren't met. Issues on the client side often cause the network check in the client to fail. To see which health checks are failing, choose the network check icon (typically a red triangle with an exclamation point in the bottom-right corner of the login screen for 2.0+ clients or the network icon in the upper-right corner of the 3.0+ clients).

Note: The most common cause of this problem is a client-side firewall or proxy preventing access over port 4172 or 4195 (TCP and UDP). If this health check fails, check your local firewall settings.

If the network check passes, there might be a problem with the network configuration of the WorkSpace. For example, a Windows Firewall rule might block port UDP 4172 or 4195 on the management interface. Connect to the WorkSpace using a Remote Desktop Protocol (RDP) client to verify that the WorkSpace meets the necessary port requirements.

My users receive the message "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes."

This error usually indicates the SkyLightWorkSpacesConfigService service isn't responding to health checks.

If you just rebooted or started your WorkSpace, wait a few minutes, and then try again.

If the WorkSpace has been running for some time and you still see this error, connect using RDP to verify that the SkyLightWorkSpacesConfigService service:

My users receive the message "This device is not authorized to access the WorkSpace. Please contact your administrator for assistance."

This error indicates that IP access control groups are configured on the WorkSpace directory, but the client IP address isn't whitelisted.

Check the settings on your directory. Confirm that the public IP address the user is connecting from allows access to the WorkSpace.

My users receive the message "No network. Network connection lost. Check your network connection or contact your administrator for help." when trying to connect to a WSP WorkSpace

If this error occurs and your users don't have connectivity issues, make sure that port 4195 is open on your network's firewalls. For WorkSpaces using the WorkSpaces Streaming Protocol (WSP), the port used to stream the client session was changed from 4172 to 4195.

The WorkSpaces client gives my users a network error, but they are able to use other network-enabled apps on their devices

The WorkSpaces client applications rely on access to resources in the AWS Cloud, and require a connection that provides at least 1 Mbps download bandwidth. If a device has an intermittent connection to the network, the WorkSpaces client application might report an issue with the network.

WorkSpaces enforces the use of digital certificates issued by Amazon Trust Services, as of May 2018. Amazon Trust Services is already a trusted Root CA on the operating systems that are supported by WorkSpaces. If the Root CA list for the operating system is not up to date, the device cannot connect to WorkSpaces and the client gives a network error.

To recognize connection issues due to certificate failures

To resolve certificate failures

Windows client application

Use one of the following solutions for certificate failures.

Solution 1: Update the client application

Download and install the latest Windows client application from Amazon WorkSpaces Client Downloads. During installation, the client application ensures that your operating system trusts certificates issued by Amazon Trust Services.

Solution 2: Add Amazon Trust Services to the local Root CA list

Solution 3: Deploy Amazon Trust Services as a trusted CA using Group Policy

Add the Starfield certificate to the trusted Root CAs for the domain using Group Policy. For more information, see Use Policy to Distribute Certificates.

PCoIP zero clients

To connect directly to a WorkSpace using firmware version 6.0 or later, download and install the certificate issued by Amazon Trust Services.

To add Amazon Trust Services as a trusted Root CA

Other client applications

Add the Starfield certificate (2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92) from Amazon Trust Services. For more information about how to add a Root CA, see the following documentation:

My WorkSpace users see the following error message: "Device can't connect to the registration service. Check your network settings."

When a registration service failure occurs, your WorkSpace users might see the following error message on the Connection Health Check page: "Your device is not able to connect to the WorkSpaces Registration service. You will not be able to register your device with WorkSpaces. Please check your network settings."

This error occurs when the WorkSpaces client application can't reach the registration service. Typically, this happens when the WorkSpaces directory has been deleted. To resolve this error, make sure that the registration code is valid and corresponds to a running directory in the AWS Cloud.

My PCoIP zero client users are receiving the error "The supplied certificate is invalid due to timestamp"

If Network Time Protocol (NTP) isn't enabled in Teradici, your PCoIP zero client users might receive certificate failure errors. To set up NTP, see Set up PCoIP zero clients for WorkSpaces.

USB printers and other USB peripherals aren't working for PCoIP zero clients

Starting with version 20.10.4 of the PCoIP agent, Amazon WorkSpaces disables USB redirection by default through the Windows registry. This registry setting affects the behavior of USB peripherals when your users are using PCoIP zero client devices to connect to their WorkSpaces.

If your WorkSpaces are using version 20.10.4 or later of the PCoIP agent, USB peripheral devices won't work with PCoIP zero client devices until you've enabled USB redirection.

Note: If you're using 32-bit virtual printer drivers, you must also update those drivers to their 64-bit versions.

To enable USB redirection for PCoIP zero client devices

We recommend that you push out these registry changes to your WorkSpaces through Group Policy. For more information, see Configuring the agent and Configurable settings in the Teradici documentation.

My users skipped updating their Windows or macOS client applications and aren't getting prompted to install the latest version

When users skip updates to the Amazon WorkSpaces Windows client application, the SkipThisVersion registry key gets set, and they are no longer prompted to update their clients when a new version of the client is released. To update to the latest version, you can edit the registry as described in Update the WorkSpaces Windows Client Application to a Newer Version in the Amazon WorkSpaces User Guide. You can also run the following PowerShell command:

Remove-ItemProperty -Path "HKCU:\Software\Amazon Web Services. LLC\Amazon WorkSpaces\WinSparkle" -Name "SkipThisVersion"

When users skip updates to the Amazon WorkSpaces macOS client application, the SUSkippedVersion preference gets set, and they are no longer prompted to update their clients when a new version of the client is released. To update to the latest version, you can reset this preference as described in Update the WorkSpaces macOS Client Application to a Newer Version in the Amazon WorkSpaces User Guide.

My users are unable to install the Android client application on their Chromebooks

Version 2.4.13 is the final release of the Amazon WorkSpaces Chromebook client application. Because Google is phasing out support for Chrome Apps, there will be no further updates to the WorkSpaces Chromebook client application, and its use is unsupported.

For Chromebooks that support installing Android applications, we recommend using the WorkSpaces Android client application instead.

In some cases, you might need to enable your users' Chromebooks to install Android applications. For more information, see Set up Android for Chromebooks.

My users aren't receiving invitation emails or password reset emails

Users do not automatically receive welcome or password reset emails for WorkSpaces that were created using AD Connector or a trusted domain.

Invitation emails also aren't sent automatically if the user already exists in Active Directory.

To manually send welcome emails to these users, see Send an invitation email.

To reset user passwords, see Set up Active Directory Administration Tools for WorkSpaces.

My users don't see the Forgot password? option on the client login screen

If you're using AD Connector or a trusted domain, your users won't be able to reset their own passwords. (The Forgot password? option on the WorkSpaces client application login screen won't be available.) For information about how to reset user passwords, see Set up Active Directory Administration Tools for WorkSpaces.

I receive the message "The system administrator has set policies to prevent this installation" when I try to install applications on a Windows WorkSpace

You can address this issue by modifying the Windows Installer Group Policy setting. To deploy this policy to multiple WorkSpaces in your directory, apply this setting to a Group Policy object that is linked to the WorkSpaces organizational unit (OU) from a domain-joined EC2 instance. If you are using AD Connector, you can make these changes from a domain controller. For more information about using the Active Directory administration tools to work with Group Policy objects, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

The following procedure shows how to configure the Windows Installer setting for the WorkSpaces Group Policy object.

No WorkSpaces in my directory can connect to the internet

WorkSpaces cannot communicate with the internet by default. You must explicitly provide internet access. For more information, see Provide internet access from your WorkSpace.

My WorkSpace has lost its internet access

If your WorkSpace has lost access to the internet and you can't connect to the WorkSpace by using RDP, this issue is probably caused by the loss of the public IP address for the WorkSpace. If you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

We recommend that you not modify the elastic network interface of a WorkSpace after the WorkSpace is launched. After an Elastic IP address has been assigned to a WorkSpace, the WorkSpace retains the same public IP address (unless the WorkSpace is rebuilt, in which case it gets a new public IP address).

I receive a "DNS unavailable" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory.

DNS unavailable (TCP port 53) for IP: dns-ip-address

AD Connector must be able to communicate with your on-premises DNS servers via TCP and UDP over port 53. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over this port.

I receive a "Connectivity issues detected" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory.

Connectivity issues detected: LDAP unavailable (TCP port 389) for IP: ip-address
Kerberos/authentication unavailable (TCP port 88) for IP: ip-address
Please ensure that the listed ports are available and retry the operation.

AD Connector must be able to communicate with your on-premises domain controllers via TCP and UDP over the following ports. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over these ports:
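
The AD Connector messages quoted above name the failing service, TCP port and IP address. As an added example (not AWS code), this Python script parses such messages into a per-IP list of ports to verify over both TCP and UDP; the sample message and its 10.0.0.x addresses are constructed, and `tcp_reachable` is a hypothetical helper for a manual probe.

```python
import ipaddress
import re
import socket

# Message shape quoted on this page, for example:
#   "LDAP unavailable (TCP port 389) for IP: 10.0.0.10"
UNAVAILABLE_RE = re.compile(
    r"\b(?P<service>[A-Za-z][A-Za-z/]*) unavailable "
    r"\(TCP port (?P<port>\d{1,5})\) for IP: (?P<ip>[0-9A-Fa-f:.]+)"
)

# Constructed sample: one directory error with real-looking addresses filled in.
SAMPLE_MESSAGE = (
    "Connectivity issues detected: "
    "LDAP unavailable (TCP port 389) for IP: 10.0.0.10 "
    "Kerberos/authentication unavailable (TCP port 88) for IP: 10.0.0.10 "
    "DNS unavailable (TCP port 53) for IP: 10.0.0.11 "
    "Please ensure that the listed ports are available and retry the operation."
)


def parse_findings(message):
    """Return sorted, unique (ip, service, port) tuples named in an error message."""
    findings = set()
    for match in UNAVAILABLE_RE.finditer(message):
        try:
            ip = str(ipaddress.ip_address(match.group("ip").rstrip(".")))
        except ValueError:
            continue  # placeholder text or a mangled address: nothing to check
        port = int(match.group("port"))
        if 0 < port < 65536:
            findings.add((ip, match.group("service"), port))
    return sorted(findings)


def firewall_checklist(message):
    """Map each IP to the (port, protocol) pairs to verify.

    The page asks for TCP and UDP on every listed port, so both are emitted
    even though the error text only mentions TCP.
    """
    checklist = {}
    for ip, _service, port in parse_findings(message):
        rules = checklist.setdefault(ip, set())
        rules.update({(port, "tcp"), (port, "udp")})
    return {ip: sorted(rules) for ip, rules in checklist.items()}


def tcp_reachable(ip, port, timeout=3.0):
    """Best-effort TCP probe (hypothetical helper); UDP is not probed here."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for ip, rules in firewall_checklist(SAMPLE_MESSAGE).items():
        for port, proto in rules:
            print(f"verify security group and firewall: {ip} {proto}/{port}")
```

Run `tcp_reachable` from a host in the same subnet that AD Connector uses, since a probe from elsewhere crosses different security groups and firewalls.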

I receive an "SRV record" error when I try to connect to my on-premises directory

You receive an error message similar to one or more of the following when connecting to your on-premises directory.

SRV record for LDAP does not exist for IP: dns-ip-address
SRV record for Kerberos does not exist for IP: dns-ip-address

AD Connector needs to obtain the _ldap._tcp.dns-domain-name and _kerberos._tcp.dns-domain-name SRV records when connecting to your directory. You get this error if the service cannot obtain these records from the DNS servers that you specified when connecting to your directory. Make sure that your DNS servers contain these SRV records. For more information, see SRV Resource Records on Microsoft TechNet.

My Windows WorkSpace goes to sleep when it's left idle

To resolve this issue, connect to the WorkSpace and change the power plan to High performance by using the following procedure:

If the preceding steps do not solve the issue, do the following:

One of my WorkSpaces has a state of UNHEALTHY

The WorkSpaces service periodically sends status requests to a WorkSpace. A WorkSpace is marked UNHEALTHY when it fails to respond to these requests. Common causes for this problem are:

You can attempt to correct the situation using the following methods:

My WorkSpace is unexpectedly crashing or rebooting

If your WorkSpace configured for PCoIP is repeatedly crashing or rebooting and your error logs or crash dumps are pointing to problems with spacedeskHookKmode.sys or spacedeskHookUmode.dll, or if you're receiving the following error messages, you might need to disable Web Access to the WorkSpace:

The kernel power manager has initiated a shutdown transition. Shutdown reason: Kernel API
The computer has rebooted from a bugcheck.

Note

To disable Web Access to the WorkSpace, you must set a group policy and modify two registry settings. For information about using the Active Directory administration tools to work with Group Policy Objects, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

Step 1: Set a Group Policy to disable Web Access at the directory level

You must make these changes from a PCoIP WorkSpace instead of a domain controller because the STXHD Hosted Application Service must be present.

Step 2: Edit the Registry to disable Web Access

We recommend that you push out these registry changes through GPO.

The same username has more than one WorkSpace, but the user can log in to only one of the WorkSpaces

If you delete a user in Active Directory (AD) without first deleting their WorkSpace and then you add the user back to Active Directory and create a new WorkSpace for that user, the same username will now have two WorkSpaces in the same directory. However, if the user tries to connect to their original WorkSpace, they will receive the following error:

"Unrecognized user. No WorkSpace found under your username. Contact your administrator to request one."

Additionally, searches for the username in the Amazon WorkSpaces console return only the new WorkSpace, even though both WorkSpaces still exist. (You can find the original WorkSpace by searching for the WorkSpace ID instead of the username.)

This behavior can also occur if you rename a user in Active Directory without first deleting their WorkSpace. If you then change their username back to the original username and create a new WorkSpace for the user, the same username will have two WorkSpaces in the directory.

This problem occurs because Active Directory uses the user's security identifier (SID), rather than the username, to uniquely identify the user. When a user is deleted and recreated in Active Directory, the user is assigned a new SID, even if their username remains the same. During searches for a username, the Amazon WorkSpaces console uses the SID to search Active Directory for matches. The Amazon WorkSpaces clients also use the SID to identify users when they are connecting to WorkSpaces.

To resolve this problem, do one of the following:

I'm having trouble using Docker with Amazon WorkSpaces

Windows WorkSpaces

Nested virtualization (including the use of Docker) is not supported on Windows WorkSpaces. For more information, see the Docker documentation.

Linux WorkSpaces

To use Docker on Linux WorkSpaces, make sure that the CIDR blocks used by Docker don't overlap with the CIDR blocks used in the two elastic network interfaces (ENIs) associated with the WorkSpace. If you encounter problems with using Docker on Linux WorkSpaces, contact Docker for assistance.

I receive ThrottlingException errors to some of my API calls

The default allowed rate for WorkSpaces API calls is a constant rate of two API calls per second, with a maximum allowed "burst" rate of five API calls per second. The following table shows how the burst rate limit works for API requests.
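
As an added example (not AWS code), the limit described above can be modeled on the client side as a token bucket that holds at most five calls and refills at two calls per second. Treating the service's throttling as a token bucket is an assumption, and the request schedule in `SCHEDULE` is constructed.

```python
import time


class TokenBucket:
    """Client-side pacer: `capacity` calls may burst, then `rate` calls per second."""

    def __init__(self, rate=2.0, capacity=5.0, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.tokens = capacity      # start full, so an initial burst is allowed
        self.last = clock()

    def refill(self):
        now = self.clock()
        earned = (now - self.last) * self.rate
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last = now

    def try_acquire(self):
        """Consume one token if available; False means the call would be throttled."""
        self.refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def delay_for_next_call(self):
        """Seconds to wait before the next call would be admitted (0.0 if now)."""
        self.refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.rate


def paced_call(bucket, fn, sleep=time.sleep):
    """Wait until the bucket admits a call, then invoke fn() instead of being throttled."""
    while not bucket.try_acquire():
        sleep(bucket.delay_for_next_call())
    return fn()


def simulate(schedule, rate=2.0, capacity=5.0):
    """Replay requests sent at the start of each second.

    Returns [(second, accepted, throttled)] under the token-bucket assumption.
    """
    now = [0.0]
    bucket = TokenBucket(rate, capacity, clock=lambda: now[0])
    rows = []
    for second, wanted in enumerate(schedule, start=1):
        now[0] = float(second - 1)
        accepted = sum(bucket.try_acquire() for _ in range(wanted))
        rows.append((second, accepted, wanted - accepted))
    return rows


# Constructed schedule: requests submitted in seconds 1 through 5.
SCHEDULE = [7, 3, 1, 0, 6]

if __name__ == "__main__":
    for second, accepted, throttled in simulate(SCHEDULE):
        print(f"second {second}: accepted={accepted} throttled={throttled}")
```

Wrapping each API call in `paced_call` keeps a script under the modeled limit, so a ThrottlingException becomes the exception rather than the normal retry path.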

My WorkSpace keeps disconnecting when I let it run in the background

For Mac users, check to see if the Power Nap feature is on. If it is on, turn it off. To turn Power Nap off, open your terminal and run the following command:

defaults write com.amazon.workspaces NSAppSleepDisabled -bool YES