Jump to content
Welcome to our new Citrix community!
  • 0

FAS some users get [S104] Identity Assertion Logon failed

Jeroen Hulst1709158162


Whe have setup on the customer site Azure SAML with Netscaler and 2 FAS servers. All was working fine until 2 weeks ago.

Everyday a few users ( 10 of 150) get an error when they login to Citrix ( the application is not supported) . When we look into the FAS/CA servers we don't see any error. 

When we look into the VDA servers we see the following event on the moment a user gets this messag:


[S104] Identity Assertion Logon failed.  Failed to connect to Federated Authentication Service: UserCredentialService [Address: **********][Index: 0] [Error: Access Denied (FAS server '*******' correlation: 65fc2983-21a7-48d4-a65e-d967da06f496) 
Server stack trace: 
   bij System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   bij System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   bij System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   bij System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   bij System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   bij System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   bij Citrix.Authentication.UserCredentialServices.IConvertCredentials.CheckAvailableCredentials(String cookie, String& upn, String& userSid)
   bij Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass24_0.<QueryLogonMethod>b__0()]

Link to comment

4 answers to this question

Recommended Posts

  • 0

Have you verified the following things?

  • On each FAS server, are the authorization certificates still valid?
  • Does each FAS server have rules consistently configured?
    • Consistent template, consistent certificate authority, consistent StoreFront access permissions, consistent user/VDA permissions?
  • Are all FAS servers/rule names accounted for within your FAS GPO?
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...