
PVS Multi-domain issue


Martijn Kools

Question

Hello,

I have an issue with PVS in a multi-domain setup. The PVS server is a member of domain2. My user account is a member of (trusted) domain1. The PVS server is configured to use the network service account to talk to the DB server, which is also in domain2. The PVS admin group is a group in domain1. The setup goes fine, but when I try to log on to the console with domain1\username I get the following error (also see attached screenshot).

Unable to connect to the Domain Controller (if any) or the default rootDSE. Error code: 16478929, message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), provider.

When I configure PVS using a service account from domain1 everything works ok. When I use a service account from domain2 I get the same error. I already tried the regkeys SkipForestLevelTrusts and DomainSelectOption with all possible values but this doesn't seem to make any difference.

Any idea how to solve this?

error.png

Link to comment

3 answers to this question


Hello!

We have had the same problem in our environment since February. We tried different workarounds but nothing has solved the problem. We are using PVS 1912 LTSR.

We also opened a Citrix case... but no resolution yet.

We also see the following error in the PVS event log:

The Security System has detected a downgrade attempt when contacting the 3-part SPN

 LDAP/<FQDN>/<DOMAIN>

Regards

Kevin

Link to comment

I reproduced this in my lab and confirm the workaround.

If your PVS and admin accounts are in separate forests with two-way trust and the PVS servers are fully patched, you will see this error 100%.

The only workaround is to turn OFF the SpnDowngradeProtection with the registry key mentioned in this article.

https://support.citrix.com/article/CTX472962/error-connecting-to-pvs-farm-with-credentials-from-trusted-domain

Link to comment
