SAML SSO not signing in users to a single server

Discussion in 'Parallels Remote Application Server' started by ScottR18, Nov 30, 2021.

  1. ScottR18

    ScottR18 Bit poster

    We are testing SAML SSO (via Azure AD) in a test environment. We have everything set up exactly according to the documentation, and overall it's working well. This is on the latest RAS version -, Client
    We've come across one nagging issue - a single server won't allow users to log in. When users try to connect to that server (HTML5 or Client), it throws the generic error 'To Sign-in remotely, you need the right to sign in through Remote Desktop Services'... If they hit OK on the error message - they're at the login screen with the NLAUser already put in.
    This is only affecting a single server (2022, only set up a few weeks ago). Other 2022 servers work fine (at first we thought it could be a problem with WS2022).
    This server is in the same OU and has the same policies as all of our other servers. We've confirmed the NLAUser account is added to the local 'Remote Desktop Users' group, but is also in the GPO that DENIES login via Remote Desktop services (as per documentation). Again - this is working fine on all other machines. We're scratching our heads at this one.
    We've tried clearing GPO, clearing the local secpol database... Remove/re-add the NLAUser... Reapply GPO... Rebooted a million times, removed and re-added the Parallels SH agent (as well as PC agent - this machine doesn't allow logins as a Session host server or via the PC Agent).
    Nothing apparent in the security logs. We set the enrollment server to verbose logging - nothing apparent in there.
    Any ideas as to why this single server is acting this way? I'd like to try and troubleshoot this issue, in case it happens again. We could replace the server and set it up again, but it's got a critical application on it that's a PITA to re-install.
    Thoughts or ideas?
  2. ScottR18

    ScottR18 Bit poster

    Update: Turns out our Anti-Virus (Sophos) was messing this up. Once disabled, logins worked flawlessly on the remaining server. Other server did not yet have Sophos Endpoint installed.
  3. BrianK28

    BrianK28 Bit poster

    Hi ScottR18, did you ever find a solution to this issue other than disabling Sophos? I'm running into this exact problem and I have removed Sophos to verify that it works without Sophos; however, my security team is not going to allow disabling our AV solution to make this work. Any help is appreciated, thanks.
  4. ChristianH32

    ChristianH32 Member

