Amazon WorkSpaces
User Guide

Troubleshooting Amazon WorkSpaces Client Issues

The following are common issues that you might have with your WorkSpaces client.

My WorkSpaces client gives me a network error, but I am able to use other network enabled apps on my device

The WorkSpaces client applications rely on access to resources in the AWS cloud and require a connection that provides at least 1 Mbps download bandwidth. If your device has an intermittent connection to the network, the WorkSpaces client application may report an issue with the network.

Amazon WorkSpaces enforces the use of digital certificates issued by Amazon Trust Services as of May 2018. Amazon Trust Services is already a trusted Root CA on the operating systems supported by Amazon WorkSpaces. If the Root CA list for your operating system is not up-to-date, your device cannot connect to WorkSpaces and the client gives a network error.

To recognize connection issues due to certificate failures

  • PCoIP zero clients — The following error message is displayed:

    Failed to connect. The server provided a certificate that is invalid. See below for details:
    - The supplied certificate is invalid due to timestamp
    - The supplied certificate is not rooted in the devices local certificate store
  • Other clients — The health checks fail with a red warning triangle for Internet.

Windows Client Application

Use one of the following solutions for certificate failures.

Solution 1: Update the client application

Download and install the latest Windows client application from Amazon WorkSpaces Client Downloads. During installation, the client application ensures that your operating system trusts certificates issued by Amazon Trust Services.

Solution 2: Add Amazon Trust Services to the local Root CA list

  1. Open

  2. Download the Starfield certificate in DER format (2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92).

  3. Open the Microsoft Management Console. (From a Command Prompt window, run mmc.)

  4. Choose File, Add/Remove Snap-in, Certificates, Add.

  5. On the Certificates snap-in page, select Computer account and choose Next. Keep the default, Local computer. Choose Finish. Choose OK.

  6. Expand Certificates (Local Computer) and select Trusted Root Certification Authorities. Choose Action, All Tasks, Import.

  7. Follow the wizard to import the certificate that you downloaded.

  8. Exit and restart the WorkSpaces client application.

Solution 3: Deploy Amazon Trust Services as a trusted CA using Group Policy

Add the Starfield certificate to the trusted Root CAs for the domain using Group Policy. For more information, see Use Policy to Distribute Certificates.

PCoIP Zero Clients

To connect directly to a WorkSpace using firmware version 6.0 or later, download and install the certificate issued by Amazon Trust Services.

To add Amazon Trust Services as a trusted Root CA

  1. Open

  2. Download the certificate under Starfield Certificate Chain with the thumpprint 14 65 FA 20 53 97 B8 76 FA A6 F0 A9 95 8E 55 90 E4 0F CC 7F AA 4F B7 C2 C8 67 75 21 FB 5F B6 58.

  3. Upload the certificate to the zero client. For more information, see Uploading Certificates in the Teradici documentation.

Other Client Applications

Add the Starfield certificate (2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92) from Amazon Trust Services. For more information about how to add a Root CA, see the following documentation:

It sometimes takes several minutes to log in to my WorkSpace

Group Policy settings set by your system administrator can cause a delay on login after your WorkSpace has been launched or rebooted. This delay occurs while the Group Policy settings are being applied to the WorkSpace and is normal.

Sometimes I am logged off of my WorkSpace, even though I closed the session, but did not log off

Your system administrator applied a new or updated Group Policy setting to your WorkSpace that requires a logoff of a disconnected session.

I can't connect to the Internet from my WorkSpace

WorkSpaces cannot communicate with the Internet by default. Your administrator must explicitly provide Internet access.

I installed a third-party security software package and now I can't connect to my WorkSpace

You can install any type of security or firewall software on your WorkSpace, but Amazon WorkSpaces requires that certain inbound and outbound ports are open on the WorkSpace. If the security or firewall software that you install blocks these ports, the WorkSpace might not function correctly or might become unreachable. For more information, see Port Requirements for Amazon WorkSpaces in the Amazon WorkSpaces Administration Guide.

To restore your WorkSpace, ask your administrator to rebuild your WorkSpace. You will have to re-install the software and properly configure port access for your WorkSpace.

I am getting a 'network connection is slow' warning when connected to my WorkSpace

If the roundtrip time from your client to your WorkSpace is longer than 100ms, you can still use your WorkSpace, but this may result in a poor experience. A slow roundtrip time can be caused by many factors, but the following are the most common:

  • You are too far from the AWS region that your WorkSpace resides in. For the best WorkSpace experience, you should be within 2000 miles of the AWS region that your WorkSpace is in.

  • Your network connection is inconsistent or slow. For the best experience, your network connection should provide at least 300 kbps, with capability to provide over 1 Mbps when viewing video or using graphics intensive applications on your WorkSpace.

I got an invalid certificate error on the client application. What does that mean?

The WorkSpaces client application validates the identity of the WorkSpaces service through an SSL certificate. If the root certificate authority of the Amazon WorkSpaces service cannot be verified, the client application displays an error and prevents any connection to the service. The most common cause is a proxy server that is removing the root certificate authority and returning an incomplete certificate to the client application. Contact your network administrator for additional help.

I'm having trouble when I try to connect to my WorkSpace using Web Access

Some WorkSpaces rely on a specific logon screen configuration to enable you to log on from your Web Access client. For example, depending on the type of WorkSpace, your network administrator may need to configure a Group Policy setting and a Local Security Policy setting to enable you to log on to your WorkSpace from your Web Access client. If these two settings are not correctly configured, you may experience long logon times or black screens when you try to log on to your WorkSpace. Contact your network administrator for additional help.

I see the following error message: "Your device is not able to connect to the WorkSpaces Registration service."

When registration service failure occurs, you might see the following error message on the Connection Health Check page: "Your device is not able to connect to the WorkSpaces Registration service. You will not be able to register your device with WorkSpaces. Please check your network settings."

This error occurs when the WorkSpaces client application can't reach the registration service. Typically, this happens when the WorkSpaces directory has been deleted. To resolve this error, make sure that the registration code is valid and corresponds to a running directory in the AWS cloud.