
Citrix FAS - Trusted domain kerberos errors


Martin Doverty1709161015

Question

We have Citrix servers (1903) and users in domain A. There is a two-way trust with all domains mentioned below.

When users in domain A log on to StoreFront, a certificate is issued and the logon is completed using this certificate by means of Citrix FAS.

When users in domain B try to log on, a certificate is issued but an error message is received in the system event log on the VDA, Security-Kerberos: A certificate chain could not be built to a trusted root authority. When checking the user certificate that has been issued on the VDA using certutil -urlfetch -verify certname.cer there are no errors.

When users in domain C try to log on, a certificate is issued but an error message is received in the system event log on the VDA, Security-Kerberos: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. When checking the user certificate that has been issued on the VDA using certutil -urlfetch -verify certname.cer there are no errors.

The CA issuing the CitrixSmartCardLogon certificates is in domain A, and the FAS server is also here.

The intermediate and root certificates are installed on the VDA.

The users from domains B and C have been added to the FAS rule ACL, and the servers have been added to the other domains' Windows Authorization Access Group.


3 answers to this question

1 minute ago, Carl Stalhood1709151912 said:

Are the root certificate and intermediate certificates imported to the NTAuth Certificate Store in each domain? https://support.microsoft.com/en-us/help/295663/how-to-import-third-party-certification-authority-ca-certificates-into

Hi Carl,

The issuing CA's intermediate and root CA (from domain A) certificates are not currently in the other trusted domains' NTAuth stores.

I was trying to comprehend whether they would be required here, but perhaps the domain controllers in B and C will be checking them as part of processing a logon, and thus they would be required?

Thanks,

Martin

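The check Carl asks about, as an added example that is not part of the thread: build the chain of a FAS-issued user certificate exported from the VDA, then read the NTAuthCertificates object in each trusted domain's Configuration partition and report which issuing CA certificates are missing there. The certificate path and the domain names are placeholders, and the script assumes an account that can read the Configuration partition of each domain.

```powershell
# Added example, not from the thread. Placeholders: user.cer (FAS-issued user
# certificate exported from the VDA) and the three domain DNS names.
param(
    [string]$UserCertPath = '.\user.cer',
    [string[]]$Domains    = @('domainA.example', 'domainB.example', 'domainC.example')
)

# Build the chain the way the VDA would, so we know which CA thumbprints
# every domain must trust. Revocation is left to certutil -urlfetch -verify.
$userCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath
$chain    = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($userCert)   # elements are filled even if Build returns $false

# Element 0 is the user (leaf) certificate; the rest are the issuing CA(s) and the root.
$caCerts = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }

foreach ($domain in $Domains) {
    # Locate that domain's Configuration partition via RootDSE, then the NTAuth object in it.
    $rootDse  = [ADSI]"LDAP://$domain/RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://$domain/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

    # cACertificate is multi-valued; each value is one DER-encoded CA certificate.
    $published = foreach ($raw in $ntAuth.Properties['cACertificate']) {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)).Thumbprint
    }

    foreach ($ca in $caCerts) {
        $status = if ($published -contains $ca.Thumbprint) { 'present' } else { 'MISSING' }
        '{0,-22} {1,-8} {2}' -f $domain, $status, $ca.Subject
    }
}
```

A CA reported as MISSING for domain B or C is what the linked Microsoft article addresses with certutil -dspublish -f <cacert.cer> NTAuthCA, run against that domain; the domain controllers pick the change up on their next replication and Group Policy refresh.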
