GGHC
Citrix Xenapp 7.9 Federated Service assist needed. Error at VDA.
Environment:
Netscaler NS11.1 47.14.nc
Xenapp 7.9
StoreFront 3.6
VDA 7.9 on W2k12R2
The current Radius+LDAP environment works. Need to convert to SAML.
I have followed some Citrix docs and other findings on the Citrix Federated Service setup. All looks good except I am having an issue in the last mile of the Xenapp 7.9 SAML setup. I get "The user name or password is incorrect" on the VDA.
In SAML there is no username and password. I am puzzled.
I worked with Citrix Support and we reviewed all the logs, which indicated everything in Citrix FAS works all the way to the VDA. There are Event Logs indicating successful FAS Assertion. There is only one entry, after searching everywhere, that hints at a lead.
Security Logs on VDA> Event ID: 4625
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC000040C
Web findings pointed to Smart Card related issues, but we are not using Smart Card, we are using the Citrix FAS (Certificates).
Below are Security Audit Logs from VDA that occur before the failure (This is the order found in the Event Log)
[Application Log]
Information 8/16/2016 4:58:07 AM Citrix.Authentication.IdentityAssertion 106 None
[Security Log]
Audit Failure 8/16/2016 4:58:07 AM Microsoft Windows security auditing. 4625 Logon
Audit Success 8/16/2016 4:58:07 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 8/16/2016 4:58:07 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 8/16/2016 4:58:07 AM Microsoft Windows security auditing. 4648 Logon
Any Idea?
Details of Logs below
--------------------------
Application Event ID 106
[S106] Identity Assertion Logon. Logging in [Certificate: [Subject]
CN=##### ####, OU=###, OU=######, DC=####, DC=com
[Issuer]
CN=####-CA, DC=####, DC=com
[Serial Number]
4C00#########################000FCA
[Not Before]
8/14/2016 9:05:26 PM
[Not After]
8/21/2016 9:05:26 PM
[Thumbprint]
4A9FA###################FB7AB
]
--------------------------
Security Event ID 4625 <Audit Failure
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: ########B01$
Account Domain: ########
Logon ID: 0x3E7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: #####@#####.com
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC000040C
Process Information:
Caller Process ID: 0x226c
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: #######B01
Source Network Address: ###.###.###.###
Source Port: 51255
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
--------------------------
Security Event ID 4634 <Audit Success
An account was logged off.
Subject:
Security ID: ##########\#####
Account Name: ######
Account Domain: #########
Logon ID: 0xF##BC9
Logon Type: 3
--------------------------
Security Event ID 4624 <Audit Success
An account was successfully logged on.
Subject:
Security ID: NETWORK SERVICE
Account Name: #########B01$
Account Domain: #########
Logon ID: 0x3E4
Logon Type: 3
Impersonation Level: Identification
New Logon:
Security ID: ########\#####
Account Name: #######
Account Domain: ###########
Logon ID: 0xF##BC9
Logon GUID: {59d###################9e914b7}
Process Information:
Process ID: 0xd5c
Process Name: C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe
Network Information:
Workstation Name: ##########B01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: C
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
--------------------------
Security Event ID 4648 <Audit Success
A logon was attempted using explicit credentials.
Subject:
Security ID: NETWORK SERVICE
Account Name: #######B01$
Account Domain: ###########
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ####
Account Domain: ########
Logon GUID: {59d28################e914b7}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xd5c
Process Name: C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe
Network Information:
Network Address: -
Port:
--------------------------
Are you also monitoring FAILED events? No failed events in the Security Log?
ASKER
Yes, Audit Failure is enabled.
One of the logs is:
Security Event ID 4625 <Audit Failure
An account failed to log on.
I did not come across any solution after doing a Web search.
ASKER
Reg Key fixed issue