Solved

Citrix Xenapp 7.9 Federated Service assist needed.  Error at VDA.

Posted on 2016-08-16
  • Citrix
  • Active Directory
  • Encryption
  • Security
  • MS Server OS
Last Modified: 2016-10-25
Environment:
Netscaler NS11.1 47.14.nc
Xenapp 7.9
StoreFront 3.6
VDA 7.9 on W2k12R2
The current Radius+LDAP environment works. Need to convert to SAML.

I have followed some Citrix docs and other findings on the Citrix Federated Service setup. All looks good except that I am having an issue in the last mile of the XenApp 7.9 SAML setup. I get "The user name or password is incorrect" on the VDA.
In SAML there is no username and password. I am puzzled.

I worked with Citrix Support and we reviewed all the logs, which indicated that everything in Citrix FAS works all the way to the VDA. There are Event Log entries indicating a successful FAS assertion. After searching everywhere, there is only one entry that hints at a lead.
Security Log on VDA > Event ID: 4625
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC000040C
 
Web findings pointed to something Smart Card related, but we are not using Smart Cards; we are using Citrix FAS (certificates).

Below are the Security Audit Log entries from the VDA that occur before the failure (this is the order found in the Event Log):
[Application Log]
Information      8/16/2016 4:58:07 AM      Citrix.Authentication.IdentityAssertion      106      None
[Security Log]
Audit Failure              8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4625      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4634      Logoff
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4624      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4648      Logon

Any Idea?

Details of Logs below
----------------------------
Application Event ID 106
[S106] Identity Assertion Logon.  Logging in [Certificate: [Subject]
  CN=##### ####, OU=###, OU=######, DC=####, DC=com

[Issuer]
  CN=####-CA, DC=####, DC=com

[Serial Number]
  4C00#########################000FCA

[Not Before]
  8/14/2016 9:05:26 PM

[Not After]
  8/21/2016 9:05:26 PM

[Thumbprint]
  4A9FA###################FB7AB
]
------------------------------------------
Security Event ID 4625 (Audit Failure)
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            ########B01$
      Account Domain:            ########
      Logon ID:            0x3E7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            #####@#####.com
      Account Domain:            

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xC000006D
      Sub Status:            0xC000040C

Process Information:
      Caller Process ID:      0x226c
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      #######B01
      Source Network Address:      ###.###.###.###
      Source Port:            51255

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------------------------------------------
Security Event ID 4634 (Audit Success)
An account was logged off.

Subject:
      Security ID:            ##########\#####
      Account Name:            ######
      Account Domain:            #########
      Logon ID:            0xF##BC9

Logon Type:                  3

--------------------------------------------------
Security Event ID 4624 (Audit Success)
An account was successfully logged on.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #########B01$
      Account Domain:            #########
      Logon ID:            0x3E4

Logon Type:                  3

Impersonation Level:            Identification

New Logon:
      Security ID:            ########\#####
      Account Name:            #######
      Account Domain:            ###########
      Logon ID:            0xF##BC9
      Logon GUID:            {59d###################9e914b7}

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Workstation Name:      ##########B01
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            C
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------
Security Event ID 4648 (Audit Success)
A logon was attempted using explicit credentials.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #######B01$
      Account Domain:            ###########
      Logon ID:            0x3E4
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
      Account Name:            ####
      Account Domain:            ########
      Logon GUID:            {59d28################e914b7}

Target Server:
      Target Server Name:      localhost
      Additional Information:      localhost

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Network Address:      -
      Port:      
---------------------------------------------------------------------------
Question by:GGHC
4 Comments
Expert Comment

by:David Johnson, CD, MVP
ID: 41758771
Are you also monitoring FAILED events? No failed events in the Security Log?

Author Comment

by:GGHC
ID: 41758795
Yes, Audit Failure is enabled.
One of the logs is:

Security Event ID 4625 (Audit Failure)
An account failed to log on.

I did not come across any solution after doing Web search.

Accepted Solution

by:GGHC
ID: 41759540
Issue fixed. Had to do with Kerberos and CRL on the VDA. Applying the following resolved my issue.

HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: After you set this DWORD value to 1, the Kerberos clients (Smartcard logon clients) will ignore "revocation unknown" errors that are caused by an expired CRL.
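Editor's note with an added example (this is not code from the thread or from Citrix). The 4625 event in the question carries Status 0xC000006D, which is STATUS_LOGON_FAILURE, and Sub Status 0xC000040C, which is STATUS_REVOCATION_OFFLINE_KDC in ntstatus.h: the Kerberos client on the VDA could not determine the revocation status of the domain controller's certificate. A FAS logon is a certificate (PKINIT, virtual smart card) logon, which is why the web hits about smart cards applied and why a CRL-related fix resolved it. The registry value in the accepted solution does not repair that check; it tells the Kerberos client to use only a cached CRL and to treat "revocation unknown" as a pass, so a revoked DC certificate would still be accepted while its CRL is unreachable. The script below decodes the failing events, reports the current setting, tests CRL fetching for the DC certificate from the VDA (so the root cause, an unreachable or expired CRL, can be fixed instead), and only then applies the value from the thread. The code names in $NtStatusNames are from ntstatus.h; the path C:\Temp\dc.cer is an assumed location for an exported copy of the DC certificate.

```powershell
# Added example, not part of the original thread. Run on the VDA from an elevated
# PowerShell prompt. Names in $NtStatusNames are from ntstatus.h; $DcCertPath is an
# assumed path to an exported copy of the domain controller's certificate.

$NtStatusNames = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000394' = 'STATUS_SMARTCARD_CERT_REVOKED'
    '0xC0000396' = 'STATUS_REVOCATION_OFFLINE_C'      # user cert revocation status unknown
    '0xC000040C' = 'STATUS_REVOCATION_OFFLINE_KDC'    # DC cert revocation status unknown (this thread)
    '0xC000040D' = 'STATUS_ISSUING_CA_UNTRUSTED_KDC'
    '0xC000040E' = 'STATUS_KDC_CERT_EXPIRED'
    '0xC000040F' = 'STATUS_KDC_CERT_REVOKED'
}

function Get-PkinitLogonFailure {
    # 1. Decode recent 4625 events. FAS logons are PKINIT (virtual smart card) logons,
    #    so their Status/SubStatus come from the smart-card and KDC-certificate ranges.
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # The event stores the codes as lowercase hex strings (e.g. 0xc000040c);
            # hashtable key lookup in PowerShell is case-insensitive, so no normalisation needed.
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = $data['TargetUserName']
                LogonType     = $data['LogonType']        # 10 = RemoteInteractive (HDX session)
                Status        = $data['Status']
                StatusName    = $NtStatusNames[$data['Status']]
                SubStatus     = $data['SubStatus']
                SubStatusName = $NtStatusNames[$data['SubStatus']]
                Process       = $data['ProcessName']
            }
        }
}

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

function Get-KerberosRevocationPolicy {
    # 2. Current setting. Absent means the default (0): "revocation unknown" fails the logon.
    $p = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { 0 } else { [int]$p.$ValueName }
}

function Test-DcCertificateRevocation {
    # 3. Before relaxing the check, find out why revocation could not be determined: fetch
    #    the CDP/AIA URLs of the DC certificate from this VDA, as the Kerberos client would.
    param([string]$DcCertPath = 'C:\Temp\dc.cer')   # assumed: DC cert exported with certlm.msc
    if (-not (Test-Path $DcCertPath)) { throw "Export the DC certificate to $DcCertPath first" }
    certutil.exe -verify -urlfetch $DcCertPath 2>&1 |
        Where-Object { $_ -match 'Revocation|CRL|Verified|ERROR' }
}

function Set-KerberosRevocationPolicy {
    # 4. The fix from the accepted answer: Kerberos clients use only a cached CRL and
    #    treat "revocation unknown" as success. Run Get-PkinitLogonFailure after the next logon.
    param([ValidateSet(0, 1)][int]$Value = 1)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-KerberosRevocationPolicy
}

# Usage
Get-PkinitLogonFailure | Where-Object SubStatus -eq '0xC000040C' |
    Format-Table Time, User, LogonType, StatusName, SubStatusName
"Current policy value: $(Get-KerberosRevocationPolicy)"
# Test-DcCertificateRevocation            # fix what this reports before relaxing the check
# Set-KerberosRevocationPolicy -Value 1   # the thread's workaround, if the CRL cannot be made reachable
```

If Test-DcCertificateRevocation shows the CRL distribution point failing to download or an expired CRL, fixing DNS, firewall reachability from the VDA subnet, or CA CRL publishing removes the 0xC000040C failures without the registry value, and the revocation check stays in force.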

Author Closing Comment

by:GGHC
ID: 41769957
Reg Key fixed issue