
Linux VDA 1912 on Ubuntu - getting "Invalid Login" when trying to authenticate using FAS


Koenraad Willems

Question

Hi,

 

We have a CVAD environment, all Windows VDI desktops, but I am now trying to get Linux VDA to work.

Environment:

  • CVAD 1903 - using VDI exclusively (XenDesktop)
  • Ubuntu 18.04.3 LTS with VDA 1912 LTSR
    Correctly joined to the AD domain using Winbind
    Linux VDA is set up correctly and is registered with the broker
  • Using FAS 1903
    FAS setup works correctly for the Windows VDI desktops, SSO into the desktop works using user certificates
  • Connecting in from external, using NetScaler 12.1
    This also works correctly for the Windows VDI desktops, in combination with FAS

 

When I log on to the desktop, I get an "Invalid Login" message box. I have seen the troubleshooting documentation about this, which mentions it is related to the root CA certificate:

https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration/federated-authentication-service.html#troubleshooting

However, the root CA certificate is added correctly. I do have to add that it is an internally signed one, and the FAS servers have a certificate based off of that root CA. I'm not sure if that is the issue.

 

Here is an excerpt from the hdx log:

 

2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: receive_data: Entry
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: receive_data: message received; type=4, length=606, data=0x5623ee29f520, seq = 0
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: receive_data: XFrame: Begin Logon(usr='koenraad_8LJ4GH@xxxxx.com', Not Anonymous session , prompt=0, isReconnect=0, credentialsType is 2, client='HTML-    6271-6147')
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: Audit_login_box: Not yet implemented
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: receive_data: FAS login...
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: workaround_username: The input username is koenraad_8LJ4GH@xxxxx.com.
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: workaround_username: The stricpy name is koenraad_8LJ4GH, domain is xxxxxx, realm is xxxxx.com.
2020-02-17 10:02:09.189 <P2627:S2> citrix-ctxlogin: workaround_username: Workaround passwd entry is gdaas\koenraad_8LJ4GH.
2020-02-17 10:02:09.190 <P2587:S2> citrix-ctxgfx: ConfDBQueryValueEx: Query value: System\CurrentControlSet\Control\Citrix\Thinwire\ MaxLatency error OBJECT_NAME_NOT_FOUND
2020-02-17 10:02:09.190 <P2587:S2> citrix-ctxgfx: GfxGetThinwireSetting: Unable to read value for key: MaxLatency
2020-02-17 10:02:14.035 <P2587:S2> citrix-ctxgfx: ConfDBQueryValueEx: Query value: Software\Citrix\Ica\Session\2\Connection\ UserName error OBJECT_NAME_NOT_FOUND
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: workaround_username: Passwd entry found : pPwd->(name='XXXXX\koenraad_8lj4gh'; dir='/home/XXXXX/koenraad_8lj4gh'')
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: workaround_username: The output username is koenraad_8LJ4GH@XXXXX.COM.
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: receive_data: workaround username is koenraad_8LJ4GH@XXXXX.COM
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: LoginBoxValidate: cred_type [2],about to validate user 'koenraad_8LJ4GH@XXXXX.COM'
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: validate_user: Entry, uid=999, euid=999.
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: validate_user: [Logon Type] Federated Authentication Logon.
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: LoginFasValidate: entry.
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: start_fas: entry, fas_index = 1
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: entry.
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.324 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: exit.
2020-02-17 10:02:15.325 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: entry.
2020-02-17 10:02:15.325 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.334 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: exit.
2020-02-17 10:02:15.334 <P2627:S2> citrix-ctxlogin: start_fas: exit, fas channel is ready.
2020-02-17 10:02:15.334 <P2627:S2> citrix-ctxlogin: obtain_certificate_handle: entry.
2020-02-17 10:02:15.334 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.349 <P2627:S2> citrix-ctxlogin: obtain_certificate_handle: exit.
2020-02-17 10:02:15.349 <P2627:S2> citrix-ctxlogin: LoginFasValidate: exit, check success.
2020-02-17 10:02:15.351 <P2627:S2> citrix-ctxlogin: pam_callback: Entry 1 messages
2020-02-17 10:02:15.351 <P2627:S2> citrix-ctxlogin: pam_callback: msg 0, style 1
2020-02-17 10:02:15.363 <P2627:S2> citrix-ctxlogin: pam_callback: Entry 1 messages
2020-02-17 10:02:15.363 <P2627:S2> citrix-ctxlogin: pam_callback: msg 0, style 1
2020-02-17 10:02:15.363 <P2627:S2> citrix-ctxlogin: get_logon_certificate: entry.
2020-02-17 10:02:15.363 <P2627:S2> citrix-ctxlogin: check_caller: current process Id: 2627.
2020-02-17 10:02:15.364 <P2627:S2> citrix-ctxlogin: check_caller: current process Name: /opt/Citrix/VDA/bin/ctxlogin.
2020-02-17 10:02:15.364 <P2627:S2> citrix-ctxlogin: start_fas: entry, fas_index = 1
2020-02-17 10:02:15.364 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: entry.
2020-02-17 10:02:15.364 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.374 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: exit.
2020-02-17 10:02:15.374 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: entry.
2020-02-17 10:02:15.374 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.383 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: exit.
2020-02-17 10:02:15.383 <P2627:S2> citrix-ctxlogin: start_fas: exit, fas channel is ready.
2020-02-17 10:02:15.383 <P2627:S2> citrix-ctxlogin: get_public_certificate: entry.
2020-02-17 10:02:15.383 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.403 <P2627:S2> citrix-ctxlogin: get_public_certificate: exit.
2020-02-17 10:02:15.403 <P2627:S2> citrix-ctxlogin: fas_base64_decode: input size 2380.
2020-02-17 10:02:15.403 <P2627:S2> citrix-ctxlogin: fas_base64_decode: output size 1785.
2020-02-17 10:02:15.403 <P2627:S2> citrix-ctxlogin: get_logon_certificate: exit, get logon certificate success.
2020-02-17 10:02:15.573 <P2627:S2> citrix-ctxlogin: pam_callback: Entry 1 messages
2020-02-17 10:02:15.573 <P2627:S2> citrix-ctxlogin: pam_callback: msg 0, style 1
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: pam_callback: Entry 1 messages
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: pam_callback: msg 0, style 1
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: get_logon_certificate: entry.
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: check_caller: current process Id: 2627.
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: check_caller: current process Name: /opt/Citrix/VDA/bin/ctxlogin.
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: start_fas: entry, fas_index = 1
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: entry.
2020-02-17 10:02:15.579 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.588 <P2627:S2> citrix-ctxlogin: sayhello2fas_convertcredential: exit.
2020-02-17 10:02:15.588 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: entry.
2020-02-17 10:02:15.588 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.597 <P2627:S2> citrix-ctxlogin: sayhello2fas_logoncsp: exit.
2020-02-17 10:02:15.597 <P2627:S2> citrix-ctxlogin: start_fas: exit, fas channel is ready.
2020-02-17 10:02:15.597 <P2627:S2> citrix-ctxlogin: get_public_certificate: entry.
2020-02-17 10:02:15.597 <P2627:S2> citrix-ctxlogin: query2fas: waiting for response...
2020-02-17 10:02:15.608 <P2627:S2> citrix-ctxlogin: get_public_certificate: exit.
2020-02-17 10:02:15.608 <P2627:S2> citrix-ctxlogin: fas_base64_decode: input size 2380.
2020-02-17 10:02:15.608 <P2627:S2> citrix-ctxlogin: fas_base64_decode: output size 1785.
2020-02-17 10:02:15.608 <P2627:S2> citrix-ctxlogin: get_logon_certificate: exit, get logon certificate success.
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: validate_user: pam_authenticate err,can retry for user koenraad_8LJ4GH@XXXXX.COM
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: logout_user: closing session and pam transaction.
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: validate_user: Exit (user=koenraad_8LJ4GH@XXXXX.COM)=INVALID_PASSWORD
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: LoginBoxValidate: failed validation of user 'koenraad_8LJ4GH@XXXXX.COM', INVALID_PASSWORD
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: Audit_login_failure: Not yet implemented
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: receive_data: Exit SUCCESS
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: DisplayLabelBox: Entry
2020-02-17 10:02:17.757 <P2627:S2> citrix-ctxlogin: DisplayLabelBox: x 835 y 517, ScrnWidth 1920 ScrnHeight 1096, Width 250 Height 62
2020-02-17 10:02:17.757 <P2627:S2> citrix-ctxlogin: DisplayLabelBox: Exit

 

Just wondering if anyone has any idea what to look for?

It's not an option to disable FAS, as that is site-wide and this is a production environment.

 

Thanks,

 

Koenraad
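
One way to read the hdx log excerpt above stage by stage, as an added example that is not part of the original post and not Citrix tooling: the parser below reports which FAS steps logged success and where the first error appears. The function and stage names are assumptions made for illustration; the marker strings are copied from the log lines quoted in the question.

```python
import re

# Constructed sample: a shortened selection of the hdx log lines quoted in the post.
SAMPLE = """\
2020-02-17 10:02:09.190 <P2587:S2> citrix-ctxgfx: GfxGetThinwireSetting: Unable to read value for key: MaxLatency
2020-02-17 10:02:15.312 <P2627:S2> citrix-ctxlogin: validate_user: [Logon Type] Federated Authentication Logon.
2020-02-17 10:02:15.334 <P2627:S2> citrix-ctxlogin: start_fas: exit, fas channel is ready.
2020-02-17 10:02:15.349 <P2627:S2> citrix-ctxlogin: LoginFasValidate: exit, check success.
2020-02-17 10:02:15.403 <P2627:S2> citrix-ctxlogin: get_logon_certificate: exit, get logon certificate success.
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: validate_user: pam_authenticate err,can retry for user koenraad_8LJ4GH@XXXXX.COM
2020-02-17 10:02:17.742 <P2627:S2> citrix-ctxlogin: validate_user: Exit (user=koenraad_8LJ4GH@XXXXX.COM)=INVALID_PASSWORD
"""

# timestamp, <Ppid:Ssession>, component, function, message
LINE = re.compile(r"^(\S+ \S+) <P(\d+):S(\d+)> ([\w-]+): (\w+): (.*)$")

# Ordered logon stages (hypothetical names) and the logged text that marks each as passed.
STAGES = [
    ("fas_channel", "start_fas", "fas channel is ready"),
    ("fas_validate", "LoginFasValidate", "check success"),
    ("logon_certificate", "get_logon_certificate", "get logon certificate success"),
]

def triage(log_text, component="citrix-ctxlogin"):
    """Return (stage results, first failure, result code) for a ctxlogin FAS logon."""
    passed = {name: False for name, _, _ in STAGES}
    failure, result = None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(4) != component:
            continue  # ignore other daemons such as citrix-ctxgfx
        ts, _pid, _session, _comp, func, msg = m.groups()
        for name, marker_func, marker in STAGES:
            if func == marker_func and marker in msg:
                passed[name] = True
        if failure is None and re.search(r"\berr\b|failed", msg):
            failure = (ts, func, msg.split(",")[0])  # first error line only
        exit_code = re.search(r"Exit \(user=.*\)=(\w+)$", msg)
        if func == "validate_user" and exit_code:
            result = exit_code.group(1)
    return passed, failure, result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, all three FAS stages are reported as passed and the first error is the `pam_authenticate err` line, so the failure is logged after the logon certificate was retrieved from FAS.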

 


2 answers to this question


Hi,

I have not tested FAS yet; based on the support articles I found:

https://support.citrix.com/article/CTX269560

and

https://support.citrix.com/article/CTX269565

 

Quote

Impact to Citrix Technology

This update will not impact Citrix Virtual App and Desktop Windows components: The update anticipated for the second half of 2020 requires SSL/TLS encryption for communication occurring over 389 and 636 to prevent any PLAINTEXT communication over both ports.  Virtual App and Desktop Windows components do not rely on PLAINTEXT communication over 389.
The update may impact Linux VDA.  Linux VDA depends on LDAP for VDA registration and policy evaluation. To resolve, configure LDAPS for Linux VDA. 
The update may impact Citrix ADC/GW LDAP communication if the customer has configured the LDAP Service for PLAINTEXT. To resolve, you should modify the LDAP to use TLS or SSL as described in CTX269461.

 

Hope this helps.
