The System Cannot Contact a Domain Controller to Service the Authentication Request

This page discusses the issue where FSLogix profile storage fails to load on an AVD session host, accompanied by the error message: "The system cannot contact a domain controller to service the authentication request." It includes identification steps, root causes, and a resolution guide.

Issue Description

While configuring FSLogix profile storage following the official Microsoft documentation, FSLogix on an AVD session host was unable to load the user profile. Upon further investigation through the FSLogix logs, the following error message was identified:

The system cannot contact a domain controller to service the authentication request.

This same error appeared when attempting to map the file share directly on the AVD session host.

Steps to Identify the Issue

  1. Access FSLogix Logs:
    • Navigate to C:\Program Files\FSLogix\Apps.
    • Locate and run frxtray.exe.
    • Open the application in the system tray, select Advanced View, and navigate to the Profile option on the left.
  2. Confirm the error message within the logs.

Root Cause

The issue was traced to the application’s inability to authenticate with Microsoft Entra ID (formerly Azure AD). The Entra ID sign-in logs for the affected user revealed the following error:

Sign-in error code: 90008
Failure reason: The user or administrator has not consented to use the application with ID '{appId}' ({appName}). This happened because the application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission.

This indicates that the storage account application used for FSLogix profile storage was not granted the necessary permissions in Entra ID to enable user sign-ins and profile loading.

Resolution

To resolve this issue, follow these steps:

Step 1: Update API Permissions in Entra ID

  1. Navigate to the Azure Portal.
  2. Go to Microsoft Entra ID > App registrations > View all applications in the directory.
  3. Locate the application ID referenced in the error logs (“{appId}” or “{appName}”).
  4. Select the application and navigate to the API Permissions section.
  5. Click Add a permission and choose Microsoft Graph.
  6. Under Delegated permissions, expand the User category.
  7. Select User.Read.
    • This permission allows the app to:
      • Sign users in.
      • Read the profiles of signed-in users.
      • Access basic company information of signed-in users.

Step 2: Grant Admin Consent

  1. After adding the permission, click Grant admin consent for [your organisation’s name] in the API Permissions section.
  2. Confirm the action to ensure the application can access the required resources without individual user consent.

Step 3: Verify Changes

  1. Restart the FSLogix services on the AVD session host.
  2. Attempt to sign in again to confirm that the profiles load correctly.
  3. Check for any residual errors in the FSLogix logs to ensure all issues have been resolved.
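The portal clicks in Steps 1 and 2 can also be done from the Microsoft Graph PowerShell SDK, which is handy when several storage account app registrations need the same fix or when you want a record of what was changed. The following script is an added example, not part of the original page or of Microsoft's documentation; it assumes the Graph PowerShell modules are installed, that the account running it can update app registrations and grant tenant-wide consent, and that the `{appId}` placeholder is replaced with the application ID from the 90008 sign-in error.

```powershell
# Added example: add the Microsoft Graph 'User.Read' delegated permission to the
# storage account app registration and grant tenant-wide admin consent for it.
$AppId      = "{appId}"                                  # placeholder: appId from the 90008 sign-in error
$GraphAppId = "00000003-0000-0000-c000-000000000000"     # Microsoft Graph resource application ID
$UserReadId = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"     # delegated scope ID of User.Read

Connect-MgGraph -Scopes "Application.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All" -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found with appId $AppId" }

# Step 1: Update-MgApplication replaces the whole requiredResourceAccess collection,
# so copy the existing entries first and only append what is missing.
$required = @(foreach ($r in $app.RequiredResourceAccess) {
    @{ ResourceAppId  = $r.ResourceAppId
       ResourceAccess = @($r.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) }
})
$graph = $required | Where-Object { $_.ResourceAppId -eq $GraphAppId }
if ($graph) {
    if (-not ($graph.ResourceAccess | Where-Object { $_.Id -eq $UserReadId })) {
        $graph.ResourceAccess += @{ Id = $UserReadId; Type = "Scope" }
    }
} else {
    $required += @{ ResourceAppId = $GraphAppId; ResourceAccess = @(@{ Id = $UserReadId; Type = "Scope" }) }
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# Step 2: admin consent is an oauth2PermissionGrant of ConsentType AllPrincipals between the
# app's service principal (client) and the Microsoft Graph service principal (resource).
$sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $sp -or -not $graphSp) { throw "Service principal for the app or for Microsoft Graph not found" }

$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals' and resourceId eq '$($graphSp.Id)'"
if ($grant) {
    # Scope is a space-separated list; extend it rather than overwrite other consented scopes.
    if (-not (($grant.Scope -split '\s+') -contains 'User.Read')) {
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ("$($grant.Scope) User.Read".Trim())
    }
} else {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" -ResourceId $graphSp.Id -Scope "User.Read" | Out-Null
}

# Verification: the tenant-wide grant for this app should now list User.Read.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" | Select-Object ConsentType, Scope
```

Once the grant shows `AllPrincipals` with `User.Read` in its scope, continue with Step 3 on the session host; a 90008 entry that still appears in the Entra sign-in logs afterwards means the sign-in is using a different application ID than the one updated here.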

Conclusion

The FSLogix profile loading issue was resolved by correctly configuring the permissions for the associated storage account application in Microsoft Entra ID. Ensuring that the application has the User.Read permission for Microsoft Graph satisfies the requirement to “Sign in and read user profile,” as specified in the error logs. This enables FSLogix to authenticate successfully and load user profiles on the AVD session host. Further reading: User and admin consent in Microsoft Entra ID.
