Published Desktops: Using Citrix FAS, child domains are prompting for credentials when launching the desktops.


Doug Chambers

Question

We are using SAML with an external MFA solution through Netscaler and Storefront using FAS to our published desktops in Xendesktop.

 

We have multiple Forests in our environment as well as child domains. When publishing a desktop from the primary domain where the FAS server is installed, the desktop launches and logs in automatically using the FAS server and smartcard cert.

 

When publishing a desktop from a child domain or from another forest, the desktop doesn't log in automatically and prompts for credentials.

 

My objective:

When publishing desktops from child domains or from another forest, I'd like these desktops to login automatically without prompting credentials and instead use the FAS server.

 

I've been searching for a KB article to achieve this but I'm falling short. Can anyone point me in the right direction?

 

EDIT:

I just noticed the CitrixFAS Policy doesn't exist in the child domain's GPO. Maybe I need to add this policy to the child domains' GPO? I'll give this a shot.

 

 

EDIT:

I'm not sure this is beneficial, but additional details are always good. My first issue was that none of the published desktops from any of the child domains would register with the delivery controller. I resolved that issue this morning by adding the DDC's SID and enabling multiple forest support via this KB:

Successfully Deploying XenDesktop in a Complex Active Directory Environment (citrix.com) 

 

Thanks.

12 answers to this question


No. FAS is doing nothing more than generating Smart Card certificates. The VDA then uses the Smart Card certificate to authenticate to a domain controller. The certificate contains the user's UPN and the VDA attempts to login using that UPN and the certificate's private key. Maybe the VDA's domain controller doesn't know the user's UPN. Or maybe there's some other certificate trust issue. If you Google for smart cards Windows you'll find many guides for troubleshooting smart card authentication.

1 hour ago, Carl Stalhood1709151912 said:

 

I added the delivery controller/storefront server as well as the FAS server to the windows authorization group on the child domain. I'm still having the same issue. 

 

However, looking at the logs on the FAS server and Published desktop I'm seeing these in event viewer.

 

FAS Server

[S205] Calling account [****************] is not a relying party in role [default]

 

Published desktop

[S104] Identity Assertion Logon failed.  Failed to connect to Federated Authentication Service: UserCredentialService [Address: ***************************][Index: 0] [Error: Access Denied 
Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.CheckAvailableCredentials(String cookie, String& upn, String& userSid)
   at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass8.<QueryLogonMethod>b__7()]

14 hours ago, Carl Stalhood1709151912 said:

Does the Rule > Restrictions > Manage user permissions include users from the other domain?

Where are these rules? 

Citrix Federated Authentication Service Configuration?

 

Edit:

I believe I've found what you're referring to under Security Access Control Lists. I'm going to add the other domains users and I'll report back. 

 

Thanks.

19 hours ago, Carl Stalhood1709151912 said:

Does the Rule > Restrictions > Manage user permissions include users from the other domain?

Carl,

 

I spoke too soon. The following resolved my issues for VDA Desktops in the child domains:

 

I was able to get this working by editing "User Rules" in "Citrix Federated Authentication Service Configuration". I added all of the domain\domain computers to the Security Access Control Lists "List of VDA Desktops and Servers that can be logged into by this rule". Once I added all domains it started working as intended. 

 

However, I'm still having troubles with the other forest with which I have a two-way transitive trust set up. I have a VDA Desktop in the trusted forest, and I can launch the session, but it shows "invalid username and password". I've added both the domain\domain computers and domain\domain users to the Citrix federated authentication service.

 

I also added all Citrix servers and VDAs to "Windows Authorization Access Group".

 

 

The error on the VDA Desktop I'm seeing is this:

 

The client has failed to validate the domain controller certificate for "domain controller fqdn generic placeholder". The following error was returned from the certificate validation process: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

 

Any ideas?

Edit: On the domain controller in the other forest I'm also seeing Audit Failure 4625 event.
Failure Information:
    Failure Reason:        An Error occured during Logon.
    Status:            0xC000006D
    Sub Status:        0xC000040D
 

2 hours ago, Carl Stalhood1709151912 said:

Is the CA root certificate added to NTAuth in the other domain? https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store

 

Is it also added as a Trusted Root in the other domain?

 

The certificate was not added. I have added it to both locations, and I'm no longer seeing certificate errors in event log. However, I do still have the problem with invalid username or password. 

Do I need to configure a CA in the other forest as well, and then add it to Citrix federated authentication service configuration? At this time I only have the one CA in my primary domain. 

5 hours ago, Carl Stalhood1709151912 said:

No. FAS is doing nothing more than generating Smart Card certificates. The VDA then uses the Smart Card certificate to authenticate to a domain controller. The certificate contains the user's UPN and the VDA attempts to login using that UPN and the certificate's private key. Maybe the VDA's domain controller doesn't know the user's UPN. Or maybe there's some other certificate trust issue. If you Google for smart cards Windows you'll find many guides for troubleshooting smart card authentication.


This morning, looking at the VDA Desktop logs I noticed it was still barking about the certificate. So I ran "certutil -dspublish -f filename NTAuthCA" on the VDA Desktop as well as installed the root cert in the trusted root certificates area, and this resolved my issue.

 

I initially only ran certutil -dspublish on the domain controller in the forest, not realizing I needed to run it on the VDA desktop as well.  

 

I appreciate the help with this and I hope someone else finds this thread useful in the future. Thanks!

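The fix above comes down to the VDA trusting the FAS issuing CA's root in every place Windows smart-card logon consults: the machine Trusted Root store, the local NTAuth cache, and the forest's NTAuthCertificates object. The following check script is an added example, not from this thread or from Citrix; it assumes you run it elevated on the VDA and pass the exported root CA certificate as $RootCerPath.

```powershell
# Added check script (not from this thread or from Citrix): run elevated on the VDA
# to confirm the FAS issuing CA's root is trusted everywhere smart-card logon looks.
# Assumption: $RootCerPath is the exported root CA certificate (.cer) of the FAS CA.
param([Parameter(Mandatory = $true)][string]$RootCerPath)

$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath
$thumb = $root.Thumbprint
Write-Host "Root CA: $($root.Subject)  thumbprint $thumb"

# 1. Machine Trusted Root store. Missing here gives the event quoted in the thread:
#    "terminated in a root certificate which is not trusted by the trust provider".
$inTrustedRoot = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

# 2. Local NTAuth cache on this machine. Filled by Group Policy from the forest's
#    NTAuthCertificates object after 'certutil -dspublish -f <root.cer> NTAuthCA',
#    or directly with 'certutil -enterprise -addstore NTAuth <root.cer>'.
$inNtAuthLocal = Test-Path -Path "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$thumb"

# 3. Forest-wide NTAuthCertificates object in the configuration partition of the
#    forest this VDA belongs to (the trusting forest, not only the FAS server's forest).
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$inNtAuthForest = $false
foreach ($raw in $ntAuth.Properties["cACertificate"]) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    if ($c.Thumbprint -eq $thumb) { $inNtAuthForest = $true }
}

$results = [ordered]@{
    'LocalMachine\Root (Trusted Root)' = $inTrustedRoot
    'Local NTAuth cache (registry)'    = $inNtAuthLocal
    "NTAuthCertificates in $configNC"  = $inNtAuthForest
}
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0}  {1}" -f $state, $_.Key)
}
if ($results.Values -contains $false) {
    Write-Warning "Publish the root with 'certutil -dspublish -f <root.cer> NTAuthCA' and refresh policy (or 'certutil -enterprise -addstore NTAuth <root.cer>' locally); add it to Trusted Root with 'certutil -addstore Root <root.cer>'."
    exit 1
}
```

Run it on a VDA in each child domain or trusted forest; a MISSING line points at the store that still needs the root before the 4625 / certificate-validation events will clear.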
On 9/22/2021 at 5:48 PM, Doug Chambers said:


This morning, looking at the VDA Desktop logs I noticed it was still barking about the certificate. So I ran "certutil -dspublish -f filename NTAuthCA" on the VDA Desktop as well as installed the root cert in the trusted root certificates area, and this resolved my issue.

 

I initially only ran certutil -dspublish on the domain controller in the forest, not realizing I needed to run it on the VDA desktop as well.  

 

I appreciate the help with this and I hope someone else finds this thread useful in the future. Thanks!


Hi Doug,
Hope you're doing fine! We ran into the same issue with child domains. Can you tell me how you ran the certutil -dspublish command? What did you use as filename? To be more clear: which certificate do we need to publish and where do I find it? Thanks for your help!
