
[S104] Identity Assertion Logon failed. Failed to connect to Federated Authentication Service: UserCredentialService [Address:FAS-01][Index: 0] [Error: Access Denied ]


Yunus Kayhan1709158348

Question

Hi,

 

I've set up Citrix Federated Authentication at a customer site with NetScaler and Azure MFA. We're seeing an issue logging on to the VDA where the logon screen prompts that there aren't sufficient resources available and SSO fails. After clicking OK I can log on with my credentials. When checking the Event Viewer, I see multiple Citrix Authentication Identity Assertion messages, of which the first one has failed. See attachment.


(Attachment: IdentityAssertion.png, screenshot of the Event Viewer entries)


The error message contains the following:

 

[S104] Identity Assertion Logon failed.  Failed to connect to Federated Authentication Service: UserCredentialService [Address: xxx.fas-01.xxx.local][Index: 0] [Error: Access Denied 
Server stack trace: 
   bij System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   bij System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   bij System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   bij System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   bij System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   bij System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   bij Citrix.Authentication.UserCredentialServices.IConvertCredentials.CheckAvailableCredentials(String cookie, String& upn, String& userSid)
   bij Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass31_0.<QueryLogonMethod>b__0()]

 

We're running Virtual Desktop 1906.2 on top of Windows 10 1903. XML trust is set up on the Delivery Controllers. FAS is enabled on a specific store. I've set up a GPO with the DNS entries of the FAS servers. No error messages on the FAS servers, and the CA has issued a certificate. So I don't see anything wrong on the site.

 

I can't seem to figure out what is causing this. Any help is much appreciated.

 

 

With kind regards.


8 answers to this question


Hi,

Let's break it down for ease of troubleshooting:
- When you reproduce the issue, do you see event ID 105 and then 204 getting logged on the FAS?
- If the answer is no, we need to focus on FAS /CA/SF side configuration 
- If answer is yes then CA and FAS are working as intended and we can focus on VDA and logon process
- Event 204 will log user name and VDA to which certificate was handed over (Do validate this once)

If events are getting logged, perform the steps below:
•    Reproduce the issue
•    On FAS run: Get-FasUserCertificate -UserPrincipalName user@test.com -Address FAS@domain.com (edit command based on your domain name and username)
•    Copy the cmd output into Notepad --> save it as a .cer file and move it to the VDA
•    On VDA run: certutil -verify -urlfetch test.cer

Check whether the cert is validated correctly or not. Look if you see errors against the AIA and CRL checks!
If this does not work, we can go for CAPI2 logging (on VDA and DC) and network trace (on VDA) as next steps.

Hope this helps.

Cheers,
Aseem

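The three checks in Aseem's answer (events 105 and 204 on the FAS server, export of the user certificate, certutil chain/AIA/CRL validation) can be run as one script. The script below is an added example for this thread; it is not code from the thread, from Citrix, or from the FAS product. It assumes three things the thread does not state: that the FAS snap-in is named Citrix.Authentication.FederatedAuthenticationService.V1, that events 105 and 204 land in the Application log on the FAS server, and that Get-FasUserCertificate returns objects whose .Certificate property holds the base64-encoded certificate. The certutil keyword filter at the end is a heuristic, not a documented output contract.

```powershell
<#
  Added example, not code from the thread or from Citrix: runs Aseem's three
  FAS checks in order. Run on the FAS server; the .cer it writes is then copied
  to the VDA for the certutil step (or run the whole thing on the VDA with the
  .cer already in place).
  Assumptions not stated in the thread:
    - snap-in name Citrix.Authentication.FederatedAuthenticationService.V1
    - FAS events 105 / 204 are written to the Application log
    - Get-FasUserCertificate output has a .Certificate base64 property
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,        # e.g. user@test.com
    [Parameter(Mandatory)] [string] $FasAddress,               # FAS server FQDN
    [string] $CerPath = (Join-Path $env:TEMP 'fas-user.cer'),
    [int]    $LookbackMinutes = 15
)

$ErrorActionPreference = 'Stop'
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 -ErrorAction SilentlyContinue

# --- Check 1: after reproducing the issue, were 105 and then 204 logged? ---
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 105, 204; StartTime = $since } `
            -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$have105 = $events | Where-Object Id -eq 105
$have204 = $events | Where-Object Id -eq 204
if (-not $have105 -or -not $have204) {
    Write-Warning "Events 105 and 204 not both present in the last $LookbackMinutes min: focus on FAS / CA / StoreFront configuration."
    return
}
Write-Host "FAS issued a certificate (105) and handed it over (204): focus on the VDA and the logon process."
# Event 204 names the user and the VDA the certificate went to; confirm it is the expected pair.
$have204 | Select-Object -Last 1 -ExpandProperty Message | Write-Host

# --- Check 2: export the user's certificate (Aseem's Get-FasUserCertificate step) ---
$fasCert = Get-FasUserCertificate -UserPrincipalName $UserPrincipalName -Address $FasAddress |
           Select-Object -First 1
if (-not $fasCert) {
    Write-Warning "No certificate found for $UserPrincipalName on $FasAddress."
    return
}

$pem = [string]$fasCert.Certificate      # assumption: base64 body, possibly without PEM armour
if ($pem -notmatch 'BEGIN CERTIFICATE') {
    $pem = "-----BEGIN CERTIFICATE-----`n$pem`n-----END CERTIFICATE-----"
}
Set-Content -Path $CerPath -Value $pem -Encoding ASCII
Write-Host "Certificate written to $CerPath"

# --- Check 3: chain, AIA and CRL validation with certutil (run on the VDA) ---
$verify = & certutil.exe -verify -urlfetch $CerPath 2>&1
# Heuristic: certutil reports fetch / revocation problems with lines containing
# 'ERROR', 'Failed "AIA"', 'Failed "CDP"' or a revocation-status message.
$problems = $verify | Where-Object { $_ -match 'ERROR|Failed\s+"(AIA|CDP|OCSP)"|revocation' }
if ($problems) {
    Write-Warning "certutil reported AIA/CRL/chain problems; check the CDP and AIA URLs in the certificate are reachable from the VDA:"
    $problems | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "certutil verified the certificate cleanly; next steps are CAPI2 logging (VDA and DC) and a network trace on the VDA."
}
```

Usage: `.\Test-FasUserCert.ps1 -UserPrincipalName user@test.com -FasAddress fas-01.example.local` (file name and FQDN are placeholders). The script stops at the first check that fails, mirroring the branch Aseem describes: no 105/204 pair means the problem is on the FAS, CA or StoreFront side; a clean pair plus certutil errors points at CRL/AIA reachability from the VDA, which is exactly what the later reply about a changed CRL name and load-balancer IPs found.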
On 12/19/2019 at 1:58 PM, Yunus Kayhan1709158348 said:

Hi Aseem,

 

Thank you for the quick reply. Events 105 and 204 are getting logged on the FAS and there are no error messages on the FAS servers. I've also validated the cer file and it also seems to be fine. 

 

Any more tips would be great.

 

Thnx

 

Hello,

 

did you get anywhere with this? We are facing a similar situation. Thank you.

On 12/19/2019 at 8:00 AM, Aseem Shaikh said: (quoting the troubleshooting steps from Aseem's answer above)


Thanks Aseem! This helped me identify the change in our CRL name and load balancer IPs.

On 12/19/2019 at 7:00 AM, Aseem Shaikh said: (quoting the troubleshooting steps from Aseem's answer above)

This was the best FAS troubleshooting advice I've seen!!!
