Unable to login: "Error: Your user account is disa...

Michael42 · ‎09-14-2015

Hello community,

since a couple of days (maybe since the update from 6.1.1 to 6.2?) i cannot login user a user account from Domain B. If i log in with a user from Domain A everything is fine.

Logging in itself works via Horizon Client - I can see all available Desktops, but as soon as I connect to a Desktop, the message "Error: Your user account is disabled" appears.

The Domain is green on the Dashboard on the connection server. Where could this error come from?

vTimD · ‎09-14-2015

Pull up the user account showing "disabled" in the Active Directory Users and Computers snap-in. Is the account, for sure, not set to disabled?

-vTimD http://www.vtimd.com If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points.

bansne · ‎09-14-2015

May be you forgot to have access been allowed from user B. Check the security or if enabled then AD policies

Michael42 · ‎09-14-2015

The account is not disabled in Active Directory Users and Computers. I also tested creating a new account.

Michael42 · ‎09-15-2015

Any ideas? This problem is driving me crazy. The domain account itself is good. I was even able the entitle the user as an administrator on a horizon connection server. I guess that is the proof that the user account is not disabled and communication with the domain is not a problem.

vTimD · ‎09-15-2015

Could you post a screenshot of the error? I'm just curious exactly where its coming from. Also, have you checked the windows event logs to see if anything from the user logon process is reporting?

-vTimD http://www.vtimd.com If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points.

larsonm · ‎09-15-2015

Edit...Is the Connection Server and desktops are in Domain A? Do you have a one-way trust, where Domain A trusts Domain B, or does a two-way trust exist?

Michael42 · ‎09-15-2015

- I checked the Windows Event logs on the client, connection server, domain and vdi desktop (nothing special)

- I checked the connection server logs (nothing special)

- I could login with RDP on the VDI desktop (not using the connection server)

I attached a screenshot.

Michael42 · ‎09-15-2015

The connection servers are in domain A, the desktops and users are in domain B. The domains have a two-way trust.

larsonm · ‎09-15-2015

Are specific logon hours set for this user account, or does the account have an expiration date?

Edit: Is the user account able to log into the desktop directly, without using View?

Also, what version of Windows and functional level of AD are these two domains?

MCNetAdmin · ‎11-03-2015

Did you find a resolution for this? We just upgraded from 6.0.1 to 6.2 last night now we have the same issue.

MiroVM · ‎02-25-2016

Hi,

did anyone find a solution for this? As per logs it looks like the server is not able to verify if the account is enabled or not so by default assumes it is. I came across the same problem when i upgraded from version 6.1 to 6.2

There are more details in this thread: View 6.2 bug? however i do not have the domain in the domain exclude list so the solution does not apply for me

dbaarty · ‎11-20-2017

Restart the ESX Appliance

HussamRabaya · ‎11-20-2017

i have encountered somehow similar issue and we found that issue is related to ADAM replication and and AD restriction

the solution was giving the connection servers computer object in AD proper permissions to read our user accounts.this we found it in one of the blogs and it worked

lostinit1 · ‎10-24-2018

I have the same error but the domain is internal?

I've completely rebuild and updated from 7.2 to 7.4 and same issue?

Can anybody else recommend anything to try?

I granted the Connection servers permissions in AD but no change?

sjesse · ‎10-24-2018

I don't think it helps, but what I do is create ad security groups in both domains, and in the domain the connection servers are in I nest the security groups from the other domain in them. You need to set the security type to domain local though in the connection servers domain though. I'd check AD logs and see if you can find any logon attempts and see if there is anything that might be related.

HussamRabaya · ‎10-24-2018

what desktop pool is this , full clone or linked clone

and is it quick prep or sysprep?

have a look in the below KB

VMware Knowledge Base

lostinit1 · ‎10-26-2018

Thanks for the replies

Its a linked Clone. I will try with instant clones.

We only have 1 domain which is what I'm finding difficult to fathom.

In the KB link

Am I granting the user groups authenticate access to the Connection servers?

Open Active Directory Users and Computers in the Trusting domain.
In the console tree, click the Computers container or the container in which your Connection server(s) objects are located.
Right-click the computer objects that you want users in the trusted domain or forest to access and click Properties. WOULD THIS BE CONNECTION SERVERS OR THE CLONES?
In the Security tab, add View user(s) or Groups from Trusted domain.
Click the user name(s) or group names and select the Allow box next to Allowed to Authenticate permission.
Click OK.

If its the Connection servers - i added the group to each connection server and ticked "allow to authenticate" but same outcome.

I can login to the first part on Horizon, its only when I click on the desktop to connect.

The logs state:

ser/group sid S-1-5-21-4022429963-2730301100-1384851047-1466 not found in Active Directory

([SESSION:dd96_***_5917]) Could not determine if user account (test) is valid for logon from AD, assuming disabled.

sjesse · ‎10-26-2018

I'm confused I thought you said you had two domains?

lostinit1 · ‎10-26-2018

Apologies, i hijacked this thread. Original post has 2 domains but I'm having the exact same issue with just a single domain?

I'm guessing the fix must be the same though?

All

Unable to login: "Error: Your user account is disabled"