The fact that domainB users can SSO in with ADFS SAML makes it seem OK.
Question
William Chu
Hi,
I deployed XenApp 7.14.1 with FAS for SAML SSO and StoreFront 3.11 (all latest versions).
I've already applied this fix for different domain users and rebooted all servers:
https://support.citrix.com/article/CTX220497
Domain B users can SSO fine with ADFS into the StoreFront, and they can see all the apps,
but an app won't open: "cannot start app".
When this issue occurs, these are the logs:
1) on the DDC/StoreFront server (hosted on same server):
Failed to launch the resource 'Controller.Notepad' using the Citrix XML Service at address '??'. An unknown error occurred interacting with the Federated Authentication Service. See the inner exception for more details.
Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.Diagnostics.FasException, Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider, Version=3.11.0.0, Culture=neutral, PublicKeyToken=null
An unknown error occurred interacting with the Federated Authentication Service. See the inner exception for more details.
at Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.FasLogonDataProvider.GetVdaLogonData(IClaimsPrincipal claimsPrincipal, HttpContextBase httpContext)
at com.citrix.wing.core.mpssourceimpl.MPSFarmFacade.GetVdaLogonData(Context context)
at com.citrix.wing.core.mpssourceimpl.MPSFarmFacade.GetAddress(Context ctxt, String appName, String deviceId, String clientName, Boolean alternate, MPSAddressingType requestedAddressType, String friendlyName, String hostId, String hostIdType, String sessionId, NameValuePair[] cookies, ClientType clientType, String retryKey, LaunchOverride launchOverride, Nullable`1 isPrelaunch, Nullable`1 disableAutoLogoff, Nullable`1 tenantId, String anonymousUserId)
at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.GetAddress(Context env, String appName, String deviceId, String clientName, Boolean alternate, MPSAddressingType requestedAddressType, String friendlyName, String hostId, String hostIdType, String sessionId, NameValuePair[] cookies, ClientType clientType, String retryKey, LaunchOverride launchOverride, Nullable`1 isPrelaunch, Nullable`1 disableAutoLogoff, Nullable`1 tenantId, String anonymousUserId)
at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.LaunchRemoted(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at com.citrix.wing.core.applyaccessprefs.AAPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at com.citrix.wing.core.clientproxyprovider.CPPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at com.citrix.wing.core.connectionroutingprovider.CRPLaunch.LaunchInternal(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams, Boolean useAlternateAddress)
at com.citrix.wing.core.connectionroutingprovider.CRPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at com.citrix.wing.core.bandwidthcontrolprovider.BCPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)
at Citrix.DeliveryServices.ResourcesCommon.Wing.WingAdaptors.OverrideIcaFileLaunch.Launch(Dictionary`2 launchParams, Context env, AppLaunchParams appLaunchParams)
at Citrix.DeliveryServices.ResourcesCommon.Wing.WingAdaptors.LaunchUtilities.IcaLaunch(IRequestWrapper request, Resource resource, LaunchSettings launchSettings, String retryKey)
System.ServiceModel.FaultException`1[[Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServerFault, Citrix.Authentication.UserCredentialServices, Version=7.12.100.73, Culture=neutral, PublicKeyToken=a80ce61cfbf8b47a]], System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Access Denied
Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Citrix.Authentication.UserCredentialServices.IConvertCredentials.CreateCookie(String upn, String sid, String role, String securityContext)
at Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServer.AssertIdentity(String userPrincipalName, SecurityIdentifier sid, String userRole, String securityContext)
at Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.FasLogonDataProvider.GetVdaLogonData(IClaimsPrincipal claimsPrincipal, HttpContextBase httpContext)
2) on the FAS server:
[s123] Server [DOMAINA\***DDC1$] failed to issue a certificate for UPN [w_chu@domainB]. For details, check the Microsoft Certification Authority "Failed Requests" logs.
3) on the certificate authority server - FAILED REQUEST LOG:
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32; 1351 ERROR_CANT_ACCESS_DOMAIN_INFO)
requester name: domainB\w_chu
I've adjusted the FAS server rules to allow all domain users from domain B to use FAS.
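An added example, not part of the original post or of any Citrix tooling: it links the FAS event to the CA failed-request entry quoted above by user identity and decodes the status 0x80070547 into its HRESULT fields. The function names are hypothetical, the sample lines are shortened from the post, and comparing the UPN suffix directly with the down-level domain name is an assumption that only holds for the redacted names used here.

```python
import re

# Constructed sample: the FAS and CA lines quoted in the post, shortened.
SAMPLE_LOGS = {
    "fas": "[s123] Server [DOMAINA\\***DDC1$] failed to issue a certificate for UPN [w_chu@domainB].",
    "ca": "0x80070547 (WIN32; 1351 ERROR_CANT_ACCESS_DOMAIN_INFO) requester name: domainB\\w_chu",
}

def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {
        "failure": bool((value >> 31) & 1),
        "facility": (value >> 16) & 0x7FF,  # 7 = FACILITY_WIN32
        "code": value & 0xFFFF,             # Win32 error number when facility is 7
    }

def normalize_identity(text):
    """Return (user, domain), lower-cased, from 'user@domain' or 'DOMAIN\\user'."""
    text = text.strip()
    if "@" in text:
        user, domain = text.split("@", 1)
    elif "\\" in text:
        domain, user = text.split("\\", 1)
    else:
        raise ValueError("not a UPN or down-level name: %r" % text)
    # Assumption: UPN suffix and down-level domain name are directly comparable.
    # In a real forest, map the NetBIOS name to the DNS suffix before comparing.
    return user.lower(), domain.lower()

def correlate(logs):
    """Tie the FAS failure to the CA failed request and decode the CA status."""
    upn = re.search(r"for UPN \[([^\]]+)\]", logs["fas"])
    requester = re.search(r"requester name:\s*(\S+)", logs["ca"], re.I)
    status = re.search(r"0x[0-9a-fA-F]{8}", logs["ca"])
    if not (upn and requester and status):
        return None  # one of the two entries is missing a field we key on
    user = normalize_identity(upn.group(1))
    return {
        "user": user,
        "same_user": user == normalize_identity(requester.group(1)),
        "hresult": decode_hresult(int(status.group(0), 16)),
    }

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))
```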