Are you unable to authenticate to WorkSpace using WorkSpaces client in Amazon? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see steps followed by our Support Techs to resolve it.

Unable to authenticate to WorkSpace using WorkSpaces client in Amazon?

The Amazon WorkSpaces client depends on many special services and network settings.

When the client fails to load the WorkSpace, that failure is usually because one of these prerequisites is incorrectly configured or unavailable.

Today, let us see the common errors and solutions provided by our Support Techs.

After authenticating, the Amazon WorkSpaces client expands and displays a gray “Loading…” screen for a while before returning to the login screen. No other error message appears.

This error usually indicates that the Amazon WorkSpaces client can authenticate over port 443, but can’t establish a streaming connection over port 4172.

This can happen when network prerequisites aren’t met.

Issues on the client side often cause the network check in the bottom-right corner of the client to fail.

Click the icon (typically a red triangle with an exclamation point) to see which health checks are failing.

Note: The most common cause is a client-side firewall or proxy preventing access over port 4172 (TCP and UDP).

If this health check fails, check your local firewall settings.

Passing the network check often indicates a problem with network configuration on the WorkSpace.

“WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes.”

This error usually indicates that the SkyLightWorkSpacesConfigService service isn’t responding to health checks.

If you just reboot or start your WorkSpace, wait a few minutes, and then try again.

If the WorkSpace has been running for some time and you still see this error, verify that the SkyLightWorkSpacesConfigService service:

• is running
• is set to start automatically
• can communicate over the management interface (eth0)
• isn’t block by any third-party antivirus software

To verify that the SkyLightWorkSpacesConfigService service meets the preceding requirements, follow these steps:

1.Firstly, connect using RDP.

2.Then open Windows PowerShell, and then run the following command:

netstat -ano | findstr "8200"

This returns the following:

TCP Management_IP_Address_Of_WorkSpace:8200 0.0.0.0:0

If the command doesn’t return the preceding entry, verify that SkyLightWorkSpacesConfigService is running.

If it’s stops, start it. Within a minute, the service begins listening on TCP port 8200 for the private IP address of your WorkSpace.

“An error occurred while launching your WorkSpace. Please try again.”

This error often occurs when the WorkSpace can’t load the Windows desktop using PCoIP.

Check the following:

• Interactive logon banner group policies currently aren’t support on Amazon WorkSpaces.

Try moving the WorkSpace to an organizational unit (OU) where the Interactive logon: Message text for users attempting to log on group policy isn’t applied.

• If the PCoIP agent is uninstalled, reboot the WorkSpace through the Amazon WorkSpaces console to reinstall it automatically.
• This message also appears if the PCoIP Standard Agent for Windows service isn’t running.

Follow these steps to verify that the service is running, set to start automatically, and can communicate over the management interface (eth0):

1. Firstly, connect using RDP.

2. Then, open Windows PowerShell and run the following command:

netstat -ano | findstr "8200"

This returns the following:

TCP Management_IP_Address_Of_WorkSpace:8200 0.0.0.0:0

If the command doesn’t return the preceding entry, verify that SkyLightWorkSpacesConfigService is running.

If it stops, start it.

Within a minute, the service begins listening on TCP port 8200 for the private IP address of your WorkSpace.

3. Finally, run the following command:

netstat -ano | findstr "4172"

This returns the following:

TCP Management_IP_Address_Of_WorkSpace:4172 0.0.0.0:0 LISTENING

If the command doesn’t return the preceding entry, verify that PCoIP Standard Agent for Windows is running.

You can also run the following command to see if all dependencies are running:

tasklist | findstr "pcoip"

Expected output:

pcoip_agent.exe

You might also receive this error on the Amazon WorkSpaces client after a long delay if the WorkSpaces security group is modified to restrict outbound traffic.

An outbound traffic restriction prevents Windows from communicating with your directory controllers for login.

Verify that your security groups allow your WorkSpaces to communicate with your directory controllers on all required ports over its primary network interface.

“This device is not authorized to access the WorkSpace. Please contact your administrator for assistance.”

This error indicates that IP access control groups are configured on your WorkSpace directory, but the client IP address isn’t on an allow list.

Check the settings on your directory.

Confirm that the public IP address the user is connecting from allows access to the WorkSpace.

Note: By default, Linux client access is disabled.

[Need help with the process? We’d be happy to assist]

Conclusion

In short, we saw how our Support Techs resolve Authentication error in Amazon.