Azure Files and FSLogix profile VHDX (Kerberos authentication) losing connection

Setup:

We deployed 2 multi-session host VMs with NVIDIA GPUs and 110 GB RAM (CPU SKU = NC16as T4 v3).

The session hosts (pooled AVD configuration) are joined to Entra ID and receive policies through Intune. Most of the time everything works fine.

The AVD doc we followed: https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts

Azure Files storage account (premium tier), 1 TB volume, 200 MiB/s throughput. Configuration doc: https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

All AVD users are created in a traditional AD DC (deployed in Azure) and then synced to Entra ID through Entra ID Connect. We followed this doc to enable Kerberos authentication on the Azure Files storage account; every section was completed, and the AD DC security groups (used for ACL assignment on the storage account share) are all synced to Entra ID. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal

Problem:

Users' profile.vhdx files (stored in Azure Files) randomly disconnect, and the VM session crashes because Windows cannot write to the user profile in C:\users\username. The same thing happened to three different users logged on to the same session host VM.

These users were all disconnected within the same hour. They had all logged on within the same hour, about 7 hours earlier.

klist shows no Kerberos ticket for this storage account; it simply disappeared and was not refreshed. My guess is that Windows falls back to NTLM authentication and cannot reach a DC, because the session host is not joined to the on-premises AD domain but to Entra ID.

Did Azure Files have an outage? Did our AD DC have an outage and fail to respond with a refreshed Kerberos ticket?

From the FSLogix log:

[20:35:08.091][tid:00001270.00001274][INFO]           Configuration Read (DWORD): SOFTWARE\FSLogix\Profiles\ReAttachRetryCount.  Data: 3
[20:35:08.091][tid:00001270.00001274][INFO]           Configuration Read (DWORD): SOFTWARE\FSLogix\Profiles\ReAttachIntervalSeconds.  Data: 15
[20:35:08.091][tid:00001270.00001274][INFO]           ===== Begin Session: Volume re-attach
[20:35:08.093][tid:00001270.00001274][INFO]            Session configuration read (DWORD): SOFTWARE\FSLogix\Profiles\Sessions\S-1-12-8-1199028510-1098096551-2196708500-1227410091\LogonStage = '5'(Logon_Complete)
[20:35:08.094][tid:00001270.00001274][INFO]            Session configuration read (DWORD): SOFTWARE\FSLogix\Profiles\Sessions\S-1-12-8-1827290170-1117134380-2978440076-3511415481\LogonStage = '5'(Logon_Complete)
[20:35:08.094][tid:00001270.00001274][INFO]            Session configuration read (DWORD): SOFTWARE\FSLogix\Profiles\Sessions\S-1-12-8-946945468-1263498019-3621207431-xxxx\LogonStage = '5'(Logon_Complete)
[20:35:08.095][tid:00001270.00001274][INFO]            Attempting re-attach of volume: \\?\Volume{33b768bd-fc58-444c-87ac-b40e906720eb}\ for SID: S-1-12-8-946945468-1263498019-3621207431-xxxx
[20:35:08.095][tid:00001270.00001274][INFO]            Configuration setting not found: SOFTWARE\FSLogix\Profiles\LogonSyncMutexTimeout.  Using default: 60000
[20:35:08.095][tid:00001270.00001274][INFO]            Acquired reattach virtual disk lock for user sturner (SID=S-1-12-8-946945468-1263498019-3621207431-xxxx) (Elapsed time: 0)
[20:35:08.095][tid:00001270.00001274][INFO]            VHDPath: \\sa.file.core.usgovcloudapi.net\profiles\S-1-12-8-946945468-1263498019-3621207431-xxxx_sturner\Profile_sturner.VHDX
[20:35:08.105][tid:00001270.00001274][INFO]            Username: sturner
[20:35:08.105][tid:00001270.00001274][INFO]            Attempting re-attach as the user
[20:35:08.105][tid:00001270.00001274][INFO]            Retry Count: 3  Retry Interval (seconds): 15
[20:35:08.113][tid:00001270.00001274][INFO]            Unsuccessful re-attach attempt.  Retry in 15 seconds.
[20:35:23.115][tid:00001270.00001274][INFO]            Retrying re-attach (1 of 3)
[20:35:23.115][tid:00001270.00001274][ERROR:000004f1]  Failed to read WindowsSessionID (The system cannot contact a domain controller to service the authentication request. Please try again later.)
[20:38:23.385][tid:00001270.000042e4][ERROR:00000003]   Unable to check free disk space for vhd(x): \\sa.file.core.usgovcloudapi.net\profiles\S-1-12-8-946945468-1263498019-3621207431-xxxx_sturner\Profile_sturner.VHDX (The system cannot find the path specified.)
[20:38:23.390][tid:00001270.000042e4][INFO]             Profile refcount decremented to: 0
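Added diagnostic, not part of the original post or of FSLogix: a PowerShell script to run on the session host that checks the things the question turns on, namely whether a cached Kerberos service ticket for the storage account's CIFS SPN exists, whether a fresh one can be obtained, whether cloud Kerberos ticket retrieval is enabled on the Entra-joined host (the setting the linked Microsoft doc has you push), the FSLogix re-attach values the log reported, SMB reachability on port 445, and recent Kerberos errors in the System log. The storage account FQDN is the one from the log above; the parameter names, the output field names and the 12-hour lookback are my own choices.

```powershell
# Added diagnostic (hypothetical, not from the post). Run elevated on the AVD session host.
# $StorageFqdn defaults to the storage endpoint seen in the FSLogix log above.
param(
    [string]$StorageFqdn = 'sa.file.core.usgovcloudapi.net',
    [switch]$RequestTicket   # when set, ask the KDC for a fresh CIFS ticket via 'klist get'
)

$spn    = "cifs/$StorageFqdn"
$result = [ordered]@{ StorageFqdn = $StorageFqdn; Spn = $spn }

# 1. Is there a cached Kerberos ticket for the storage account's CIFS SPN?
#    klist prints one "Server: <spn> @ <realm>" line per cached ticket.
$klist = klist 2>&1 | Out-String
$result.HasCifsTicket = [bool]($klist -imatch "Server:\s+$([regex]::Escape($spn))\s*@")

# 2. Optional: try to obtain one now. If this fails, the client cannot get a service
#    ticket at the moment, which is what the FSLogix re-attach in the log ran into
#    ("The system cannot contact a domain controller ...").
if ($RequestTicket) {
    $get = klist get $spn 2>&1 | Out-String
    $result.TicketRequestSucceeded = [bool]($get -imatch "Server:\s+$([regex]::Escape($spn))")
}

# 3. Cloud Kerberos ticket retrieval must be on for Entra-joined hosts to get Azure Files
#    tickets; the linked Microsoft doc sets this value (DWORD 1) through Intune/GPO.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$result.CloudKerberosTicketRetrievalEnabled =
    (Get-ItemProperty -Path $lsaKey -Name CloudKerberosTicketRetrievalEnabled `
        -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled

# 4. FSLogix re-attach settings the log reported (3 retries, 15 s interval in the post).
$fsl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$result.ReAttachRetryCount      = $fsl.ReAttachRetryCount
$result.ReAttachIntervalSeconds = $fsl.ReAttachIntervalSeconds

# 5. Network path: SMB over TCP 445 to the storage endpoint, plus any live SMB sessions to it.
$tnc = Test-NetConnection -ComputerName $StorageFqdn -Port 445 -WarningAction SilentlyContinue
$result.Smb445Reachable    = $tnc.TcpTestSucceeded
$result.OpenSmbConnections = @(Get-SmbConnection -ErrorAction SilentlyContinue |
    Where-Object ServerName -eq $StorageFqdn).Count

# 6. Kerberos client errors logged in the last 12 hours (lookback is an arbitrary choice).
$since = (Get-Date).AddHours(-12)
$result.RecentKerberosEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since
    } -ErrorAction SilentlyContinue).Count

[pscustomobject]$result | Format-List
```

Run it first as the affected user (the CIFS ticket lives in that user's logon session, so `HasCifsTicket` from an admin session says nothing about the user's session) and again with `-RequestTicket` right after a failure; a host where `CloudKerberosTicketRetrievalEnabled` is missing or 0, or where `TicketRequestSucceeded` is false while port 445 is reachable, points at ticket issuance rather than at the storage endpoint itself.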
