UPN Lookup failed (Intermittently) #2009

Open
akrytus opened this issue Dec 8, 2022 · 2 comments
akrytus commented Dec 8, 2022

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

Users connect from AVD host using FileZilla to OSSH server using AD authentication.

Expected behavior

All domain users in security group are authenticated

Actual behavior

This works for ALL USERS most of the time.

A few times a day however, NO USERS can connect for a period of 5-10 minutes. During this time UPN lookup errors are logged (as seen below). Microsoft reviewed the configuration and NSG rules and agreed everything is correct. (TrackingID#2211180040004104) Microsoft has requested that I look for help on GitHub.

Error details

This example shows the same user logged in at 10:21 successfully but could not at 16:19 on the same day.

13816 2022-12-07 10:21:35.710 debug3: lookup_principal_name: Successfully discovered explicit principal name: 'abc\rpervez'=>'[email protected]'
13816 2022-12-07 10:21:35.711 debug3: LsaLogonUser Succeeded (Impersonation: 0)

11372 2022-12-07 16:19:21.600 debug3: checking match for 'Group administrators' user mission-ag\rpervez host 172.16.4.7 addr 172.16.4.7 laddr 172.16.5.4 lport 22
11372 2022-12-07 16:19:21.621 error: lookup_principal_name: User principal name lookup failed for user 'abc\rpervez' (explicit: 1355, implicit: 1355)
11372 2022-12-07 16:19:21.621 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'abc\rpervez' Status: 0xC0000062 SubStatus 0.
11372 2022-12-07 16:19:21.621 debug3: get_user_token - unable to generate token for user abc\rpervez

Environment data

DC1/DC2: On Subnet 1 with NSG1
OpenSSH Server: Domain joined Windows Server 2022 on Subnet 2 with NSG2
Host: Windows 10 AVD host on Subnet3 with NSG3
Client: FileZilla
Note: All subnets are on the same vnet

Version

8.9.1.0

Visuals

No response
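
One way to measure the outage windows described in this report from the sshd debug log, as an added example (not code from the issue or from the OpenSSH project): it decodes the two codes in the quoted lines (Win32 error 1355 is ERROR_NO_SUCH_DOMAIN, NTSTATUS 0xC0000062 is STATUS_INVALID_ACCOUNT_NAME) and merges nearby failures into windows. The function names, the 2-minute gap and the `abc\jdoe` sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Meanings of the two codes in the log lines quoted in this issue.
WIN32 = {1355: "ERROR_NO_SUCH_DOMAIN"}  # domain missing or no DC could be contacted
NTSTATUS = {0xC0000062: "STATUS_INVALID_ACCOUNT_NAME"}

LINE = re.compile(r"^\d+ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \w+: (.*)$")
UPN_FAIL = re.compile(r"lookup_principal_name: User principal name lookup failed "
                      r"for user '([^']+)' \(explicit: (\d+), implicit: (\d+)\)")
LSA_FAIL = re.compile(r"LsaLogonUser\(\) failed\. User '([^']+)' Status: (0x[0-9A-Fa-f]+)")

# Sample input: the 10:21 and 16:19 lines are from the issue, the jdoe lines are constructed.
SAMPLE = r"""
13816 2022-12-07 10:21:35.711 debug3: LsaLogonUser Succeeded (Impersonation: 0)
11372 2022-12-07 16:19:21.621 error: lookup_principal_name: User principal name lookup failed for user 'abc\rpervez' (explicit: 1355, implicit: 1355)
11372 2022-12-07 16:19:21.621 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'abc\rpervez' Status: 0xC0000062 SubStatus 0.
11400 2022-12-07 16:20:05.102 error: lookup_principal_name: User principal name lookup failed for user 'abc\jdoe' (explicit: 1355, implicit: 1355)
11999 2022-12-07 18:40:10.000 error: lookup_principal_name: User principal name lookup failed for user 'abc\jdoe' (explicit: 1355, implicit: 1355)
""".splitlines()

def parse_failures(lines):
    """Return (timestamp, user, decoded code) for each failed lookup or logon."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        if u := UPN_FAIL.search(m.group(2)):
            code = int(u.group(2))  # the "explicit" Win32 error code
            events.append((ts, u.group(1), WIN32.get(code, f"win32 {code}")))
        elif s := LSA_FAIL.search(m.group(2)):
            code = int(s.group(2), 16)
            events.append((ts, s.group(1), NTSTATUS.get(code, hex(code))))
    return events

def outage_windows(events, max_gap=timedelta(minutes=2)):
    """Merge failures at most max_gap apart into [start, end, users] windows."""
    windows = []
    for ts, user, _ in sorted(events):
        if windows and ts - windows[-1][1] <= max_gap:
            windows[-1][1] = ts
            windows[-1][2].add(user)
        else:
            windows.append([ts, ts, {user}])
    return windows

if __name__ == "__main__":
    for start, end, users in outage_windows(parse_failures(SAMPLE)):
        print(start, end, sorted(users))
```

A window that covers several distinct users points at domain controller reachability from the SSH server rather than at one account, and its start and end times can be lined up with DC, DNS and NSG flow logs.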

tofDou commented Mar 6, 2024

Equivalent issue on my side, but I was originally thinking that the problem was that my Active Directory was not reachable when the problem occurs.
Did you try to force a network disconnection from your network infra to reproduce the behaviour?

@DRSDavidSoft
Is there a possibility to entirely disable UPN lookup on a machine that is not a member of, and probably never will be a member of, an AD?

I'd like to resolve this: #1629
