AWS WorkSpaces logs

Troubleshoot WorkSpaces client issues

The following are common issues that you might have with your WorkSpaces client.

Issues

  • I didn't receive an email with my Amazon WorkSpaces registration code
  • The Amazon WorkSpaces Application Manager client application isn't appearing on my Windows WorkSpace desktop
  • I don't see any applications listed in the Amazon WorkSpaces Application Manager client application
  • After logging in, the Windows client application displays only a white page and I cannot connect to my WorkSpace
  • My WorkSpaces client gives me a network error, but I am able to use other network-enabled apps on my device
  • It sometimes takes several minutes to log in to my Windows WorkSpace
  • When I try to log in, the Amazon WorkSpaces Windows client gets stuck on the "Preparing your login page" screen
  • When I try to log in, I get the error message: "No network. Network connection lost. Check your network connection or contact your administrator for help."
  • The Amazon WorkSpaces Windows client application login page is very tiny
  • I see the following error message: "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes."
  • Sometimes I am logged off of my Windows WorkSpace, even though I closed the session, but did not log off
  • I forgot my password and tried to reset it, but I didn’t receive an email with a reset link
  • I can't connect to the internet from my WorkSpace
  • I installed a third-party security software package and now I can't connect to my WorkSpace
  • I am getting a "network connection is slow" warning when connected to my WorkSpace
  • I got an "invalid certificate" error on the client application. What does that mean?
  • I'm having trouble when I try to connect to my Windows WorkSpace using Web Access
  • I see the following error message: "Device can't connect to the registration service. Check your network settings."
  • I skipped an update to my client application and am having trouble updating my client to the latest version
  • My headset doesn't work in my WorkSpace
  • I am unable to install the Android client application on my Chromebook
  • I'm getting the wrong characters when I type; for example, I get \ and | when I try to type quotation marks (' and ")
  • The WorkSpaces client application won't run on my Mac
  • I'm having trouble using the Windows logo key in Windows WorkSpaces when working on a Mac
  • My WorkSpace looks blurry on my Mac
  • I'm having trouble copying and pasting
  • My screen is flickering or not updating properly, or my mouse isn't clicking in the right place

I didn't receive an email with my Amazon WorkSpaces registration code

Contact your WorkSpaces administrator for assistance.

The Amazon WorkSpaces Application Manager client application isn't appearing on my Windows WorkSpace desktop

The Amazon WAM shortcut should be installed on the Windows WorkSpaces client desktop. If the shortcut isn't on the client desktop, see Troubleshooting Amazon WAM Issues in the Amazon WAM User Guide.

I don't see any applications listed in the Amazon WorkSpaces Application Manager client application

Choose MY APPS to see the applications that your admin has specified to install by default on your WorkSpace. Choose DISCOVER to see the applications that your admin has made available for you to install.

After logging in, the Windows client application displays only a white page and I cannot connect to my WorkSpace

This problem can be caused by expired Verisign/Symantec certificates on your client computer (not your WorkSpace). Remove the expired certificate and launch the client application again.

To find and remove expired Verisign/Symantec certificates

  1. In the Windows Control Panel on your client computer (not your WorkSpace), choose Network and Internet.

  2. Choose Internet Options.

  3. In the Internet Properties dialog box, choose Content, Certificates.

  4. In the Certificates dialog box, choose the Intermediate Certificate Authorities tab. In the list of certificates, select all certificates that were issued by Verisign or Symantec that are also expired, and choose Remove. Do not remove any certificates that are not expired.

  5. On the Trusted Root Certificate Authorities tab, select all certificates that were issued by Verisign or Symantec that are also expired, and choose Remove. Do not remove any certificates that are not expired.

  6. Close the Certificates dialog box and the Internet Properties dialog box.

My WorkSpaces client gives me a network error, but I am able to use other network-enabled apps on my device

The WorkSpaces client applications rely on access to resources in the AWS Cloud, and require a connection that provides at least 1 Mbps download bandwidth. If your device has an intermittent connection to the network, the WorkSpaces client application might report an issue with the network.

WorkSpaces enforces the use of digital certificates issued by Amazon Trust Services, as of May 2018. Amazon Trust Services is already a trusted Root certificate authority (CA) on the operating systems that are supported by WorkSpaces. If the Root CA list for your operating system is not up to date, your device cannot connect to WorkSpaces and the client gives a network error.

To recognize connection issues due to certificate failures

  • PCoIP zero clients — The following error message is displayed:

    Failed to connect. The server provided a certificate that is invalid. See below for details:
    - The supplied certificate is invalid due to timestamp
    - The supplied certificate is not rooted in the devices local certificate store

  • Other clients — The health checks fail with a red warning triangle for Internet.

To resolve certificate failures

Use one of the following solutions for certificate failures.

  • For the Windows client, download and install the latest Windows client application from Amazon WorkSpaces Client Downloads. During installation, the client application ensures that your operating system trusts certificates issued by Amazon Trust Services. If updating your client does not resolve the issue, contact your Amazon WorkSpaces administrator.

  • For all other clients, contact your Amazon WorkSpaces administrator.

It sometimes takes several minutes to log in to my Windows WorkSpace

Group Policy settings that are set by your system administrator can cause a delay on login after your Windows WorkSpace has been launched or rebooted. This delay occurs while the Group Policy settings are being applied to the WorkSpace, and is normal.

When I try to log in, the Amazon WorkSpaces Windows client gets stuck on the "Preparing your login page" screen

When starting versions 3.0.4 and 3.0.5 of the WorkSpaces Windows client application on a Windows 10 machine, the client might get stuck on the "Preparing your login page" screen. To avoid this issue, either upgrade to version 3.0.6 of the Windows client application or do not run the Windows client application with administrator (elevated) privileges.

When I try to log in, I get the error message: "No network. Network connection lost. Check your network connection or contact your administrator for help."

When you try to log in to your WorkSpace using some 3.0+ versions of the Windows, macOS, and Linux WorkSpaces client applications, you might receive a "No network" error on the login page if you have specified a custom proxy server.

  • Windows client — To avoid this issue with the Windows client, upgrade to version 3.0.12 or later. For more information about configuring the proxy server settings in the Windows client, see Proxy Server for Windows Client.

  • macOS client — To work around this issue, use the proxy server that's specified in the device operating system instead of using a custom proxy server. For more information about configuring the proxy server settings in the macOS client, see Proxy Server for macOS Client.

  • Linux client — To avoid this issue with the Linux client, upgrade to version 3.1.5 or later. If you can't upgrade, you can work around this issue by using the proxy server that's specified in the device operating system instead of using a custom proxy server. For more information about configuring the proxy server settings in the Linux client, see Proxy Server for Linux Client.

The Amazon WorkSpaces Windows client application login page is very tiny

Running the WorkSpaces Windows client with administrator (elevated) privileges might result in viewing issues in high DPI environments. To avoid these issues, run the client in user mode instead.

I see the following error message: "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes."

If you just started or restarted your WorkSpace, wait a few minutes, and then try to log in again.

If you continue to receive this error message, you can try the following actions (if your WorkSpaces administrator has enabled you to do them):

If you are unable to restart or rebuild the WorkSpace yourself, or if you continue to see the error message after doing so, contact your WorkSpaces administrator for assistance.

Sometimes I am logged off of my Windows WorkSpace, even though I closed the session, but did not log off

Your system administrator applied a new or updated Group Policy setting to your Windows WorkSpace that requires a logoff of a disconnected session.

I forgot my password and tried to reset it, but I didn’t receive an email with a reset link

Contact your WorkSpaces administrator for assistance.

I can't connect to the internet from my WorkSpace

WorkSpaces cannot communicate with the internet by default. Your Amazon WorkSpaces administrator must explicitly provide internet access.

I installed a third-party security software package and now I can't connect to my WorkSpace

You can install any type of security or firewall software on your WorkSpace, but WorkSpaces requires that certain inbound and outbound ports are open on the WorkSpace. If the security or firewall software that you install blocks these ports, the WorkSpace might not function correctly or might become unreachable. For more information, see Port Requirements for WorkSpaces in the Amazon WorkSpaces Administration Guide.

To restore your WorkSpace, rebuild your WorkSpace if you still have access to it, or ask your Amazon WorkSpaces administrator to rebuild your WorkSpace. You then have to reinstall the software and properly configure port access for your WorkSpace.

I am getting a "network connection is slow" warning when connected to my WorkSpace

If the round-trip time from your client to your WorkSpace is longer than 100ms, you can still use your WorkSpace, but this might result in a poor experience. A slow round-trip time can be caused by many factors, but the following are the most common causes:

  • You are too far from the AWS Region that your WorkSpace resides in. For the best WorkSpace experience, you should be within 2,000 miles of the AWS Region that your WorkSpace is in.

  • Your network connection is inconsistent or slow. For the best experience, your network connection should provide at least 300 kbps, with capability to provide over 1 Mbps when viewing video or using graphics-intensive applications on your WorkSpace.

I got an "invalid certificate" error on the client application. What does that mean?

The WorkSpaces client application validates the identity of the WorkSpaces service through an SSL/TLS certificate. If the root certificate authority of the Amazon WorkSpaces service cannot be verified, the client application displays an error and prevents any connection to the service. The most common cause is a proxy server that is removing the root certificate authority and returning an incomplete certificate to the client application. Contact your network administrator for assistance.

I'm having trouble when I try to connect to my Windows WorkSpace using Web Access

Windows WorkSpaces rely on a specific login screen configuration to enable you to log in from your Web Access client. Your Amazon WorkSpaces administrator might need to configure Group Policy and Security Policy settings to enable you to log in to your WorkSpace from your Web Access client. If these settings are not correctly configured, you might experience long login times or black screens when you try to log in to your WorkSpace. Contact your Amazon WorkSpaces administrator for assistance.

Important

Beginning October 1, 2020, customers will no longer be able to use the Amazon WorkSpaces Web Access client to connect to Windows 7 custom WorkSpaces or to Windows 7 Bring Your Own License (BYOL) WorkSpaces.

I see the following error message: "Device can't connect to the registration service. Check your network settings."

When a registration service failure occurs, you might see the following error message on the Connection Health Check page: "Your device is not able to connect to the WorkSpaces Registration service. You will not be able to register your device with WorkSpaces. Please check your network settings."

This error occurs when the WorkSpaces client application can't reach the registration service. Contact your Amazon WorkSpaces administrator for assistance.

I skipped an update to my client application and am having trouble updating my client to the latest version

If you've skipped an update to your Amazon WorkSpaces Windows client application and now want to update to the latest version of the client, see Update the WorkSpaces Windows client application to a newer version.

If you've skipped an update to your Amazon WorkSpaces macOS client application and now want to update to the latest version of the client, see Update the WorkSpaces macOS client application to a newer version.

My headset doesn't work in my WorkSpace

If you're using the Android, iPad, macOS, Linux, or Windows client application for Amazon WorkSpaces, and you're having trouble using your headset in your WorkSpace, try the following steps:

  1. Disconnect from your WorkSpace (choose Amazon WorkSpaces, Disconnect WorkSpace).

  2. Unplug your headset, and then plug it back in. Verify that it works on your local computer or tablet. For a USB headset, make sure that it shows up as a playback device locally on your computer or tablet:

    • For Windows, check the devices listed in the Control Panel under Hardware and Sound > Sound. In the Sound dialog box, choose the Playback tab.

    • For macOS, choose the Apple menu > System Preferences > Sound > Output.

    • For iPad, open the Control Center and tap the AirPlay button.

    • For Chromebook, open the system tray, and then choose the headphone icon next to the volume slider. Select the devices that you want to use for audio input and output.

  3. Reconnect to your WorkSpace.

Your headset should now work in your WorkSpace. If you're still having trouble with your headset, contact your WorkSpaces administrator.

Note

Audio currently is not supported on Linux WorkSpaces using the WorkSpaces Streaming Protocol (WSP).

I am unable to install the Android client application on my Chromebook

Version 2.4.13 is the final release of the Amazon WorkSpaces Chromebook client application. Because Google is phasing out support for Chrome Apps, there will be no further updates to the WorkSpaces Chromebook client application, and its use is unsupported.

For Chromebooks that support installing Android applications, we recommend using the WorkSpaces Android client application instead.

If you are using a Chromebook launched before 2019, see the installation steps for Chromebooks launched before 2019 before attempting to install the Amazon WorkSpaces Android client application.

In some cases, your WorkSpaces administrator might need to enable your Chromebook to install Android applications. If you are unable to install the Android client application on your Chromebook, contact your WorkSpaces administrator for assistance.

I'm getting the wrong characters when I type; for example, I get \ and | when I try to type quotation marks (' and ")

This behavior might occur if your device is not set to the same language as your WorkSpace, or if you're using a language-specific keyboard, such as a French keyboard.

To resolve this issue, see Amazon WorkSpaces language and keyboard support.

The WorkSpaces client application won't run on my Mac

If you try to run older versions of the WorkSpaces client application on your Mac, the client application might not start, and you might receive security warnings such as the following:

"WorkSpaces.app will damage your computer. You should move it to the Trash."

"WorkSpaces.app is damaged and can't be opened. You should move it to the Trash."

If you use macOS 10.15 (Catalina) or later, you must use version 3.0.2 or later of the macOS client.

Versions 2.5.11 and earlier of the macOS client can no longer be installed on macOS devices. These versions also no longer work on devices with macOS Catalina or later.

If you are using version 2.5.11 or earlier and you upgrade from an older version of macOS to Catalina or later, you will no longer be able to use the 2.5.11 or earlier client.

To resolve this issue, we recommend that affected users upgrade to the latest version of the macOS client that is available for download at Amazon WorkSpaces Client Downloads.

For more information about installing or updating the macOS client, see Setup and installation.

I'm having trouble using the Windows logo key in Windows WorkSpaces when working on a Mac

By default, the Windows logo key on a Windows keyboard and the Command key on an Apple keyboard are both mapped to the Ctrl key when you're using the Amazon WorkSpaces macOS client application. If you want to change this behavior so that these two keys are mapped to the Windows logo key, see Remap the Windows logo key or the Command key for instructions on how to remap these keys.

My WorkSpace looks blurry on my Mac

If your screen resolution in WorkSpaces is low and objects look blurry, you need to turn on high DPI mode and adjust the display scaling settings on your Mac. For more information, see WorkSpaces high DPI display support.

I'm having trouble copying and pasting

If you are having trouble copying and pasting, confirm the following to help solve your issue:

  • Your administrator has enabled clipboard redirection for your WorkSpace.

    Note

    Clipboard redirection isn’t supported in the WorkSpaces Linux client application.

  • The uncompressed object size is under the maximum of 20 MB.

  • The data type that you copied is supported for clipboard redirection. For a list of supported data types, see Understanding Cloud Access Software Copy/Paste Feature in the Teradici documentation.

My screen is flickering or not updating properly, or my mouse isn't clicking in the right place

If you're using a version of the Amazon WorkSpaces Windows client application prior to version 3.1.4, you might experience the following screen update issues, caused by hardware acceleration:

  • The screen might have flickering black boxes in some places.

  • The screen might not properly update on the WorkSpaces login page, or it might not properly update after you log in to your WorkSpace. You might see artifacts on the screen.

  • Your mouse clicks might not be lined up with the cursor position on the screen.

To address these issues, we recommend upgrading to version 3.1.4 or later of the Windows client application. Starting with version 3.1.4, hardware acceleration is turned off by default in the Windows client application.

However, if you need to enable hardware acceleration in version 3.1.4 or later, for example if you're experiencing slow performance when using the client, see Manage hardware acceleration.

If you need to use version 3.1.3 or earlier of the Windows client application, you can disable hardware acceleration in Windows. To disable hardware acceleration for version 3.1.3 or earlier, see Managing Hardware Acceleration. Disabling hardware acceleration in Windows might affect the performance of other Windows applications.

Source: https://docs.aws.amazon.com/workspaces/latest/userguide/client_troubleshooting.html

Troubleshoot WorkSpaces issues

The following information can help you troubleshoot issues with your WorkSpaces.

Enabling advanced logging

To help troubleshoot issues that your users might experience, you can enable advanced logging on any Amazon WorkSpaces client.

Advanced logging generates log files that contain diagnostic information and debugging-level details, including verbose performance data. For the 1.0+ and 2.0+ clients, these advanced logging files are automatically uploaded to a database in AWS.

Note

To have AWS review the log files that are generated by advanced logging and to receive technical support for issues with your WorkSpaces clients, contact AWS Support. For more information, see AWS Support Center.

Troubleshoot specific issues

The following information can help you troubleshoot specific issues with your WorkSpaces.

I can't create an Amazon Linux WorkSpace because there are non-valid characters in the user name

For Amazon Linux WorkSpaces, user names:

  • Can contain a maximum of 20 characters

  • Can contain letters, spaces, and numbers that are representable in UTF-8

  • Can include the following special characters: _.-#

  • Cannot begin with a dash symbol (-) as the first character of the user name

Note

These limitations do not apply to Windows WorkSpaces. Windows WorkSpaces support the @ and - symbols for all characters in the user name.
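
The user name rules above can be checked before a provisioning request is sent. The following is an added example, not code from AWS or from the original page; the function names and result codes are hypothetical, and it assumes that length is counted in Unicode code points and that "letters" and "numbers" mean Unicode categories L* and N*.

```python
import unicodedata
from typing import Dict, List, Tuple

MAX_LENGTH = 20            # page: "maximum of 20 characters"
ALLOWED_SPECIALS = "_.-#"  # page: permitted special characters


def linux_username_problems(name: str) -> List[str]:
    """Return the page's rules that `name` breaks; an empty list means it passes."""
    try:
        name.encode("utf-8")   # a lone surrogate cannot be encoded as UTF-8
    except UnicodeEncodeError:
        return ["not_utf8"]
    if not name:
        return ["empty"]       # assumption: the page states no minimum length

    problems: List[str] = []
    if len(name) > MAX_LENGTH:  # assumption: length counted in code points
        problems.append("too_long")
    if name.startswith("-"):
        problems.append("leading_dash")

    bad: List[str] = []
    for ch in name:
        if ch == " " or ch in ALLOWED_SPECIALS:
            continue
        # Assumption: "letters" and "numbers" map to Unicode categories L* and N*.
        if unicodedata.category(ch)[0] in ("L", "N"):
            continue
        if ch not in bad:
            bad.append(ch)
    if bad:
        problems.append("invalid_chars:" + "".join(bad))
    return problems


def screen_usernames(names: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a provisioning list into accepted names and rejected name -> problems."""
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    for name in names:
        problems = linux_username_problems(name)
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample input, not taken from any real directory.
SAMPLE_NAMES = ["jane.doe_01", "-svc-build", "user@corp",
                "Jos\u00e9 N\u00fa\u00f1ez", "a" * 21]

if __name__ == "__main__":
    ok, bad_names = screen_usernames(SAMPLE_NAMES)
    print("accepted:", ok)
    for name, why in bad_names.items():
        print("rejected:", repr(name), why)
```

Names typed in decomposed Unicode form contain combining marks, which this check rejects; normalize to NFC first if your directory stores names that way.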

I changed the shell for my Amazon Linux WorkSpace and now I can't provision a PCoIP session

To override the default shell for Linux WorkSpaces, see Override the default shell for Amazon Linux WorkSpaces.

My Amazon Linux WorkSpaces won't start

Starting July 20, 2020, Amazon Linux WorkSpaces will be using new license certificates. These new certificates are compatible only with versions 2.14.1.1, 2.14.7, 2.14.9, and 20.10.6 or later of the PCoIP agent.

If you're using an unsupported version of the PCoIP agent, you must upgrade it to the latest version (20.10.6), which has the latest fixes and performance improvements that are compatible with the new certificates. If you don't make these upgrades by July 20, session provisioning for your Linux WorkSpaces will fail and your end users won't be able to connect to their WorkSpaces.

To upgrade your PCoIP agent to the latest version

  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose WorkSpaces.

  3. Select your Linux WorkSpace, and reboot it by choosing Actions, Reboot WorkSpaces. If the WorkSpace status is , you must choose Actions, Start WorkSpaces first and wait until its status is before you can reboot it.

  4. After your WorkSpace has rebooted and its status is , we recommend that you change the status of the WorkSpace to while you are performing this upgrade. When you are finished, change the status of the WorkSpace to . For more information about mode, see Manual Maintenance.

    To change the status of a WorkSpace to , do the following:

    1. Select the WorkSpace and choose Actions, Modify WorkSpace.

    2. Choose Modify State.

    3. For Intended State, select ADMIN_MAINTENANCE.

    4. Choose Modify.

  5. Connect to your Linux WorkSpace through SSH. For more information, see Enable SSH connections for your Linux WorkSpaces.

  6. To update the PCoIP agent, run the following command:

  7. To verify the agent version and to confirm that the update succeeded, run the following command:

    The verification command should produce the following result:

  8. Disconnect from the WorkSpace and reboot it again.

  9. If you set the status of the WorkSpace to in Step 4, repeat Step 4 and set Intended State to .

If your Linux WorkSpace still fails to start after you upgrade the PCoIP agent, contact AWS Support.

Launching WorkSpaces in my connected directory often fails

Verify that the two DNS servers or domain controllers in your on-premises directory are accessible from each of the subnets that you specified when you connected to your directory. You can verify this connectivity by launching an Amazon EC2 instance in each subnet and joining the instance to your directory using the IP addresses of the two DNS servers.

Launching WorkSpaces fails with an internal error

Check whether your subnets are configured to automatically assign IPv6 addresses to instances launched in the subnet. To check this setting, open the Amazon VPC console, select your subnet, and choose Subnet Actions, Modify auto-assign IP settings. If this setting is enabled, you cannot launch WorkSpaces using the Performance or Graphics bundles. Instead, disable this setting and specify IPv6 addresses manually when you launch your instances.

When I try to register a directory, the registration fails and leaves the directory in an ERROR state

This problem can occur if you're trying to register an AWS Managed Microsoft AD directory that has been configured for multi-Region replication. Although the directory in the primary Region can be successfully registered for use with Amazon WorkSpaces, attempting to register the directory in a replicated Region fails. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

My users can't connect to a Windows WorkSpace with an interactive logon banner

If an interactive logon message has been implemented to display a logon banner, this prevents users from being able to access their Windows WorkSpaces. The interactive logon message Group Policy setting is not currently supported by WorkSpaces. Move the WorkSpaces to an organizational unit (OU) where the Interactive logon: Message text for users attempting to log on Group Policy isn’t applied.

My users can't connect to a Windows WorkSpace

My users receive the following error when they try to connect to their Windows WorkSpaces:

"An error occurred while launching your WorkSpace. Please try again."

This error often occurs when the WorkSpace can't load the Windows desktop using PCoIP. Check the following:

  • This message appears if the PCoIP Standard Agent for Windows service is not running. Connect using RDP to verify that the service is running, that it's set to start automatically, and that it can communicate over the management interface (eth0).

  • If the PCoIP agent was uninstalled, reboot the WorkSpace through the Amazon WorkSpaces console to reinstall it automatically.

  • You might also receive this error on the Amazon WorkSpaces client after a long delay if the WorkSpaces security group was modified to restrict outbound traffic. Restricting outbound traffic prevents Windows from communicating with your directory controllers for login. Verify that your security groups allow your WorkSpaces to communicate with your directory controllers on all required ports over the primary network interface.

Another cause of this error is related to the User Rights Assignment Group Policy. If the following group policy is incorrectly configured, it prevents users from being able to access their Windows WorkSpaces:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

  • Incorrect policy:

    Policy: Access this computer from the network

    Setting: \Domain Computers

    Winning GPO: Allow File Access

  • Correct policy:

    Policy: Access this computer from the network

    Setting: \Domain Users

    Winning GPO: Allow File Access

Note

This policy setting should be applied to Domain Users instead of Domain Computers.

For more information, see Access this computer from the network - security policy setting and Configure security policy settings in the Microsoft Windows documentation.
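
The User Rights Assignment check described above can be run against an exported security template. The following is an added example, not code from AWS or from the original page; it assumes the input is the text of a file produced by `secedit /export /cfg <file> /areas USER_RIGHTS` (or a GPO's GptTmpl.inf), relies on the well-known RIDs 513 (Domain Users) and 515 (Domain Computers), and uses hypothetical function names and verdict strings with constructed sample SIDs.

```python
import re
from typing import Dict, List

RIGHT = "SeNetworkLogonRight"  # "Access this computer from the network"
# Domain-relative SIDs end in a well-known RID:
# 513 = Domain Users, 515 = Domain Computers.
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)
RID_KIND = {"513": "users", "515": "computers"}
NAME_KIND = {"domain users": "users", "domain computers": "computers"}


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right: [holders]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    section = ""
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it.
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights


def holder_kind(entry: str) -> str:
    """Classify one holder as 'users', 'computers' or 'other'."""
    match = DOMAIN_SID.match(entry)
    if match:
        return RID_KIND.get(match.group(1), "other")
    # Some entries may appear as account names, e.g. CORP\Domain Users.
    return NAME_KIND.get(entry.rsplit("\\", 1)[-1].strip().lower(), "other")


def check_network_logon(inf_text: str) -> str:
    """Compare the exported right with the page's correct/incorrect policy."""
    holders = parse_privilege_rights(inf_text).get(RIGHT)
    if holders is None:
        return "not_defined"                      # this template does not set it
    kinds = {holder_kind(h) for h in holders}
    if "users" in kinds:
        return "domain_users_listed"              # the page's correct policy
    if "computers" in kinds:
        return "domain_computers_without_users"   # the page's incorrect policy
    return "review"                               # other principals only


# Constructed samples; the domain SID is made up.
SAMPLE_INCORRECT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-515
SeBackupPrivilege = *S-1-5-32-544
"""
SAMPLE_CORRECT = SAMPLE_INCORRECT.replace("-515", "-513")

if __name__ == "__main__":
    for label, text in (("incorrect", SAMPLE_INCORRECT), ("correct", SAMPLE_CORRECT)):
        print(label, "->", check_network_logon(text))
```

Exported templates are typically UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text in.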

My users are having issues when they try to log on to WorkSpaces from WorkSpaces Web Access

Amazon WorkSpaces relies on a specific logon screen configuration to enable users to successfully log on from their Web Access client.

To enable Web Access users to log on to their WorkSpaces, you must configure a Group Policy setting and three Security Policy settings. If these settings are not correctly configured, users might experience long logon times or black screens when they try to log on to their WorkSpaces. To configure these settings, see Enable and configure Amazon WorkSpaces Web Access.

Important

Beginning October 1, 2020, customers will no longer be able to use the Amazon WorkSpaces Web Access client to connect to Windows 7 custom WorkSpaces or to Windows 7 Bring Your Own License (BYOL) WorkSpaces.

The Amazon WorkSpaces client displays a gray "Loading..." screen for a while before returning to the login screen. No other error message appears.

This behavior usually indicates that the WorkSpaces client can authenticate over port 443, but can't establish a streaming connection over port 4172 (PCoIP) or port 4195 (WSP). This situation can occur when network prerequisites aren't met. Issues on the client side often cause the network check in the client to fail. To see which health checks are failing, choose the network check icon (typically a red triangle with an exclamation point in the bottom-right corner of the login screen for 2.0+ clients or the network icon in the upper-right corner of the 3.0+ clients).

Note

The most common cause of this problem is a client-side firewall or proxy preventing access over port 4172 or 4195 (TCP and UDP). If this health check fails, check your local firewall settings.

If the network check passes, there might be a problem with the network configuration of the WorkSpace. For example, a Windows Firewall rule might block port UDP 4172 or 4195 on the management interface. Connect to the WorkSpace using a Remote Desktop Protocol (RDP) client to verify that the WorkSpace meets the necessary port requirements.

My users receive the message "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes."

This error usually indicates the SkyLightWorkSpacesConfigService service isn't responding to health checks.

If you just rebooted or started your WorkSpace, wait a few minutes, and then try again.

If the WorkSpace has been running for some time and you still see this error, connect using RDP to verify that the SkyLightWorkSpacesConfigService service:

  • Is set to start automatically.

  • Can communicate over the management interface (eth0).

  • Isn't blocked by any third-party antivirus software.

My users receive the message "This device is not authorized to access the WorkSpace. Please contact your administrator for assistance."

This error indicates that IP access control groups are configured on the WorkSpace directory, but the client IP address isn't whitelisted.

Check the settings on your directory. Confirm that the public IP address the user is connecting from allows access to the WorkSpace.

My users receive the message "No network. Network connection lost. Check your network connection or contact your administrator for help." when trying to connect to a WSP WorkSpace

If this error occurs and your users don't have connectivity issues, make sure that port 4195 is open on your network's firewalls. For WorkSpaces using the WorkSpaces Streaming Protocol (WSP), the port used to stream the client session was changed from 4172 to 4195.
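
The port split described in the gray "Loading..." section and in the WSP section above (443 for authentication, 4172 or 4195 for streaming) can be reproduced from the affected client's network. The following is an added example, not code from AWS or from the original page; the host names are supplied by the operator, the function names and verdict strings are hypothetical, and only TCP is tested, so a pass does not confirm that UDP on the streaming port is open.

```python
import socket
import sys
from typing import Dict, Optional

AUTH_PORT = 443                              # authentication port named on the page
STREAM_PORTS = {"PCoIP": 4172, "WSP": 4195}  # streaming ports named on the page

ADVICE = {
    "auth_blocked": "TCP 443 is unreachable, so the client cannot authenticate.",
    "stream_blocked": "The authentication port answers but the streaming port does "
                      "not: check client-side firewall and proxy rules for it.",
    "tcp_ok": "Both TCP ports answer. UDP on the streaming port is not tested here.",
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or name lookup failed
        return False


def probe(auth_host: str, stream_host: str, protocol: str, timeout: float = 3.0,
          auth_port: int = AUTH_PORT, stream_port: Optional[int] = None) -> Dict[str, bool]:
    """Test the authentication port and the streaming port for one protocol."""
    if protocol not in STREAM_PORTS:
        raise ValueError("protocol must be one of %s" % sorted(STREAM_PORTS))
    if stream_port is None:
        stream_port = STREAM_PORTS[protocol]
    return {
        "auth": tcp_open(auth_host, auth_port, timeout),
        "stream": tcp_open(stream_host, stream_port, timeout),
    }


def diagnose(result: Dict[str, bool]) -> str:
    """Map a probe result to the failure pattern the page describes."""
    if not result["auth"]:
        return "auth_blocked"
    if not result["stream"]:
        return "stream_blocked"
    return "tcp_ok"


if __name__ == "__main__":
    # Usage: script.py <auth-host> <stream-host> <PCoIP|WSP>
    # Both hosts are placeholders the operator supplies; the page names none.
    if len(sys.argv) != 4 or sys.argv[3] not in STREAM_PORTS:
        sys.exit("usage: %s <auth-host> <stream-host> <PCoIP|WSP>" % sys.argv[0])
    outcome = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    verdict = diagnose(outcome)
    print(outcome, verdict, ADVICE[verdict])
```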

The WorkSpaces client gives my users a network error, but they are able to use other network-enabled apps on their devices

The WorkSpaces client applications rely on access to resources in the AWS Cloud, and require a connection that provides at least 1 Mbps download bandwidth. If a device has an intermittent connection to the network, the WorkSpaces client application might report an issue with the network.

WorkSpaces enforces the use of digital certificates issued by Amazon Trust Services, as of May 2018. Amazon Trust Services is already a trusted Root CA on the operating systems that are supported by WorkSpaces. If the Root CA list for the operating system is not up to date, the device cannot connect to WorkSpaces and the client gives a network error.

To recognize connection issues due to certificate failures

  • PCoIP zero clients — The following error message is displayed.

    Failed to connect. The server provided a certificate that is invalid. See below for details:
    - The supplied certificate is invalid due to timestamp
    - The supplied certificate is not rooted in the devices local certificate store
  • Other clients — The health checks fail with a red warning triangle for Internet.

To resolve certificate failures

Windows client application

Use one of the following solutions for certificate failures.

Solution 1: Update the client application

Download and install the latest Windows client application from Amazon WorkSpaces Client Downloads. During installation, the client application ensures that your operating system trusts certificates issued by Amazon Trust Services.

Solution 2: Add Amazon Trust Services to the local Root CA list

  1. Open https://www.amazontrust.com/repository/.

  2. Download the Starfield certificate in DER format (2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92).

  3. Open the Microsoft Management Console. (From the Command Prompt, run mmc.)

  4. Choose File, Add/Remove Snap-in, Certificates, Add.

  5. On the Certificates snap-in page, select Computer account and choose Next. Keep the default, Local computer. Choose Finish. Choose OK.

  6. Expand Certificates (Local Computer) and select Trusted Root Certification Authorities. Choose Action, All Tasks, Import.

  7. Follow the wizard to import the certificate that you downloaded.

  8. Exit and restart the WorkSpaces client application.

Solution 3: Deploy Amazon Trust Services as a trusted CA using Group Policy

Add the Starfield certificate to the trusted Root CAs for the domain using Group Policy. For more information, see Use Policy to Distribute Certificates.

PCoIP zero clients

To connect directly to a WorkSpace using firmware version 6.0 or later, download and install the certificate issued by Amazon Trust Services.

To add Amazon Trust Services as a trusted Root CA

  1. Open https://certs.secureserver.net/repository/.

  2. Download the certificate under Starfield Certificate Chain with the thumbprint 14 65 FA 20 53 97 B8 76 FA A6 F0 A9 95 8E 55 90 E4 0F CC 7F AA 4F B7 C2 C8 67 75 21 FB 5F B6 58.

  3. Upload the certificate to the zero client. For more information, see Uploading Certificates in the Teradici documentation.
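Before a downloaded file goes into a trusted root store (Windows Solution 2 or the zero client steps above), its fingerprint can be compared with the value this page prints. The following is an added example, not AWS or Teradici tooling; it assumes the 64-hex-digit values on this page are SHA-256 digests of the DER-encoded certificate, and the sample bytes are constructed.

```python
import base64
import hashlib
import hmac
import re

# Fingerprints exactly as printed on this page. Assumption: each is the
# SHA-256 digest of the DER-encoded certificate.
PAGE_FINGERPRINTS = {
    "windows_and_other_clients":
        "2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92",
    "pcoip_zero_client":
        "14 65 FA 20 53 97 B8 76 FA A6 F0 A9 95 8E 55 90 "
        "E4 0F CC 7F AA 4F B7 C2 C8 67 75 21 FB 5F B6 58",
}

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in bytes (not a real certificate) so the demo runs offline.
SAMPLE_DER = b"\x30\x82\x00\x10constructed-sample-not-a-certificate"


def normalize_fingerprint(text):
    """Drop spaces and colons, lowercase, and insist on 64 hex digits."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def to_der(data):
    """Return DER bytes whether the download was saved as DER or as PEM."""
    match = PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armor found, treat as DER already
    return base64.b64decode(b"".join(match.group(1).split()))


def cert_fingerprint(data):
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(to_der(data)).hexdigest()


def matches_published(data, published):
    """Constant-time comparison of the file's fingerprint with a published one."""
    return hmac.compare_digest(cert_fingerprint(data),
                               normalize_fingerprint(published))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: script.py <downloaded file> <key in PAGE_FINGERPRINTS>
        with open(sys.argv[1], "rb") as handle:
            ok = matches_published(handle.read(), PAGE_FINGERPRINTS[sys.argv[2]])
        print("fingerprint matches" if ok else "MISMATCH: do not import this file")
        sys.exit(0 if ok else 1)
    # Offline demo: the constructed bytes must not match any value on the page.
    for name, value in PAGE_FINGERPRINTS.items():
        print(name, matches_published(SAMPLE_DER, value))
```

A mismatch means the file is not the certificate the page refers to, or was altered in transit, and it should not be imported.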

Other client applications

Add the Starfield certificate (2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92) from Amazon Trust Services. For more information about how to add a Root CA, see the following documentation:

My WorkSpace users see the following error message: "Device can't connect to the registration service. Check your network settings."

When a registration service failure occurs, your WorkSpace users might see the following error message on the Connection Health Check page: "Your device is not able to connect to the WorkSpaces Registration service. You will not be able to register your device with WorkSpaces. Please check your network settings."

This error occurs when the WorkSpaces client application can't reach the registration service. Typically, this happens when the WorkSpaces directory has been deleted. To resolve this error, make sure that the registration code is valid and corresponds to a running directory in the AWS Cloud.

My PCoIP zero client users are receiving the error "The supplied certificate is invalid due to timestamp"

If Network Time Protocol (NTP) isn't enabled in Teradici, your PCoIP zero client users might receive certificate failure errors. To set up NTP, see Set up PCoIP zero clients for WorkSpaces.

USB printers and other USB peripherals aren't working for PCoIP zero clients

Starting with version 20.10.4 of the PCoIP agent, Amazon WorkSpaces disables USB redirection by default through the Windows registry. This registry setting affects the behavior of USB peripherals when your users are using PCoIP zero client devices to connect to their WorkSpaces.

If your WorkSpaces are using version 20.10.4 or later of the PCoIP agent, USB peripheral devices won't work with PCoIP zero client devices until you've enabled USB redirection.

Note

If you're using 32-bit virtual printer drivers, you must also update those drivers to their 64-bit versions.

To enable USB redirection for PCoIP zero client devices

We recommend that you push out these registry changes to your WorkSpaces through Group Policy. For more information, see Configuring the agent and Configurable settings in the Teradici documentation.

  1. Set the following registry key value to 1 (enabled):

    KeyPath = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Teradici\PCoIP\pcoip_admin

    KeyName = pcoip.enable_usb

    KeyType = DWORD

    KeyValue = 1

  2. Set the following registry key value to 1 (enabled):

    KeyPath = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Teradici\PCoIP\pcoip_admin_defaults

    KeyName = pcoip.enable_usb

    KeyType = DWORD

    KeyValue = 1

  3. If you haven't already done so, log out of the WorkSpace, and then log back in. Your USB devices should now work.

My users skipped updating their Windows or macOS client applications and aren't getting prompted to install the latest version

When users skip updates to the Amazon WorkSpaces Windows client application, the SkipThisVersion registry key gets set, and they are no longer prompted to update their clients when a new version of the client is released. To update to the latest version, you can edit the registry as described in Update the WorkSpaces Windows Client Application to a Newer Version in the Amazon WorkSpaces User Guide. You can also run the following PowerShell command:

When users skip updates to the Amazon WorkSpaces macOS client application, the preference gets set, and they are no longer prompted to update their clients when a new version of the client is released. To update to the latest version, you can reset this preference as described in Update the WorkSpaces macOS Client Application to a Newer Version in the Amazon WorkSpaces User Guide.

My users are unable to install the Android client application on their Chromebooks

Version 2.4.13 is the final release of the Amazon WorkSpaces Chromebook client application. Because Google is phasing out support for Chrome Apps, there will be no further updates to the WorkSpaces Chromebook client application, and its use is unsupported.

For Chromebooks that support installing Android applications, we recommend using the WorkSpaces Android client application instead.

In some cases, you might need to enable your users' Chromebooks to install Android applications. For more information, see Set up Android for Chromebooks.

My users aren't receiving invitation emails or password reset emails

Users do not automatically receive welcome or password reset emails for WorkSpaces that were created using AD Connector or a trusted domain. Invitation emails also aren't sent automatically if the user already exists in Active Directory.

To manually send welcome emails to these users, see Send an invitation email.

To reset user passwords, see Set up Active Directory Administration Tools for WorkSpaces.

My users don't see the Forgot password? option on the client login screen

If you're using AD Connector or a trusted domain, your users won't be able to reset their own passwords. (The Forgot password? option on the WorkSpaces client application login screen won't be available.) For information about how to reset user passwords, see Set up Active Directory Administration Tools for WorkSpaces.

I receive the message "The system administrator has set policies to prevent this installation" when I try to install applications on a Windows WorkSpace

You can address this issue by modifying the Windows Installer Group Policy setting. To deploy this policy to multiple WorkSpaces in your directory, apply this setting to a Group Policy object that is linked to the WorkSpaces organizational unit (OU) from a domain-joined EC2 instance. If you are using AD Connector, you can make these changes from a domain controller. For more information about using the Active Directory administration tools to work with Group Policy objects, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

The following procedure shows how to configure the Windows Installer setting for the WorkSpaces Group Policy object.

  1. Make sure that the most recent WorkSpaces Group Policy administrative template is installed in your domain.

  2. Open the Group Policy Management tool on your Windows WorkSpace client and navigate to and select the WorkSpaces Group Policy object for your WorkSpaces machine accounts. From the main menu, choose Action, Edit.

  3. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Classic Administrative Templates, Windows Components, Windows Installer.

  4. Open the Turn Off Windows Installer setting.

  5. In the Turn Off Windows Installer dialog box, change Not Configured to Enabled, and then set Disable Windows Installer to Never.

  6. Choose OK.

  7. To apply the group policy changes, do one of the following:

    • Reboot the WorkSpace (in the WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • From an administrative command prompt, enter gpupdate /force.

No WorkSpaces in my directory can connect to the internet

WorkSpaces cannot communicate with the internet by default. You must explicitly provide internet access. For more information, see Provide internet access from your WorkSpace.

My WorkSpace has lost its internet access

If your WorkSpace has lost access to the internet and you can't connect to the WorkSpace by using RDP, this issue is probably caused by the loss of the public IP address for the WorkSpace. If you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

We recommend that you not modify the elastic network interface of a WorkSpace after the WorkSpace is launched. After an Elastic IP address has been assigned to a WorkSpace, the WorkSpace retains the same public IP address (unless the WorkSpace is rebuilt, in which case it gets a new public IP address).

I receive a "DNS unavailable" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory.

DNS unavailable (TCP port 53) for IP:

AD Connector must be able to communicate with your on-premises DNS servers via TCP and UDP over port 53. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over this port.

I receive a "Connectivity issues detected" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory.

Connectivity issues detected: LDAP unavailable (TCP port 389) for IP:
Kerberos/authentication unavailable (TCP port 88) for IP:
Please ensure that the listed ports are available and retry the operation.

AD Connector must be able to communicate with your on-premises domain controllers via TCP and UDP over the following ports. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over these ports:

I receive an "SRV record" error when I try to connect to my on-premises directory

You receive an error message similar to one or more of the following when connecting to your on-premises directory.

SRV record for LDAP does not exist for IP:
SRV record for Kerberos does not exist for IP:

AD Connector needs to obtain the and SRV records when connecting to your directory. You get this error if the service cannot obtain these records from the DNS servers that you specified when connecting to your directory. Make sure that your DNS servers contain these SRV records. For more information, see SRV Resource Records on Microsoft TechNet.

My Windows WorkSpace goes to sleep when it's left idle

To resolve this issue, connect to the WorkSpace and change the power plan to High performance by using the following procedure:

  1. From the WorkSpace, open Control Panel, then choose Hardware or choose Hardware and Sound (the name might differ, depending on your version of Windows).

  2. Under Power Options, choose Choose a power plan.

  3. In the Choose or customize a power plan pane, choose the High performance power plan, and then choose Change plan settings.

    • If the option to choose the High performance power plan is disabled, choose Change settings that are currently unavailable, and then choose the High performance power plan.

    • If the High performance plan isn't visible, choose the arrow to the right of Show additional plans to display it, or choose Create a power plan in the left navigation, choose High performance, give the power plan a name, and then choose Next.

  4. On the Change settings for the plan: High performance page, make sure Turn off the display and (if available) Put the computer to sleep are set to Never.

  5. If you made any changes to the high performance plan, choose Save changes (or choose Create if you're creating a new plan).

If the preceding steps do not solve the issue, do the following:

  1. From the WorkSpace, open Control Panel, then choose Hardware or choose Hardware and Sound (the name might differ, depending on your version of Windows).

  2. Under Power Options, choose Choose a power plan.

  3. In the Choose or customize a power plan pane, choose the Change plan settings link to the right of the High performance power plan, then choose the Change advanced power settings link.

  4. In the Power Options dialog box, in the list of settings, choose the plus sign to the left of Hard disk to display the relevant settings.

  5. Verify that the Turn off hard disk after value for Plugged in is greater than the value for On battery (the default value is 20 minutes).

  6. Choose the plus sign to the left of PCI Express, and do the same for Link State Power Management.

  7. Verify that the Link State Power Management settings are Off.

  8. Choose OK (or Apply if you changed any settings) to close the dialog box.

  9. In the Change settings for the plan pane, if you changed any settings, choose Save changes.

One of my WorkSpaces has a state of

The WorkSpaces service periodically sends status requests to a WorkSpace. A WorkSpace is marked when it fails to respond to these requests. Common causes for this problem are:

  • An application on the WorkSpace is blocking network ports, which prevents the WorkSpace from responding to the status request.

  • High CPU utilization is preventing the WorkSpace from responding to the status request in a timely manner.

  • The computer name of the WorkSpace has been changed. This prevents a secure channel from being established between WorkSpaces and the WorkSpace.

You can attempt to correct the situation using the following methods:

  • Reboot the WorkSpace from the WorkSpaces console.

  • Connect to the unhealthy WorkSpace using the following procedure, which should be used only for troubleshooting purposes:

    1. Connect to an operational WorkSpace in the same directory as the unhealthy WorkSpace.

    2. From the operational WorkSpace, use Remote Desktop Protocol (RDP) to connect to the unhealthy WorkSpace using the IP address of the unhealthy WorkSpace. Depending on the extent of the problem, you might not be able to connect to the unhealthy WorkSpace.

    3. On the unhealthy WorkSpace, confirm that the minimum port requirements are met.

  • Make sure the SkyLightWorkSpacesConfigService service can respond to health checks. To troubleshoot this issue, see My users receive the message "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes.".

  • Rebuild the WorkSpace from the WorkSpaces console. Because rebuilding a WorkSpace can potentially cause a loss of data, this option should be used only if all other attempts to correct the problem have been unsuccessful.

My WorkSpace is unexpectedly crashing or rebooting

If your WorkSpace configured for PCoIP is repeatedly crashing or rebooting and your error logs or crash dumps are pointing to problems with or , or if you're receiving the following error messages, you might need to disable Web Access to the WorkSpace:

The kernel power manager has initiated a shutdown transition. Shutdown reason: Kernel API
The computer has rebooted from a bugcheck.

Note

  • These troubleshooting steps are not applicable to WorkSpaces that are configured for WorkSpaces Streaming Protocol (WSP). They are applicable only to WorkSpaces that are configured for PCoIP.

  • You should disable Web Access only if you aren't allowing your users to use Web Access.

To disable Web Access to the WorkSpace, you must set a group policy and modify two registry settings. For information about using the Active Directory administration tools to work with Group Policy Objects, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

Step 1: Set a Group Policy to disable Web Access at the directory level

You must make these changes from a PCoIP WorkSpace instead of a domain controller because the STXHD Hosted Application Service must be present.

  1. Edit the Security Group used by WorkSpaces to allow RDP connections. For more information, see How do I connect to my WorkSpace using RDP?.

  2. Use RDP to connect to a WorkSpace. Make sure that you are using a user account that has permissions on the domain to create and modify GPOs. If you are using Simple AD for your WorkSpace directory, the username is . If you are using Microsoft AD, the administrator username is .

  3. Install the Active Directory Administration Tools (RSAT) to get the Group Policy Management Editor tool. To install these tools, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

    You can also install these tools by running the following Windows PowerShell command as an administrator:

  4. Open the Group Policy Management Editor (gpmc.msc) and locate the Group Policy Object (GPO) policy at the domain controller level of your directory.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, you must create and link the GPO under the domain container that has delegated privileges.

    When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates a organizational unit (OU) under the domain root. The name of this OU is based on the NetBIOS name that you entered when you created your directory. If you didn't specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of , the NetBIOS name is ).

    To create your GPO, instead of selecting Default Domain Policy, select the OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here.

    For more information about the OU, see What Gets Created in the AWS Directory Service Administration Guide.

  5. Choose Action, Edit.

  6. Navigate to the following setting:

    Computer Configuration\Policies\Windows Settings\Security Settings\System Services\STXHD Hosted Application Service

  7. In the STXHD Hosted Application Service Properties dialog box, on the Security Policy Setting tab, select the Define this policy setting check box.

  8. Under Select Service Startup Mode, select Disabled.

  9. Choose OK.

  10. Prevent the machine from rebooting until you have finished editing the registry (Step 2).

Step 2: Edit the Registry to disable Web Access

We recommend that you push out these registry changes through GPO.

  1. Set the following registry key value to 1 (enabled):

    KeyPath = HKEY_LOCAL_MACHINE\SOFTWARE\Amazon\WorkSpacesConfig\update-webaccess.ps1

    KeyName = RebootCount

    KeyType = DWORD

    KeyValue = 1

  2. Set the following registry key value to 4 (disabled):

    KeyPath = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spacedeskHookKmode

    KeyName = Start

    KeyType = DWORD

    KeyValue = 4

  3. Reboot the machine.

The same username has more than one WorkSpace, but the user can log in to only one of the WorkSpaces

If you delete a user in Active Directory (AD) without first deleting their WorkSpace and then you add the user back to Active Directory and create a new WorkSpace for that user, the same username will now have two WorkSpaces in the same directory. However, if the user tries to connect to their original WorkSpace, they will receive the following error:

"Unrecognized user. No WorkSpace found under your username. Contact your administrator to request one."

Additionally, searches for the username in the Amazon WorkSpaces console return only the new WorkSpace, even though both WorkSpaces still exist. (You can find the original WorkSpace by searching for the WorkSpace ID instead of the username.)

This behavior can also occur if you rename a user in Active Directory without first deleting their WorkSpace. If you then change their username back to the original username and create a new WorkSpace for the user, the same username will have two WorkSpaces in the directory.

This problem occurs because Active Directory uses the user's security identifier (SID), rather than the username, to uniquely identify the user. When a user is deleted and recreated in Active Directory, the user is assigned a new SID, even if their username remains the same. During searches for a username, the Amazon WorkSpaces console uses the SID to search Active Directory for matches. The Amazon WorkSpaces clients also use the SID to identify users when they are connecting to WorkSpaces.

To resolve this problem, do one of the following:

  • If this problem occurred because the user was deleted and recreated in Active Directory, you might be able to restore the original deleted user object if you have enabled the Recycle Bin feature in Active Directory. If you're able to restore the original user object, make sure the user can connect to their original WorkSpace. If they can, you can delete the new WorkSpace after manually backing up and transferring any user data from the new WorkSpace to the original WorkSpace (if needed).

  • If you can't restore the original user object, delete the user's original WorkSpace. The user should be able to connect to and use their new WorkSpace instead. Be sure to manually back up and transfer any user data from the original WorkSpace to the new WorkSpace.

    Warning

    Deleting a WorkSpace is a permanent action and cannot be undone. The WorkSpace user's data does not persist and is destroyed. For help with backing up user data, contact AWS Support.

I'm having trouble using Docker with Amazon WorkSpaces

Windows WorkSpaces

Nested virtualization (including the use of Docker) is not supported on Windows WorkSpaces. For more information, see the Docker documentation.

Linux WorkSpaces

To use Docker on Linux WorkSpaces, make sure that the CIDR blocks used by Docker don't overlap with the CIDR blocks used in the two elastic network interfaces (ENIs) associated with the WorkSpace. If you encounter problems with using Docker on Linux WorkSpaces, contact Docker for assistance.

I receive ThrottlingException errors to some of my API calls

The default allowed rate for WorkSpaces API calls is a constant rate of two API calls per second, with a maximum allowed "burst" rate of five API calls per second. The following table shows how the burst rate limit works for API requests.

| Second | Number of requests sent | Net requests allowed | Details |
| --- | --- | --- | --- |
| 1 | 0 | 5 | During the first second (second 1), five requests are allowed, up to the burst rate maximum of five calls per second. |
| 2 | 2 | 5 | Because two or fewer calls were issued in second 1, the full burst capacity of five calls is still available. |
| 3 | 5 | 5 | Because only two calls were issued in second 2, the full burst capacity of five calls is still available. |
| 4 | 2 | 2 | Because the full burst capacity was used in second 3, only the constant rate of two calls per second is available. |
| 5 | 3 | 2 | Because there is no remaining burst capacity, only two calls are allowed at this time. This means that one of the three API calls is throttled. The one throttled call will respond after a short delay. |
| 6 | 0 | 1 | Because one of the calls from second 5 is being retried in second 6, there is capacity for only one additional call in second 6 because of the constant rate limit of two calls per second. |
| 7 | 0 | 3 | Now that there are no longer any throttled API calls in the queue, the rate limit continues to increase, up to the burst rate limit of five calls. |
| 8 | 0 | 5 | Because no calls were issued in second 7, the maximum number of requests is allowed. |
| 9 | 0 | 5 | Even though no calls were issued in second 8, the rate limit does not increase above five. |
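The burst behavior in the table above matches a token bucket that holds at most five tokens and refills two per second. The simulation below is an added example, not AWS code; modeling the limit as a token bucket, with throttled calls retried first in the following second, is an assumption that is checked against the table's rows.

```python
RATE_PER_SECOND = 2   # constant rate stated on this page
BURST_CAPACITY = 5    # maximum burst rate stated on this page

# "Number of requests sent" column of the table, seconds 1 through 9.
TABLE_REQUESTS = [0, 2, 5, 2, 3, 0, 0, 0, 0]


def simulate(requests_per_second, rate=RATE_PER_SECOND, burst=BURST_CAPACITY):
    """Replay a per-second request schedule through a token bucket.

    Returns one dict per second: new calls sent, capacity left for new calls
    once queued retries were served ("net_allowed"), and calls throttled.
    """
    tokens = burst       # the bucket starts full
    retry_queue = 0      # throttled calls waiting to be retried
    timeline = []
    for second, sent in enumerate(requests_per_second, start=1):
        tokens = min(burst, tokens + rate)       # refill, capped at burst
        retried = min(retry_queue, tokens)       # retries are served first
        tokens -= retried
        retry_queue -= retried
        net_allowed = tokens
        accepted = min(sent, tokens)
        tokens -= accepted
        throttled = sent - accepted
        retry_queue += throttled
        timeline.append({"second": second, "sent": sent,
                         "net_allowed": net_allowed, "throttled": throttled})
    return timeline


def plan_batches(total_calls, rate=RATE_PER_SECOND, burst=BURST_CAPACITY):
    """Split total_calls into per-second batches that are never throttled."""
    if rate <= 0 or burst <= 0:
        raise ValueError("rate and burst must be positive")
    tokens, plan = burst, []
    while total_calls > 0:
        batch = min(total_calls, tokens)
        plan.append(batch)
        total_calls -= batch
        tokens = min(burst, tokens - batch + rate)
    return plan


if __name__ == "__main__":
    for row in simulate(TABLE_REQUESTS):
        print(row)
    print("12 calls, paced:", plan_batches(12))
```

A script that issues many WorkSpaces API calls can send its batches on the `plan_batches` schedule instead of relying on retries after a ThrottlingException.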

My WorkSpace keeps disconnecting when I let it run in the background

For Mac users, check to see if the Power Nap feature is on. If it is on, turn it off. To turn Power Nap off, open your terminal and run the following command:

Source: https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-troubleshooting.html

Using Amazon CloudWatch to Monitor and Log Your Amazon WorkSpaces Deployment

Use these best practices to monitor the health and connection status of individual Amazon WorkSpaces and deployments with Amazon CloudWatch

Key Takeaways

  • Organizations are increasingly using Amazon WorkSpaces to empower remote workers, but they must be able to monitor the performance and security of their WorkSpaces. 
  • Amazon CloudWatch lets organizations retrieve, monitor, and analyze WorkSpaces data and insights. 
  • By using CloudWatch for individual WorkSpaces, you can enjoy seamless access to data and use this information to uncover ways to improve AWS app and system performance and resource utilization. 
  • Tracking the right WorkSpaces metrics and events with CloudWatch and CloudWatch Events lets you verify the performance and security of individual WorkSpaces. 

Organizations around the world are using Amazon WorkSpaces to quickly provision Linux and Windows desktops so their teams can work remotely. But in order to get the most value out of your WorkSpaces, you need to be able to log performance and monitor security threats. Amazon CloudWatch is a great way to keep your teams on track and working in a secure environment.

What is Amazon CloudWatch?

CloudWatch is a monitoring and observability service that provides data and insights to track application usage, system-wide performance changes, resource utilization, and operational health. It retrieves a variety of data, including:

CloudWatch provides a unified view of resources, applications, and services that run on Amazon Web Services (AWS) and on-premises servers. It lets you detect anomalous behavior in these server environments, create alarms, and visualize logs and metrics. Plus, CloudWatch allows you to troubleshoot issues and identify ways to keep your applications running at peak levels.

3 benefits of monitoring and logging WorkSpaces with CloudWatch

There are many reasons why organizations use CloudWatch to monitor and log WorkSpaces. These are three of the most important:

1. Seamless access to data 

CloudWatch lets you collect, access, and correlate data from across your AWS resources, apps, and services on a single platform. That way, CloudWatch provides system-wide visibility to help you break down data silos and quickly resolve issues.

2. Simple, effective data monitoring 

CloudWatch simplifies data monitoring across your AWS cloud environment. It integrates with more than 70 AWS services and automatically publishes detailed and custom metrics with up to one-second granularity. That way, you can conduct a deep dive into your logs for additional context. You can even use the CloudWatch Agent or API to monitor on-premises resources.

3. Enhanced operational performance and resource use

CloudWatch lets you set alarms and automate actions based on predefined thresholds and machine learning algorithms that identify anomalous behaviors in your metrics. You can use these to automatically scale cloud instances, trigger workflows with various AWS services, and more. The result: CloudWatch helps you optimize the operational performance and resource use associated with your AWS apps and services. 

How to conduct monitoring and logging of individual WorkSpaces with CloudWatch

CloudWatch makes it easy to monitor and log the health and connection status of individual WorkSpaces. Here’s what you need to do:

1. Determine which metrics to track

CloudWatch provides metrics per WorkSpace or aggregated for all WorkSpaces in an organization within a given directory. These metrics can be viewed in the AWS Management Console, accessed via the CloudWatch APIs, and monitored with CloudWatch alarms and third-party tools.

Initially, the following CloudWatch metrics are available free of charge:

  • Available: WorkSpaces that respond to a status check 
  • Unhealthy: WorkSpaces that don’t respond to a status check
  • ConnectionAttempt: Number of connection attempts made to a WorkSpace
  • ConnectionSuccess: Number of successful connection attempts
  • ConnectionFailure: Number of failed connection attempts
  • SessionLaunchTime: Time required to initiate a session (measured by the WorkSpaces client).
  • InSessionLatency: Total time between the WorkSpaces client and WorkSpaces (measured and reported by the client).
  • SessionDisconnect: Number of user-initiated and automatically closed sessions
  • Stopped: Number of WorkSpaces unavailable
  • Maintenance: Number of WorkSpaces under maintenance

To establish CloudWatch metrics, activate access on port 443 on the AMAZON subset in the us-east-1 Region. Once you have CloudWatch metrics in place, you can filter them by DirectoryId or WorkspaceId.

2. Submit events to Amazon CloudWatch Events

Monitoring events from CloudWatch Events lets you view, search, download, archive, analyze, and respond to WorkSpace logins. With it, you can:

  • Store or archive WorkSpaces login events
  • Analyze event logs to identify patterns and take action based on those patterns as needed 
  • Use a WAN IP address to determine where users are logged in from
  • Create and implement policies to ensure only authorized users can access WorkSpace files or data based on the type of CloudWatch Event 
  • Evaluate login data in near-real-time
  • Automate actions via AWS Lambda

WorkSpaces events are represented as JSON objects. To establish a CloudWatch rule to handle WorkSpaces events, you should:

     1. Open the CloudWatch console
     2. Select Events in the navigation pane
     3. Choose Create Rule
     4. Select Event Source
     5. Choose Event Pattern
     6. Choose Build event pattern to match events by Service
     7. Choose WorkSpaces as the Service Name
     8. Choose WorkSpaces Access as the Event Type
     9. Choose Add Target and select the service that will respond when a WorkSpaces event is detected and provide information required by this service
     10. Choose Configure Details and enter a name and description for Rule Definition
     11. Choose Create Rule

WorkSpaces client applications send WorkSpaces Access events to CloudWatch Events any time a user successfully logs in to a WorkSpace.
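The rule above only routes events; the target still has to decide what a login means. As an added example (not code from the original article), this Lambda-style handler takes a WorkSpaces Access event and flags logins whose WAN IP falls outside an allow-list. The event below is constructed, and the allowed networks are assumed placeholder ranges.

```python
import ipaddress
import json

# Event pattern that the rule built in the console steps above matches on.
EVENT_PATTERN = {"source": ["aws.workspaces"], "detail-type": ["WorkSpaces Access"]}

# Assumption: the networks your users are expected to log in from.
# Documentation ranges are used here as placeholders.
ALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample event; every value is a placeholder.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "WorkSpaces Access",
    "source": "aws.workspaces",
    "account": "111122223333",
    "time": "2024-01-02T17:53:06Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "clientIpAddress": "198.51.100.23",
        "actionType": "successfulLogin",
        "workspacesClientProductName": "WorkSpaces Desktop client",
        "loginTime": "2024-01-02T17:52:51.595Z",
        "clientPlatform": "Windows",
        "directoryId": "domain/d-EXAMPLE",
        "workspaceId": "ws-EXAMPLE",
    },
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Exact-value match on top-level fields only (enough for this pattern)."""
    return all(event.get(field) in values for field, values in pattern.items())


def assess_login(event):
    """Return a finding for a WorkSpaces Access event, or None for any other event."""
    if not matches_pattern(event):
        return None
    detail = event.get("detail", {})
    raw_ip = detail.get("clientIpAddress") or ""
    try:
        address = ipaddress.ip_address(raw_ip)
        allowed = any(address in net for net in ALLOWED_NETWORKS)
        reason = "ok" if allowed else "source address outside allowed networks"
    except ValueError:
        allowed, reason = False, "missing or unparseable clientIpAddress"
    return {
        "workspaceId": detail.get("workspaceId"),
        "directoryId": detail.get("directoryId"),
        "clientIpAddress": raw_ip,
        "clientPlatform": detail.get("clientPlatform"),
        "loginTime": detail.get("loginTime"),
        "allowed": allowed,
        "reason": reason,
    }


def lambda_handler(event, context):
    """Lambda entry point for the rule target: log an alert line for unexpected sources."""
    finding = assess_login(event)
    if finding and not finding["allowed"]:
        print(json.dumps({"alert": "workspaces_login_unexpected_source", **finding}))
    return finding


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Because these events are only sent on successful logins, this check tells you where sessions were established from, not where failed attempts originated.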

3. Log WorkSpaces API Calls

Along with using CloudWatch, you can integrate the WorkSpaces API with AWS CloudTrail to capture API calls for WorkSpaces as events. This lets you capture calls from the WorkSpaces console and code calls to the WorkSpaces API operations. 

To establish an ongoing record of events in WorkSpaces, create a trail. A trail lets CloudTrail log WorkSpaces events and deliver the associated log files to a designated Amazon S3 bucket. You can also configure other AWS services to further analyze and act on event data collected in CloudTrail logs. 

You can create a trail by specifying the settings for delivery of WorkSpaces events log data to the Amazon S3 bucket of your choice. By creating a trail, you can enable continuous delivery of WorkSpaces events and other CloudTrail events to an Amazon S3 bucket. Then, you can use this information to determine the request that was made to WorkSpaces, the IP address from which the request was made, and other details.
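To show what "determine the request that was made and the IP address it came from" looks like in practice, here is an added example (not from the original article) that reads a CloudTrail log file as delivered to S3 and lists the state-changing WorkSpaces API calls. The records, ARNs and addresses are constructed; the prefix-based fallback for records without a readOnly field is an assumption of this sketch.

```python
import gzip
import ipaddress
import json

WORKSPACES_SOURCE = "workspaces.amazonaws.com"

# Constructed records in CloudTrail's log-file layout ({"Records": [...]}).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-02T10:05:00Z", "eventSource": WORKSPACES_SOURCE,
     "eventName": "TerminateWorkspaces", "readOnly": False,
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"}},
    {"eventTime": "2024-01-02T09:00:00Z", "eventSource": WORKSPACES_SOURCE,
     "eventName": "RebootWorkspaces", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-helpdesk"}},
    {"eventTime": "2024-01-02T09:30:00Z", "eventSource": WORKSPACES_SOURCE,
     "eventName": "DescribeWorkspaces", "readOnly": True,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-helpdesk"}},
    {"eventTime": "2024-01-02T09:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser"}},
]
# CloudTrail delivers log files to the S3 bucket gzip-compressed.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_records(blob):
    """Accept a log file as raw bytes, gzip-compressed or already decompressed."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    return json.loads(blob).get("Records", [])


def is_read_only(record):
    """Prefer the record's readOnly flag; fall back to the API name prefix."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record.get("eventName", "").startswith(("Describe", "List"))


def caller_kind(source):
    """sourceIPAddress holds a service DNS name when an AWS service made the call."""
    try:
        ipaddress.ip_address(source)
        return "ip"
    except ValueError:
        return "aws-service"


def workspaces_changes(blob):
    """Return state-changing WorkSpaces API calls from one log file, oldest first."""
    calls = []
    for record in load_records(blob):
        if record.get("eventSource") != WORKSPACES_SOURCE or is_read_only(record):
            continue
        identity = record.get("userIdentity", {})
        source = record.get("sourceIPAddress", "")
        calls.append({
            "time": record.get("eventTime", ""),
            "event": record.get("eventName"),
            "principal": identity.get("arn") or identity.get("type", "unknown"),
            "source": source,
            "source_kind": caller_kind(source),
            "error": record.get("errorCode"),  # None when the call succeeded
        })
    return sorted(calls, key=lambda c: c["time"])


if __name__ == "__main__":
    for call in workspaces_changes(SAMPLE_LOG):
        print(call)
```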

Take the guesswork out of monitoring and logging Amazon WorkSpaces

WorkSpaces empowers your organization to support remote workers and ensure they can use a best-in-class desktop-as-a-service (DaaS) to stay on track. How you monitor and log those deployments can have far-flung effects on your organization and its workforce. 

If you use CloudWatch for individual WorkSpace monitoring and logging, you’re well-equipped to help your employees get the most value out of their WorkSpaces. But, in order to fully utilize CloudWatch for your WorkSpaces, you may want to work with an Amazon Managed Service Partner like CloudHesive. 

CloudHesive can help you launch, manage, and secure WorkSpaces. With our support, you can instantly provision Linux and Windows desktops to thousands of workers around the globe in minutes. Contact us today to learn how we can help you monitor and log your WorkSpaces. 

Source: https://www.cloudhesive.com/blog-posts/monitoring-and-logging-for-amazon-workspaces-deployment/

Troubleshooting

Common administration and client issues, such as error messages like "Your device is not able to connect to the WorkSpaces Registration service" or "Can't connect to a WorkSpace with an interactive logon banner", can be found on the Client and Admin Troubleshooting pages in the Amazon WorkSpaces Administration Guide.

AD Connector Cannot Connect to Active Directory

For AD Connector to connect to the on-premises directory, the firewall for the on-premises network must have certain ports open to the CIDRs for both subnets in the VPC. See Scenario 1: Using AD Connector to Proxy Authentication to On-Premises Active Directory service in this document. To test if these conditions are met, perform the following steps:

To test the connection:

  1. Launch a Windows instance in the VPC and connect to it over RDP. The remaining steps are performed on the VPC instance.

  2. Download and unzip the DirectoryServicePortTest test application. The source code and Microsoft Visual Studio project files are included to modify the test application, if desired.

  3. From a Windows command prompt, run the test application with the following options:

  • — The fully qualified domain name, used to test the forest and domain functional levels. If the domain name is excluded, the functional levels won't be tested.

  • — The IP address of a domain controller in the on-premises domain. The ports are tested against this IP address. If the IP address is excluded, the ports won't be tested.

This test determines if the necessary ports are open from the VPC to the domain. The test app also verifies the minimum forest and domain functional levels.

Troubleshooting a WorkSpace Custom Image Creation Error

If a Windows or Amazon Linux WorkSpace has been launched and customized, a custom image can be created from that WorkSpace. A custom image contains the operating system, application software, and settings for the WorkSpace.

Review the requirements to create a Windows custom image or the requirements to create an Amazon Linux custom image. Image creation requires that all prerequisites are met before image creation can start.

To confirm that the Windows WorkSpace meets the requirements for image creation, AWS recommends running the Image Checker. The Image Checker performs a series of tests on the WorkSpace when an image is created, and provides guidance on how to resolve any issues it finds. For detailed information read installing and configuring the image checker.

After the WorkSpace passes all tests, a Validation Successful message appears. You can now create a custom bundle. Otherwise, resolve any issues that cause test failures and warnings, and repeat the process of running the Image Checker until the WorkSpace passes all tests. All failures and warnings must be resolved before an image can be created.

For more information, follow the tips for resolving issues detected by the Image Checker.

Troubleshooting a Windows WorkSpace Marked as Unhealthy

The Amazon WorkSpaces service periodically checks the health of a WorkSpace by sending it a status request. The WorkSpace is marked as Unhealthy if a response isn’t received from the WorkSpace in a timely manner. Common causes for this problem are:

  • An application on the WorkSpace is blocking network connection between the Amazon WorkSpaces service and the WorkSpace.

  • High CPU utilization on the WorkSpace.

  • The computer name of the WorkSpace is changed.

  • The agent or service that responds to the Amazon WorkSpaces service isn't in running state.

The following troubleshooting steps can return the WorkSpace to a healthy state:

  • If the WorkSpace is unreachable by a different protocol, rebuild the WorkSpace from the Amazon WorkSpaces console.

  • If a WorkSpaces connection cannot be established, verify the following:

Verify CPU Utilization

  • Open Task Manager to determine if the WorkSpace is experiencing high CPU utilization. If it is, try any of the following troubleshooting steps to resolve the issue:

  1. Stop any service that is consuming a high amount of CPU.

  2. Resize the WorkSpace to a compute type greater than what is currently used.

  3. Reboot the WorkSpace.

Verify the Computer Name of the WorkSpace

  • If the computer name of the WorkSpace was changed, change it back to the original name:

  1. Open the Amazon WorkSpaces console (signin required), and then expand the WorkSpace to show details.

  2. Copy the Computer Name.

  3. Connect to the WorkSpace using RDP.

    Open a command prompt, and then enter hostname to view the current computer name.

    • If the name matches the Computer Name from step 2, skip to the next troubleshooting section.

    • If the names don’t match, enter  to open system properties, and then follow the remaining steps in this section.

  4. Choose Change, and then paste the Computer Name from step 2.

  5. Enter the domain user credentials if prompted.

Confirm that is in Running State

From Services, verify if the WorkSpace service  is in running state. If it’s not, start the service.

Verify Firewall Rules

  • Confirm that the Windows Firewall and any third-party firewall that is running have rules to allow the following ports:

    • Inbound TCP on port 4172: Establish the streaming connection.

    • Inbound UDP on port 4172: Stream user input.

    • Inbound TCP on port 8200: Manage and configure the WorkSpace.

    • Outbound UDP on port 55002: PCoIP streaming.

If the firewall uses stateless filtering, then open ephemeral ports 49152-65535 to allow return communication.

If the firewall uses stateful filtering, then ephemeral port 55002 is already open.

Collecting a WorkSpaces Support Log Bundle for Debugging

When troubleshooting WorkSpaces issues, it will be necessary to gather the log bundle from the affected WorkSpace and the host where the WorkSpaces client is installed. There are two fundamental categories of logs:

  • Server-side logs — The WorkSpace is the server in this scenario, so these are logs that live on the WorkSpace itself.

  • Client-side logs — These will be on the device that the end user is using to connect to the WorkSpace.

    • Note that only Windows and macOS clients write logs locally.

    • Zero clients and iOS clients do not log.

    • Android logs are encrypted on the local storage and uploaded automatically to the WorkSpaces client engineering team. Only that team can review the logs for Android devices.

All of the PCoIP components write their log files into one of two folders:

  • Primary location:

  • Archive location:

Sometimes when working with AWS Support on a complex issue, it will be necessary to put the PCoIP Server agent into verbose logging mode. To enable this:

  1. Open the following registry key: .

  2. In the key create the following 32 bit DWORD: .

  3. Set the value for to “” (Dec or Hex).

For reference, these are the log thresholds which can be defined in this DWORD.

  • 0 — (CRITICAL)

  • 1 — (ERROR)

  • 2 — (INFO)

  • 3 — (Debug)

If the DWORD doesn’t exist, the log level is 2 by default. It is recommended to restore a value of 2 to the DWORD once verbose logs are no longer needed, as they are much larger and will consume disk space unnecessarily.

The WorkSpaces web access client uses the STXHD service. The logs for WebAccess are stored at .

These logs come from the WorkSpaces client that the user connects with, so the logs are on the end user’s computer. The log file locations for Windows and Mac are:

  • Windows — ""

  • macOS

  • Linux

To help troubleshoot issues that users might experience, advanced logging can be enabled on any Amazon WorkSpaces client. Advanced logging is enabled for every subsequent client session until it is disabled.

  1. Before connecting to the WorkSpace, the end user should enable advanced logging for their WorkSpaces client.

  2. The end user should then connect as normal and use their WorkSpace, and attempt to reproduce the issue.

  3. Advanced logging generates log files that contain diagnostic information and debugging-level details, including verbose performance data.

This setting persists until explicitly turned off. Once the user has been able to reproduce the issue with verbose logging on, this setting should be disabled, as it generates large log files.

The script is very helpful for quickly gathering a server-side log bundle for AWS Premium Support. The script can be requested from AWS Premium Support by requesting it in a support case.

  1. Connect to the WorkSpace using the client or using Remote Desktop Protocol (RDP)

  2. Start an administrative command prompt (run as administrator).

  3. Launch the script from the command prompt with the following command:

  4. The script will create a log bundle on the user's desktop.

The script creates a zip file with the following folders:

  • — Contains the files from Program Files, Program Files (x86), ProgramData, and Windows related to Skylight, EC2Config, Teradici, Event viewer, and Windows logs (Panther and others).

  • — Contains XML files that can be imported in PowerShell by using for interactive filtering. See Import-Clixml.

  • — Detailed logs for each check that is performed.

  • — Logs about the script execution (not relevant to the investigation, but useful to debug what the script does).

  • — Temporary folder (it should be empty).

  • — Packet capture done during the log collection.

How to Check Latency to Closest AWS Region

The Connection Health Check website quickly checks whether all of the required services that use Amazon WorkSpaces can be reached. It also does a performance check to each AWS Region where Amazon WorkSpaces is available, and lets users know which one will be the fastest.

Source: https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/troubleshooting.html


Amazon WorkSpaces Logging

In an Amazon WorkSpaces environment, there are many log sources that can be captured to troubleshoot issues and monitor the overall WorkSpaces performance.

Amazon WorkSpaces Client 3.x

On each Amazon WorkSpaces client, the client logs are located in the following directories:

  • Windows —

  • macOS —

  • Linux (Ubuntu 18.04 or later) —

There are many instances where diagnostic or debugging details may be needed for a WorkSpaces session from the client side. Advanced client logs can be enabled as well by adding an ““ to the workspaces executable file. For example:

Amazon WorkSpaces Service

The Amazon WorkSpaces service is integrated with Amazon CloudWatch Metrics, CloudWatch Events, and AWS CloudTrail. This integration allows performance data and API calls to be logged into the central AWS service.

When managing an Amazon WorkSpaces environment, it is important to constantly monitor certain CloudWatch metrics to determine the overall environment health status.

Metrics

While there are other CloudWatch metrics available for Amazon WorkSpaces (see Monitor Your WorkSpaces Using CloudWatch Metrics), the three following metrics will assist in maintaining the WorkSpace instance availability:

  • Unhealthy — The number of WorkSpaces that returned an unhealthy status.

  • SessionLaunchTime — The amount of time it takes to initiate a WorkSpaces session.

  • InSessionLatency — The round trip time between the WorkSpaces client and the WorkSpace.

For more information on WorkSpaces logging options, see Logging Amazon WorkSpaces API Calls by Using CloudTrail. The additional CloudWatch Events will assist with capturing the client-side IP of the user session, when the user connected to the WorkSpaces session, and what endpoint was used during the connection. All of these details assist with isolating or pinpointing user-reported issues during troubleshooting sessions.

Note

Some CloudWatch Metrics are available only with AWS Managed AD.

Source: https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/amazon-workspaces-logging.html

I recently ran into a situation where I was unable to connect to an Amazon WorkSpace.  Though everything looked great on the AWS side in that no problems were displayed within the WorkSpaces console, the Get-WKSWorkspace PowerShell command, and the CloudWatch WorkSpace dashboard, my connection would launch, present me with a black screen, and then disappear.  Granted, my first task was to reboot the WorkSpace but as you may have guessed, my connection issue remained.  So, I decided to use this opportunity to investigate what resources are available to us as we troubleshoot WorkSpace connection issues from the end-user client/device perspective before breaking down and simply rebuilding the WorkSpace.

  1. What Color is the WorkSpaces Network Icon?

The easiest troubleshooting step may also be the most overlooked.  When you launch the WorkSpaces client, notice the network icon in the top right-hand corner of the window; the WorkSpaces client performs five “tests” when launched:

  • Is the client device connected to the network?
  • Is the client device connected to the internet?
  • Can HTTPS connectivity be established to the AWS WorkSpaces service?
  • Can the client connect to the WorkSpaces services using TCP Port 4172?
  • Can the client connect to the WorkSpaces services using UDP Port 4172?

If all tested connections are active and available, then the network icon will be green.  If any of the network tests fail, the icon will be red as shown below.  This provides you with a method to quickly identify the state of your connectivity to the AWS WorkSpaces service.

In my recent case and much to my surprise, my WorkSpaces network icon was red and upon clicking the network icon for more information, I saw that though my laptop was on the network, had internet connectivity, and could even communicate to the WorkSpaces service using HTTPS, I could NOT connect to WorkSpaces over UDP Port 4172.

1-WorkSpacesClientNetworkIcon

To save us some time, I launched the WorkSpaces client on other computers and had no network issues.  Furthermore, the UDP connectivity test passed when I connected my laptop to a wired ethernet connection.  The issue manifested itself only on a specific laptop when it was connected to my wireless network.  Turns out a recent update to the AV/Security Suite application on my laptop was the reason behind the issue.

Tip #1:  Check the WorkSpaces network icon to ensure the required network connectivity to AWS WorkSpaces is established.

  2. Enable WorkSpaces Client Logging

Well, I can assure you that I thought I had my problem fixed!  My WorkSpace was looking good from an AWS console perspective and now my WorkSpaces client network icon was green!  I had an available WorkSpace and network connectivity to it, yet I was still unable to connect?!?!  What’s going on now?

To get more insight into what is going on with the WorkSpaces client, I decided to enable advanced logging.  It’s easy enough to do, simply open a command prompt, and launch the WorkSpaces client with the -l3 flag (workspaces.exe -l3).  You’ll find the logs saved in the %LOCALAPPDATA%\Amazon Web Services\Amazon WorkSpaces\logs directory.

After enabling advanced logging and attempting to launch my WorkSpace, the surprises continued.  I found many entries stating that the connection changed to “……CONGESTED with PCOIP_DISCONNECT_CAUSE_NONE”.  How can a status change with no cause?

2-DisconnectCauseNone

Well, if you’ve used or had to troubleshoot PCOIP connectivity issues in the past, you may already know the most likely reason we’re seeing this is that the session was terminated because of a network failure or interruption.  As I did in troubleshooting the earlier UDP connection problem, I tried connecting to my WorkSpace from multiple clients and they all failed to connect with the same reason, DISCONNECT_CAUSE_NONE.  Even though my WorkSpace reads AVAILABLE from the AWS console and each WorkSpaces client I tested connectivity from passes the network checks, I’m unable to connect.

No matter what the Status of my WorkSpace displays within the AWS console, I now believe the problem resides there…

Tip #2:  To gain deep insight into what the WorkSpaces client is doing, enable advanced logging.

  3. Can I Test Connectivity to My WorkSpace using RDP?

Though the WorkSpaces client does not support RDP connectivity to a WorkSpace, you can enable RDP access to support troubleshooting efforts via the security group attached to the WorkSpaces network interface as shown on the screenshot below.

3-SecGroup

SIDE NOTE: I know….I know and I completely agree!  0.0.0.0/0 should not be used as the Source address.  Even if you plan to use this rule to provide temporary access, you may forget to come back and remove the entry from the Inbound rules list.  Instead of 0.0.0.0/0, use the IP address of a bastion host that exists within your AWS environment.

With the inbound rule allowing RDP in place, attempt to connect to the WorkSpace using RDP from an allowed source.  When I connected with RDP, the problem with my WorkSpace was quite clear.

4-Problem

Looks like I was foiled by an update to my WorkSpace as well but at least the resolution was straightforward.

Tip #3:  If you cannot connect to your WorkSpace using PCOIP, you can enable RDP access for troubleshooting.
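A temporary RDP rule of the kind discussed in the side note is easy to forget, so it is worth checking for afterwards. The following added example (not part of the original post) audits security group data in the shape returned by `aws ec2 describe-security-groups` for inbound rules that expose port 3389 to anything other than an approved source. The groups are constructed samples and the bastion address is an assumed placeholder.

```python
import ipaddress

RDP_PORT = 3389
# Assumption: the bastion host address used as the only approved RDP source.
APPROVED_SOURCES = [ipaddress.ip_network("10.0.1.25/32")]

# Constructed sample in the describe-security-groups output shape.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},
        {"IpProtocol": "tcp", "FromPort": 4172, "ToPort": 4172,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0ccc-example", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}


def covers_port(permission, port=RDP_PORT):
    """True when an inbound permission includes the given port."""
    protocol = permission.get("IpProtocol")
    if protocol == "-1":  # all protocols and all ports
        return True
    if protocol not in ("tcp", "udp"):
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535)


def classify(cidr, approved=APPROVED_SOURCES):
    """Label a source range relative to the approved RDP sources."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "open-to-world"
    if any(net.version == a.version and net.subnet_of(a) for a in approved):
        return "approved"
    return "broader-than-approved"


def audit_rdp(description):
    """Return (group id, source range, verdict) for every unapproved RDP source.

    Rules that reference other security groups or prefix lists are not evaluated.
    """
    findings = []
    for group in description.get("SecurityGroups", []):
        for permission in group.get("IpPermissions", []):
            if not covers_port(permission):
                continue
            cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                verdict = classify(cidr)
                if verdict != "approved":
                    findings.append((group["GroupId"], cidr, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_GROUPS):
        print(finding)
```

Note that the "all traffic" rule in the third sample group is reported even though it never names port 3389, which is the case a port-number search misses.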

Wrapping Up….

If everything in your WorkSpaces environment looks good but you are unable to connect, we do have methods available to us to troubleshoot connectivity issues from the end-user client.  Remember, don’t overlook the WorkSpaces client network icon…give it a quick glance to see if it is green or red.  We also have the capability to gain deep insight into a given connectivity issue by launching the WorkSpace client via the CLI with the -l3 flag to enable advanced logging.  In addition to the network icon and advanced logging, AWS has provided a means to enable and allow access to a WorkSpace using RDP as troubleshooting tool.

If all else fails, you can always try rebuilding the WorkSpace…..  😊

Source: https://virtualbonzo.com/2020/07/30/troubleshooting-amazon-workspace-connectivity-from-an-end-user-device/


Finding the Log Files

If you are running into packaging issues, check the log files.

The Amazon Studio log file contains every error that occurred when you packaged your application.

The Amazon Admin Player log file shows the files and registry keys captured and filtered to the package and any errors.

To see the Amazon WorkSpaces Application Manager Studio log file

  1. On the packaging instance, open the folder.

  2. Open the file.

To see the Amazon Admin Player log file

  1. In the Amazon WAM Admin Player, choose File and Options.

  2. In the Options dialog box, on the Log tab, choose View Log.

Source: https://docs.aws.amazon.com/wam/latest/adminguide/application_log_files.html

