Amazon WorkSpaces
Administration Guide

Troubleshooting Amazon WorkSpaces Issues

The following information can help you troubleshoot issues with your WorkSpaces.

Enabling Advanced Logging

You can enable advanced logging on any WorkSpaces client to help troubleshoot issues that your users may experience when they use the client. To enable advanced logging, open the WorkSpaces client, choose the gear icon in the upper right corner of the client application, choose Advanced Settings, select the Enable Advanced Logging check box, and then choose Save. Advanced logging is enabled for every subsequent client session until you disable it.

Advanced logging generates log files that contain diagnostic information and debugging-level details, including verbose performance data. These files are automatically uploaded to a database in AWS.

Note

To have AWS review the log files that are generated by advanced logging and to receive technical support for issues with your WorkSpaces clients, contact AWS Support. For more information, see AWS Support Center.

Troubleshooting for Specific Issues

The following information can help you troubleshoot specific issues with your WorkSpaces.

I can't create an Amazon Linux WorkSpace because there are invalid characters in the user name

For Amazon Linux WorkSpaces, user names are limited to 20 characters and can contain only letters, spaces, and numbers representable in UTF-8, plus the following special characters:

_.-#

Additionally, you can't use a dash symbol (-) as the first character of the user name.

Note

These limitations do not apply to Windows WorkSpaces. Windows WorkSpaces support the @ and - symbols for all characters in the user name.
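The Amazon Linux user name rules above can be checked before a bulk launch. The following is an added example, not AWS code: the function name is hypothetical, and it assumes the 20-character limit is counted in Unicode code points after NFC normalization and that "letters and numbers" means Unicode categories L* and N*.

```python
import unicodedata

MAX_LEN = 20             # limit stated in this guide
SPECIALS = set("_.-#")   # special characters allowed by this guide


def linux_username_problems(name):
    """Return the rule violations for an Amazon Linux WorkSpaces user name.

    An empty list means the name passes every rule.
    """
    # Assumption: compare on the composed (NFC) form, so that a letter typed
    # as base character + combining accent is still treated as one letter.
    name = unicodedata.normalize("NFC", name)
    if not name:
        return ["user name is empty"]
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_LEN}")
    if name[0] == "-":
        problems.append("first character is a dash")
    bad = sorted(
        {c for c in name
         if not (c == " " or c in SPECIALS
                 or unicodedata.category(c)[0] in "LN")}
    )
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    return problems
```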

Launching WorkSpaces in my connected directory often fails

Verify that the two DNS servers or domain controllers in your on-premises directory are accessible from each of the subnets that you specified when you connected to your directory. You can verify this connectivity by launching an EC2 instance in each subnet and joining the instance to your directory, using the IP addresses of the two DNS servers.

Launching WorkSpaces fails with an internal error

Check whether your subnets are configured to automatically assign IPv6 addresses to instances launched in the subnet. To check this setting, open the Amazon VPC console, select your subnet, and choose Subnet Actions, Modify auto-assign IP settings. If this setting is enabled, you cannot launch WorkSpaces using the Performance or Graphics bundles. Instead, disable this setting and specify IPv6 addresses manually when you launch your instances.

My users can't connect to a Windows WorkSpace with an interactive logon banner

Implementing an interactive logon message to display a logon banner prevents users from being able to access their Windows WorkSpaces. The interactive logon message Group Policy setting is not currently supported by Amazon WorkSpaces.

My users are having issues when they try to log on to BYOL WorkSpaces from WorkSpaces Web Access

BYOL WorkSpaces rely on a specific logon screen configuration to enable users to successfully log on from their Web Access client. To enable Web Access users to log on to their BYOL WorkSpaces, you must configure a Group Policy setting and a Local Security Policy setting. If these two settings are not correctly configured, users may experience long logon times or black screens when they try to log on to their BYOL WorkSpaces. To configure the settings, follow these steps.

To enable the WorkSpaces logon agent to switch users

In most cases, when a user attempts to log on to a WorkSpace, the user name field is prepopulated with the name of that user. However, if an administrator establishes an RDP connection to the WorkSpace to perform maintenance tasks, the user name field is populated with the name of the administrator instead. To resolve this issue, disable the Hide entry points for Fast User Switching Group Policy setting. When you do so, the WorkSpaces logon agent can use the Switch User button to populate the user name field with the correct name.

  1. Open Local Group Policy Editor by opening the command prompt as an administrator, typing gpedit.msc, and then pressing ENTER.

  2. In the console tree, choose Local Computer Policy, Computer Configuration, Administrative Templates, System, and Logon.

  3. Open the Hide entry points for Fast User Switching setting.

  4. In the Hide entry points for Fast User Switching dialog box, choose Disabled, and then choose OK.

To configure Local Security Policy Editor to hide the last logged on user name

By default, the list of last logged on users displays, rather than the Switch User button. Depending on the configuration of the WorkSpace, the list may not display the Other User tile. When this occurs, if the prepopulated user name isn't correct, the WorkSpaces logon agent can't populate the field with the correct name. To resolve this issue, enable the Interactive logon: Don't display last signed-in Local Security Policy setting.

  1. Open Local Security Policy Editor by opening the command prompt as an administrator, typing secpol.msc, and then pressing ENTER.

  2. In the console tree, choose Security Settings, Local Policies, and Security Options.

  3. Open one of the following settings:

    • For Windows 7 — Interactive logon: Do not display last user name

    • For Windows 10 — Interactive logon: Don't display last signed-in

  4. In the Properties dialog box for the setting, choose Enabled, and then choose OK.

No WorkSpaces in my directory can connect to the internet

WorkSpaces cannot communicate with the internet by default. You must explicitly provide internet access. For more information, see Provide Internet Access from Your WorkSpace.

I receive a "DNS unavailable" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory:

DNS unavailable (TCP port 53) for IP: dns-ip-address

AD Connector must be able to communicate with your on-premises DNS servers via TCP and UDP over port 53. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over this port.

I receive a "Connectivity issues detected" error when I try to connect to my on-premises directory

You receive an error message similar to the following when connecting to your on-premises directory:

Connectivity issues detected: LDAP unavailable (TCP port 389) for IP: ip-address
Kerberos/authentication unavailable (TCP port 88) for IP: ip-address
Please ensure that the listed ports are available and retry the operation.

AD Connector must be able to communicate with your on-premises domain controllers via TCP and UDP over the following ports. Verify that your security groups and on-premises firewalls allow TCP and UDP communication over these ports.

  • 88 (Kerberos)

  • 389 (LDAP)

I receive an "SRV record" error when I try to connect to my on-premises directory

You receive an error message similar to one or more of the following when connecting to your on-premises directory:

SRV record for LDAP does not exist for IP: dns-ip-address

SRV record for Kerberos does not exist for IP: dns-ip-address

AD Connector needs to obtain the _ldap._tcp.dns-domain-name and _kerberos._tcp.dns-domain-name SRV records when connecting to your directory. You will get this error if the service cannot obtain these records from the DNS servers that you specified when connecting to your directory. Make sure that your DNS servers contain these SRV records. For more information, see SRV Resource Records on Microsoft TechNet.
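The "DNS unavailable" and "SRV record" errors above can both be reproduced from an instance in each subnet by asking the specified DNS server for the two SRV records over TCP port 53. The following is an added example, not AWS code: the function names are hypothetical, it tests TCP only (UDP 53 still has to be verified separately), and it treats any answer to the query as proof that the record exists.

```python
import socket
import struct

SRV, IN, TXID = 33, 1, 0x5753  # QTYPE SRV, QCLASS IN, arbitrary transaction ID


def build_srv_query(name):
    """DNS SRV query for `name`, with the 2-byte length prefix used over TCP."""
    header = struct.pack("!6H", TXID, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!2H", SRV, IN)
    return struct.pack("!H", len(msg)) + msg


def parse_reply(msg):
    """Return (rcode, answer_count) from a DNS response without its prefix."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", msg[:12])
    if txid != TXID or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return flags & 0x000F, answers


def read_exact(sock, n):
    """Read exactly n bytes, or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def srv_exists(dns_ip, name, port=53, timeout=3.0):
    """True if the server at dns_ip returns at least one record for `name`."""
    with socket.create_connection((dns_ip, port), timeout=timeout) as s:
        s.sendall(build_srv_query(name))
        (length,) = struct.unpack("!H", read_exact(s, 2))
        rcode, answers = parse_reply(read_exact(s, length))
    return rcode == 0 and answers > 0


def preflight(dns_ip, domain, port=53):
    """Findings worded like the AD Connector errors; empty list = all passed."""
    findings = []
    for label, svc in (("LDAP", "ldap"), ("Kerberos", "kerberos")):
        try:
            if not srv_exists(dns_ip, f"_{svc}._tcp.{domain}", port):
                findings.append(f"SRV record for {label} does not exist for IP: {dns_ip}")
        except (OSError, ValueError) as exc:
            return [f"DNS unavailable (TCP port {port}) for IP: {dns_ip} ({exc})"]
    return findings
```

Call `preflight()` once per DNS server IP address, with the directory's DNS domain name as the second argument.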

My Windows WorkSpace goes to sleep when it's left idle

To resolve this issue, connect to the WorkSpace and change the power plan to High performance by using the following procedure:

  1. From the WorkSpace, open Control Panel, then choose Hardware and Sound.

  2. Under Power Options, choose Choose a power plan.

  3. In the Choose or customize a power plan pane, choose the High performance power plan. If this plan isn't visible, choose the arrow to the right of Show additional plans to display it.

If the preceding steps do not solve the issue, do the following:

  1. In the Choose or customize a power plan pane, choose the Change plan settings link to the right of the High performance power plan, then choose the Change advanced power settings link.

  2. In the Power Options dialog box, in the list of settings, choose the plus sign to the left of Hard disk to display the relevant settings.

  3. Verify that the Turn off hard disk after value for Plugged in is greater than the value for On battery (the default value is 20 minutes).

  4. Choose the plus sign to the left of PCI Express, and do the same for Link State Power Management.

  5. Verify that the Link State Power Management settings are Off.

  6. Choose OK (or Apply if you changed any settings) to close the dialog box.

  7. In the Change settings for the plan pane, if you changed any settings, choose Save changes.

One of my WorkSpaces has a state of "Unhealthy"

The Amazon WorkSpaces service periodically sends status requests to a WorkSpace. A WorkSpace is marked Unhealthy when it fails to respond to these requests. Common causes for this problem are:

  • An application on the WorkSpace is blocking network ports, which prevents the WorkSpace from responding to the status request.

  • High CPU utilization is preventing the WorkSpace from responding to the status request in a timely manner.

  • The computer name of the WorkSpace has been changed. This prevents a secure channel from being established between Amazon WorkSpaces and the WorkSpace.

You can attempt to correct the situation using the following methods:

  • Reboot the WorkSpace from the Amazon WorkSpaces console.

  • Connect to the unhealthy WorkSpace using the following procedure, which should be used only for troubleshooting purposes:

    1. Connect to an operational WorkSpace in the same directory as the unhealthy WorkSpace.

    2. From the operational WorkSpace, use Remote Desktop Protocol (RDP) to connect to the unhealthy WorkSpace using the IP address of the unhealthy WorkSpace. Depending on the extent of the problem, you might not be able to connect to the unhealthy WorkSpace.

    3. On the unhealthy WorkSpace, confirm that the minimum port requirements are met.

  • Rebuild the WorkSpace from the Amazon WorkSpaces console. Because rebuilding a WorkSpace can potentially cause a loss of data, this option should only be used if all other attempts to correct the problem have been unsuccessful.