
Citrix FAS/Azure AD SSO initial logon ok but intermittent issue with mapped drives missing and Kerberos error or windows prompt needing credentials. Klist empty. No internal issues


Cindy Vickers

Question

Citrix FAS/Azure AD has been implemented for several years and was working fine.

Recently our Citrix FAS was pointed to new CAs and there were no issues after this, with logon or mapped drives missing etc.

Roughly a week after this our Domain Controllers received KB5027219 (Server 2016 Domain Controller), which appears to cause issues as described in this Citrix article:

'FAS will be able to get a user smart card logon certificate from the CA, VDA will be able to get it from the FAS server but the VDA will not be able to get the certificate validated by a domain controller.'

https://support.citrix.com/article/CTX479236/fas-information-about-microsoft-kb-kb5014754cve202234691-cve202226931-and-cve202226923?fbclid=IwAR0nS_kcvc82ot9P2KVKuSbgL2pL7PPQCjaLDweEqefiOQUIFFsew2ZVev0

Used Certutil -verify -urlfetch "cert" on the FAS cert. Passes all verification.

I can see Event 3: KDC_ERR_S_PRINCIPAL_UNKNOWN on the VDA.
When running Wireshark on the VDA I can see a KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN packet between the VDA and Domain Controller.

Also in Wireshark seeing '500 Internal Server error' between the FAS server and the VDA.

We are not having any issues internally, only our remote users are seeing this issue, so I believe this is a Citrix FAS/Kerberos issue with the VDA not being able to access the Domain Controller for FAS remote connections only.

The Domain Controller certificate (Kerberos Authentication template) was created with the previous CA. NTAuth has the new CA certs though.

No event errors seen on StoreFront and Delivery Controllers/FAS servers. Only on the VDA, with Event 107 and Event 3 KDC_ERR_S_PRINCIPAL_UNKNOWN.

When the user logs on initially klist may have tickets and no issues, but when the issue occurs klist is empty (no cached tickets) and we see Event ID 107 at the same time.

Our Kerberos GPO settings in the Default Domain Policy match what is recommended in the article:

https://support.citrix.com/article/CTX255423/error-event-id-107-citrixauthenticationidentityassertion-user-loses-access-to-mapped-network-drives-after-they-reconnect-to-disconnected-session

Hoping someone else might have seen this issue. Citrix support have not had any suggestions so far.
Attachments: Event107_VDA.PNG, Event3_VDA.PNG, Citrix CTX479236.PNG, promptcreds.PNG, G_FAS.PNG
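The symptoms in the post (empty klist, Event 107 from the FAS identity assertion component, Kerberos Event 3 with KDC_ERR_S_PRINCIPAL_UNKNOWN) are all visible from the VDA, so a defender can line them up in one pass instead of reading screenshots. The script below is an added triage example, not from the original post or from Citrix; it runs on an affected VDA with built-in tools only. It assumes Event 107 is written to the Application log by a provider whose name starts with Citrix.Authentication.IdentityAssertion, that the Kerberos client Event 3 is in the System log under Microsoft-Windows-Security-Kerberos, and the issuing CA name is a placeholder you replace with your own.

```powershell
# Added VDA triage script (not from the post). Run in an elevated PowerShell on an affected VDA.
# Assumptions: provider/log names for Event 107 and Event 3 as described in the lead-in;
# $NewIssuingCaCn is a placeholder for the subject CN of the CA that FAS was re-pointed to.
param(
    [string]$NewIssuingCaCn = 'CHANGEME-New-Issuing-CA',
    [int]$LookbackHours = 24
)

# 1. NTAuth: a FAS smart card logon cert is only accepted by the KDC if its issuing CA
#    is in the enterprise NTAuth store. Dump the store as text and look for the new CA.
$ntauthDump     = certutil -store -enterprise NTAuth 2>&1 | Out-String
$ntauthHasNewCa = $ntauthDump -match [regex]::Escape($NewIssuingCaCn)
"NTAuth contains '$NewIssuingCaCn': $ntauthHasNewCa"

# 2. Kerberos ticket cache of the current session. The post reports klist being empty
#    when the mapped-drive / credential-prompt symptom appears.
$klistOut    = klist 2>&1 | Out-String
$cachedCount = if ($klistOut -match 'Cached Tickets:\s*\((\d+)\)') { [int]$Matches[1] } else { -1 }
"Cached Kerberos tickets for this session: $cachedCount"
if ($cachedCount -eq 0) { "WARNING: ticket cache is empty, matches the reported failure state" }

# 3. Pull the two event types from the lookback window.
$since = (Get-Date).AddHours(-$LookbackHours)

$ev107 = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 107; StartTime = $since } `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.ProviderName -like 'Citrix.Authentication.IdentityAssertion*' }   # assumed provider

$ev3   = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3; StartTime = $since
                                           ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match 'KDC_ERR_S_PRINCIPAL_UNKNOWN' }

"Event 107 (FAS identity assertion) count: $(@($ev107).Count)"
"Kerberos Event 3 KDC_ERR_S_PRINCIPAL_UNKNOWN count: $(@($ev3).Count)"

# 4. Correlate: for each Event 107, list KDC_ERR_S_PRINCIPAL_UNKNOWN errors within +/- 2 minutes.
#    A consistent pairing supports the post's theory that the VDA's certificate logon to the DC
#    is failing; Event 107 with no nearby Kerberos error points elsewhere (e.g. FAS <-> VDA HTTP 500).
foreach ($e in @($ev107)) {
    $near = @($ev3 | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le 120 })
    [pscustomobject]@{
        Event107At         = $e.TimeCreated
        KerbErrorsWithin2m = $near.Count
        FirstKerbErrorLine = if ($near.Count) { ($near[0].Message -split "`r?`n")[0] } else { '' }
    }
}
```

Run it once while the user is healthy and again after a reconnect that reproduces the prompt; the klist count and the Event 107 / Event 3 pairing are the two things worth attaching to the support case alongside the certutil -verify output.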

0 answers to this question