SamGray-0424 asked JamesTran-MSFT answered

Cannot Login to Azure AD Connected VM


I have a number of Azure AD connected VMs already provisioned and running, but these were created last year. I have zero problems logging into those with Azure user credentials. Recently I tried to create a new Azure AD connected VM (Windows 10), assigned the Virtual Machine Administrator and Virtual Machine User Login RBAC roles to my user, but cannot log in to the new VM. I have no problem signing in to the new VM with the built-in administrator account I created with the VM.

If I connect to one of my other Azure AD connected VMs (created last year) on the same subnet and attempt to ping the new VM by its hostname (hostname.domain.com) I get no response, but pings to its local IP are good. Alternatively, if I log in to the new VM and try to ping another Azure AD connected VM (on the same subnet) by its hostname only, I get nothing, but if I ping it by its FQDN (hostname.domain.com) then I get a good ping back. Something in Azure has definitely changed that I'm not aware of, because every time I have provisioned a new VM in the past, I haven't had any problems until recently.
Any guidance or suggestions would be greatly appreciated.

Thanks.



Tags: azure-active-directory, azure-virtual-machines

@SamGray-0424 If both VMs are in the same VNET they should be able to use the hostname for resolution. Are you using Azure DNS private zone or Azure-provided name resolution?

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances


Both VMs are connected to the same vNet, however DNS for the vNet is pointed at the AADDS, which I'm assuming was configured automatically when we set up the AADDS, which we use to sync our on-prem accounts to AzureAD. We have a mix of both Azure-only and on-prem synced users. At any rate, right now DNS is "custom" with two IPs belonging to the AADDS NIC. I'm a bit cautious of flipping that setting over to "Azure-provided"; I don't know what problems it may cause with on-prem users attempting to authenticate to Azure resources.

SamGray-0424 answered

I figured this out on my own.
The VM has to be joined to the AzureAD domain via System Properties, the same way a host is joined to an on-prem AD-DC, and NOT via "Access work and school".

JamesTran-MSFT answered

@SamGray-0424
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Error:

Event ID 4625: Unknown username or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064 Bad Username



Solution:

The VM has to be joined to the AzureAD domain via System Properties, the same way a host is joined to an on-prem AD-DC, and NOT via "Access work and school".


If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


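The checks below are an added diagnostic script, not part of the original thread or any Microsoft tooling. It gathers, on the affected VM, the three things this thread turned on: the join state reported by `dsregcmd /status` (a System Properties domain join shows `DomainJoined : YES`, while "Access work and school" registration does not), the DNS client configuration that decides whether a short hostname gets the AADDS suffix appended, and recent Event ID 4625 entries whose SubStatus is 0xC0000064, the code from the error above. `PEER-VM-HOSTNAME` and `domain.com` are placeholders; run it in an elevated PowerShell session on the VM that refuses the Azure AD logon.

```powershell
# Added example, not from the thread. Assumes an elevated session on the Windows 10 VM.
param(
    [string]$PeerHost  = 'PEER-VM-HOSTNAME',  # placeholder: a VM on the same subnet
    [string]$DnsSuffix = 'domain.com'         # placeholder: the AADDS domain suffix
)

# 1. Join state. A System Properties join to the AADDS domain yields DomainJoined : YES
#    together with AzureAdJoined; "Access work and school" only registers the device.
$status = dsregcmd /status
$status | Select-String -Pattern 'AzureAdJoined|DomainJoined|WorkplaceJoined|DomainName'

# 2. DNS client configuration: servers in use (the two AADDS addresses in this thread)
#    and the suffix list that turns "hostname" into "hostname.domain.com" on lookup.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
(Get-DnsClientGlobalSetting).SuffixSearchList
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix

# 3. Resolve the short name and the FQDN separately to reproduce the ping symptom.
foreach ($name in @($PeerHost, "$PeerHost.$DnsSuffix")) {
    try {
        $r = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
        '{0} -> {1}' -f $name, ($r.IPAddress -join ', ')
    } catch {
        '{0} -> FAILED: {1}' -f $name, $_.Exception.Message
    }
}

# 4. Recent failed logons with SubStatus 0xC0000064 (user name does not exist).
#    Event 4625 carries Status and SubStatus as named EventData fields in its XML.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Status    = $d.Status
            SubStatus = $d.SubStatus
            LogonType = $d.LogonType
        }
    } |
    Where-Object { $_.SubStatus -eq '0xc0000064' } |
    Format-Table -AutoSize
```

Step 3 is the quick discriminator: if the FQDN resolves but the short name does not, the VM's suffix search list or connection-specific suffix is missing the AADDS domain, which is a DNS client setting on the VM rather than a vNet DNS change. Step 4 shows which account name Windows actually evaluated for each failure; a SubStatus of 0xC0000064 means the name was not known to the authority the VM consulted, which is consistent with a device that is registered but not domain-joined.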