Solved

Citrix Xenapp 7.9 Federated Service assist needed.  Error at VDA.

Posted on 2016-08-16
4
60 Views
Last Modified: 2016-10-25
Environment:
Netscaler NS11.1 47.14.nc
Xenapp 7.9
StoreFront 3.6
VDA 7.9 on W2k12R2
The current Radius+LDAP environment works. Need to convert to SAML.

I have followed some Citrix docs and other findings on the Citrix Federated Service setup. All looks good except I am having an issue in the last mile of the Xenapp 7.9 SAML setup. I get "The user name or password is incorrect" on the VDA.
In SAML there is no username and password. I am puzzled.

I worked with Citrix Support and we reviewed all the logs, which indicated everything in Citrix FAS works all the way to the VDA. There are Event Logs indicating a successful FAS assertion. There is only one entry, after searching everywhere, that hints at a lead.
Security Log on VDA > Event ID: 4625
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC000040C
 
Web findings pointed to something Smart Card related, but we are not using Smart Cards; we are using Citrix FAS (certificates).

Below are the Security Audit Logs from the VDA that occur before the failure (this is the order found in the Event Log):
[Application Log]
Information      8/16/2016 4:58:07 AM      Citrix.Authentication.IdentityAssertion      106      None
[Security Log]
Audit Failure              8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4625      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4634      Logoff
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4624      Logon
Audit Success      8/16/2016 4:58:07 AM      Microsoft Windows security auditing.      4648      Logon

Any Idea?

Details of Logs below
----------------------------
Application Event ID 106
[S106] Identity Assertion Logon.  Logging in [Certificate: [Subject]
  CN=##### ####, OU=###, OU=######, DC=####, DC=com

[Issuer]
  CN=####-CA, DC=####, DC=com

[Serial Number]
  4C00#########################000FCA

[Not Before]
  8/14/2016 9:05:26 PM

[Not After]
  8/21/2016 9:05:26 PM

[Thumbprint]
  4A9FA###################FB7AB
]
------------------------------------------
Security Event ID 4625 (Audit Failure)
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            ########B01$
      Account Domain:            ########
      Logon ID:            0x3E7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            #####@#####.com
      Account Domain:            

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xC000006D
      Sub Status:            0xC000040C

Process Information:
      Caller Process ID:      0x226c
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      #######B01
      Source Network Address:      ###.###.###.###
      Source Port:            51255

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------------------------------------------
Security Event ID 4634 (Audit Success)
An account was logged off.

Subject:
      Security ID:            ##########\#####
      Account Name:            ######
      Account Domain:            #########
      Logon ID:            0xF##BC9

Logon Type:                  3

--------------------------------------------------
Security Event ID 4624 (Audit Success)
An account was successfully logged on.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #########B01$
      Account Domain:            #########
      Logon ID:            0x3E4

Logon Type:                  3

Impersonation Level:            Identification

New Logon:
      Security ID:            ########\#####
      Account Name:            #######
      Account Domain:            ###########
      Logon ID:            0xF##BC9
      Logon GUID:            {59d###################9e914b7}

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Workstation Name:      ##########B01
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            C
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

---------------------------------
Security Event ID 4648 (Audit Success)
A logon was attempted using explicit credentials.

Subject:
      Security ID:            NETWORK SERVICE
      Account Name:            #######B01$
      Account Domain:            ###########
      Logon ID:            0x3E4
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
      Account Name:            ####
      Account Domain:            ########
      Logon GUID:            {59d28################e914b7}

Target Server:
      Target Server Name:      localhost
      Additional Information:      localhost

Process Information:
      Process ID:            0xd5c
      Process Name:            C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe

Network Information:
      Network Address:      -
      Port:      
---------------------------------------------------------------------------
Question by:GGHC
4 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41758771
Are you also monitoring FAILED events? No failed events in the Security Log?
0
 

Author Comment

by:GGHC
ID: 41758795
Yes, Audit Failure is enabled.
One of the logs is:

Security Event ID 4625 (Audit Failure)
An account failed to log on.

I did not come across any solution after doing a Web search.
0
 

Accepted Solution

by: GGHC (earned 0 total points)
ID: 41759540
Issue fixed. Had to do with Kerberos and CRL on the VDA. Applying the following resolved my issue.

HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: After you set this DWORD value to 1, the Kerberos clients (Smartcard logon clients) will ignore "revocation unknown" errors that are caused by an expired CRL.
0
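Added example (my own, not from GGHC's post or from Citrix): a PowerShell check for the VDA that surfaces 4625 events carrying the Status/Sub Status pair quoted in the question and reports whether the registry value from the accepted solution is present. Function names and the 200-event window are my assumptions.

```powershell
# Added example (not from the original post): on the VDA, confirm the failure
# signature from the question (4625 with Status 0xC000006D / Sub Status 0xC000040C)
# and show whether the Kerberos CRL value from the accepted solution is applied.
# Run in an elevated PowerShell session on the VDA; reading the Security log needs admin.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters'
$RegName   = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
$Status    = '0xc000006d'   # values taken from the 4625 event in the question
$SubStatus = '0xc000040c'

function Get-CertLogonFailures {
    param([int]$MaxEvents = 200)
    # Pull recent 4625 events and keep only those matching the page's status/sub-status pair.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d['Status'] -eq $Status -and $d['SubStatus'] -eq $SubStatus) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = $d['TargetUserName']
                    LogonType = $d['LogonType']
                    Process   = $d['ProcessName']
                }
            }
        }
}

function Get-KerberosCrlWorkaroundState {
    $v = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    if ($null -eq $v)   { 'not set (revocation-unknown errors fail the logon)' }
    elseif ($v -eq 1)   { 'set to 1 (revocation-unknown errors from a stale CRL are ignored)' }
    else                { "set to $v" }
}

function Enable-KerberosCrlWorkaround {
    # Applies the DWORD from the accepted solution. It relaxes revocation checking,
    # so treat it as a workaround until a current CRL is reachable from the VDA.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-CertLogonFailures | Format-Table -AutoSize
Get-KerberosCrlWorkaroundState
# Enable-KerberosCrlWorkaround   # uncomment to apply the accepted solution's value
```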
 

Author Closing Comment

by:GGHC
ID: 41769957
Reg Key fixed issue
0