• Status: Solved
  • Priority: Medium

Citrix Xenapp 7.9 Federated Service assist needed. Error at VDA.

Environment:
Netscaler NS11.1 47.14.nc
Xenapp 7.9
StoreFront 3.6
VDA 7.9 on W2k12R2
The current Radius+LDAP environment works. Need to convert to SAML.

I have followed some Citrix docs and other findings on the Citrix Federated Service setup. All looks good except that I am having an issue in the last mile of the Xenapp 7.9 SAML setup. I get "The user name or password is incorrect" on the VDA.
In SAML there is no username and password. I am puzzled.

I worked with Citrix Support and we reviewed all the logs, which indicated that everything in Citrix FAS works all the way to the VDA. There are Event Logs indicating a successful FAS assertion. There is only one entry, after searching everywhere, that hints at a lead.
Security Log on VDA > Event ID: 4625
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC000040C
 
Web findings pointed to something Smart Card related, but we are not using Smart Cards; we are using Citrix FAS (certificates).

Below are the Security Audit Log entries from the VDA that occur before the failure (this is the order found in the Event Log):
[Application Log]
Information      8/16/2016 4:58:07 AM      Citrix.Authentication.IdentityAssertion      106      None
[Security Log]
Audit Failure              8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4625      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4634      Logoff
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4624      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4648      Logon

Any idea?

Details of Logs below
----------------------------
Application Event ID 106
[S106] Identity Assertion Logon.  Logging in [Certificate: [Subject]
  CN=##### ####, OU=###, OU=######, DC=####, DC=com

[Issuer]
  CN=####-CA, DC=####, DC=com

[Serial Number]
  4C00#########################000FCA

[Not Before]
  8/14/2016 9:05:26 PM

[Not After]
  8/21/2016 9:05:26 PM

[Thumbprint]
  4A9FA###################FB7AB
]
------------------------------------------
Security Event ID 4625 (Audit Failure)
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            ########B01$
      Account Domain:            ########
      Logon ID:            0x3E7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            #####@#####.com
      Account Domain:            

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xC000006D
      Sub Status:            0xC000040C

Process Information:
      Caller Process ID:      0x226c
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      #######B01
      Source Network Address:      ###.###.###.###
      Source Port:            51255

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------------------------------------------
Security Event ID 4634 (Audit Success)
An account was logged off.

Subject:
      Security ID:            ##########\#####
      Account Name:            ######
      Account Domain:            #########
      Logon ID:            0xF##BC9

Logon Type:                  3

--------------------------------------------------
Security Event ID 4624 (Audit Success)
An account was successfully logged on.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #########B01$
      Account Domain:            #########
      Logon ID:            0x3E4

Logon Type:                  3

Impersonation Level:            Identification

New Logon:
      Security ID:            ########\#####
      Account Name:            #######
      Account Domain:            ###########
      Logon ID:            0xF##BC9
      Logon GUID:            {59d###################9e914b7}

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Workstation Name:      ##########B01
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            C
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------
Security Event ID 4648 (Audit Success)
A logon was attempted using explicit credentials.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #######B01$
      Account Domain:            ###########
      Logon ID:            0x3E4
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
      Account Name:            ####
      Account Domain:            ########
      Logon GUID:            {59d28################e914b7}

Target Server:
      Target Server Name:      localhost
      Additional Information:      localhost

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Network Address:      -
      Port:      
---------------------------------------------------------------------------
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
Are you also monitoring FAILED events? No failed events in the Security Log?
GGHC (Author) commented:
Yes, Audit Failure is enabled.
One of the logs is:

Security Event ID 4625 (Audit Failure)
An account failed to log on.

I did not come across any solution after doing a Web search.
GGHC (Author) commented:
Issue fixed. It had to do with Kerberos and the CRL on the VDA. Applying the following resolved my issue.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: After you set this DWORD value to 1, the Kerberos clients (Smartcard logon clients) will ignore "revocation unknown" errors that are caused by an expired CRL.
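Added example, not from the thread or from Citrix: a PowerShell script for the VDA that looks for the 4625 signature the poster saw (Status 0xC000006D / Sub Status 0xC000040C) and reports, or with -Apply sets, the Kerberos registry value from the fix above. It assumes it runs elevated on the VDA (Windows Server 2012 R2 here); the event field names are the standard 4625 EventData fields.

```powershell
param([switch]$Apply)   # without -Apply the script only reports, it changes nothing

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$regName = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

# 1. Pull recent 4625 failures from the Security log and keep the ones that carry
#    the status/substatus pair from the thread (logon type 10 via winlogon.exe).
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
            Status    = $d['Status']
            SubStatus = $d['SubStatus']
            Process   = $d['ProcessName']
        }
    } |
    Where-Object { $_.Status -eq '0xc000006d' -and $_.SubStatus -eq '0xc000040c' }

if ($hits) {
    Write-Host "Found $(@($hits).Count) logon failure(s) matching the FAS/CRL signature:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No 4625 events with Status 0xC000006D / SubStatus 0xC000040C found.'
}

# 2. Report the current state of the Kerberos CRL workaround value.
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
Write-Host "$regName is currently: $(if ($null -eq $current) { '<not set>' } else { $current })"

# 3. Change it only when asked. Value 1 makes the Kerberos client ignore
#    "revocation unknown" errors, so it weakens revocation checking: confirm the
#    CRL distribution point in the FAS certificate is reachable from the VDA
#    (certutil -verify -urlfetch <cert.cer>) before relying on this workaround.
if ($Apply -and $current -ne 1) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$regName set to 1."
}
```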
GGHC (Author) commented:
Reg key fixed the issue.