AD Account login for Azure Data Science VM

Nandan Hegde 29,896 Reputation points MVP
2020-12-07T10:12:22.103+00:00

Hello All,
I have created an Azure Data Science Windows VM and I am able to log in to it via the SQL account that was used to create it.
I need to log in to that VM via an Azure AD account which was created, and link that VM to the domain.
I tried the below steps:

1) Enabled AAD extension in the VM:
(screenshot: 45751-aad.png)

2) Added the AD account in the Access control IAM under VM administrator login
(screenshot: 45578-role.png)

3) Added these two properties to the RDP file:

enablecredsspsupport:i:0
authentication level:i:2

4) Via Windows Settings, added the account within the VM:
(screenshot: 45744-ws.png)

Still I am unable to log in to the VM via the AD account (error message: failed logon) but able to log in via the SQL account.

Analysis:

1) Whether AD is linked:
Executed the command in the CMD line: dsregcmd /status

The output was:
(screenshot: 45761-cmd.png)

2) In AD, checked the user login failure logs:

(screenshot: 45725-logs.png)

So what am I missing out or doing wrong ?


Accepted answer
Nandan Hegde (MVP)
2020-12-07T10:22:26.663+00:00

    Adding to the above points, when I tried to join the VM to the domain via Server Manager:
    (screenshot: 45726-domain.png)

    I got the error:

    Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\windows\debug\dcdiag.txt.  
      
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "xyz.onmicrosoft.com":  
      
    The error was: "DNS name does not exist."  
    (error code 0x0000232B RCODE_NAME_ERROR)  
      
    The query was for the SRV record for _ldap._tcp.dc._msdcs.xyz.onmicrosoft.com  
      
    Common causes of this error include the following:  
      
    - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:  
      
    168.63.129.16  
      
    - One or more of the following zones do not include delegation to its child zone:  
      
    xyz.onmicrosoft.com  
    onmicrosoft.com  
    com  
    . (the root zone)  

1 additional answer

2020-12-08T19:16:55.927+00:00

    Hello @Nandan Hegde, please go through the requirements and ensure that:

    1. You're connecting from a Windows 10 PC that is either Azure AD registered (starting with Windows 10 20H1), Azure AD joined or hybrid Azure AD joined to the same directory as the VM.
    2. If using an Azure AD registered Windows 10 PC, you are entering the credentials in the AzureAD\UPN format (e.g. AzureAD\john@Company portal .com).

    Also keep in mind that once AAD login is enabled, your Windows VMs in Azure will be Azure AD joined. You cannot join them to another domain such as on-premises AD or Azure AD DS.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

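The steps in the question (extension, IAM role, RDP file properties) and the requirements in the answer above (client join state, AzureAD\UPN user name, VM must not be joined to any other domain) can be checked and applied in one script. The following is an added example, not code from the original thread or from Microsoft; it assumes the Az PowerShell module with a signed-in session that can manage the VM and assign roles, and every name in it (myRG, myDSVM, user@contoso.onmicrosoft.com, 203.0.113.10) is a placeholder. The join-state function is meant to be run on the VM (through the working local-account session) and on the client PC; the accepted answer's DNS error is what you get when a machine is asked to find domain controllers for an Azure AD tenant name, which has none, so a successful dsregcmd "AzureAdJoined : YES" with "DomainJoined : NO" is the state to aim for rather than a Server Manager domain join.

```powershell
#Requires -Modules Az.Compute, Az.Resources
# Added example, not from the original thread. All names below are placeholders.
# Assumes Connect-AzAccount has already been run with rights to manage the VM
# and to create role assignments on it.
$rg  = 'myRG'
$vm  = 'myDSVM'
$upn = 'user@contoso.onmicrosoft.com'
$ip  = '203.0.113.10'

# ---- Control plane: run from the admin workstation -------------------------

$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vm

# 1) The extension must be AADLoginForWindows from Microsoft.Azure.ActiveDirectory
#    and must have provisioned successfully (an extension stuck in Failed state
#    looks "enabled" in the portal but does nothing at logon).
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vm -Name 'AADLoginForWindows' `
           -ErrorAction SilentlyContinue
if (-not $ext -or $ext.ProvisioningState -ne 'Succeeded') {
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vm -Location $vmObj.Location `
        -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
        -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion '1.0'
}

# 2) RBAC scoped to the VM resource itself. 'Virtual Machine Administrator Login'
#    grants local admin; 'Virtual Machine User Login' is the least-privilege option
#    for people who only need a desktop session.
$role = 'Virtual Machine Administrator Login'
$ra = Get-AzRoleAssignment -Scope $vmObj.Id -SignInName $upn -RoleDefinitionName $role `
          -ErrorAction SilentlyContinue
if (-not $ra) {
    New-AzRoleAssignment -Scope $vmObj.Id -SignInName $upn -RoleDefinitionName $role
}

# 3) RDP file: CredSSP off and NLA-level authentication so the Azure AD credential
#    is entered at the Windows logon screen, with the user name in AzureAD\UPN form.
$rdp = @"
full address:s:$ip
username:s:AzureAD\$upn
enablecredsspsupport:i:0
authentication level:i:2
"@
$rdpPath = Join-Path $env:USERPROFILE "Desktop\${vm}.rdp"
Set-Content -Path $rdpPath -Value $rdp -Encoding ASCII

# ---- Join-state check: run on the VM and on the client PC -------------------

function Get-DsregState {
    # Parses 'dsregcmd /status' into a hashtable of the YES/NO flags that matter here.
    $out   = dsregcmd /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $m = $out | Select-String -Pattern "^\s*$key\s*:\s*(YES|NO)" | Select-Object -First 1
        $state[$key] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    return $state
}

$s = Get-DsregState
# VM side:     AzureAdJoined must be YES and DomainJoined must be NO. A machine joined
#              to AD DS or Azure AD DS cannot also be Azure AD joined, so an Azure AD
#              login VM must not be domain joined through Server Manager.
# Client side: AzureAdJoined YES (joined) or WorkplaceJoined YES (registered), in the
#              same tenant as the VM, otherwise the logon fails before reaching RBAC.
$s.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.Value }

# On the VM, failed Azure AD logons are written to the AAD operational log; this is
# more specific than the Entra sign-in blade when the failure is local to the machine.
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message
```

Run the control-plane section once from the workstation, then run the dsregcmd check on the client and on the VM separately; if either machine reports DomainJoined YES or the VM reports AzureAdJoined NO, the RDP settings and the role assignment cannot help until that join state is corrected.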