A customer had an AD Domain joined fleet and configured through SAML (the only way you CAN log into an AD joined fleet) and after the password prompt the session was looping and asking for their domain credentials over and over again.
After investigating the provided troubleshooting steps something was still blocking the AD joined fleet from logging in at the domain password prompt, though authentication was fine for the Image builders.
As a prerequisite for AD Domain joined fleets you cannot have an AD Logon banner displayed as it prevents the AppStream service from connecting into / accessing the streamed desktop.
In some scenarions customers will have the logon banner only display for Users and not Administrators (so you never see the prompt on an Image builder for example even if its in the same OU and of course the GPOs dont apply when accessing the Image builder with the built in AppStream administrator/template user/test users.
Snippet from the Prerequisites Page specific to this scenario: (please use the above URL for the most up to date information)
Group Policy Settings
- Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Disable or Enable software Secure Attention Sequence — Set this to Enabled for Services.
- Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers — Ensure that the following CLSID is not listed:
- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message text for users attempting to log on — Set this to Not defined.
- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message title for users attempting to log on — Set this to Not defined.
As part of a simple deployment or for your simple proof of concepts we recommend you simply ensure the OU your AppStream computer objects are being created under has GPO inheritance blocked and there are no higher level GPOS forced to apply. Get the service running and confirmed as accessible and then slowly start applying the company requried GPOS for look feel and security.