  • 0

Cannot start app - FAS Federated SAML cannot issue certificate for different domain user


William Chu

Question

Hi,

I deployed XenApp 7.14.1 with FAS for SAML SSO and StoreFront 3.11 (all latest versions);

 

  • everything works fine for domain users in domain A (where all the servers live);
  • but users in domain B, after SSO-ing into StoreFront, cannot open apps.

 

I've already applied this fix for different-domain users and rebooted all servers:

https://support.citrix.com/article/CTX220497

  • the fact that domain B users can SSO in with ADFS SAML makes it seem OK.

 

Domain B users can SSO fine with ADFS into StoreFront, and they can see all the apps.

But the apps won't open: "cannot start app".

 

When this issue occurs, these are the logs:

 

1) on the DDC/StoreFront server (both hosted on the same server):

 

Failed to launch the resource 'Controller.Notepad' using the Citrix XML Service at address '??'. An unknown error occurred interacting with the Federated Authentication Service. See the inner exception for more details.

Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.Diagnostics.FasException, Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider, Version=3.11.0.0, Culture=neutral, PublicKeyToken=null

An unknown error occurred interacting with the Federated Authentication Service. See the inner exception for more details.

   at Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.FasLogonDataProvider.GetVdaLogonData(IClaimsPrincipal claimsPrincipal, HttpContextBase httpContext)

   at com.citrix.wing.core.mpssourceimpl.MPSFarmFacade.GetVdaLogonData(Context context)

   at com.citrix.wing.core.mpssourceimpl.MPSFarmFacade.GetAddress(Context ctxt, String appName, String deviceId, String clientName, Boolean alternate, MPSAddressingType requestedAddressType, String friendlyName, String hostId, String hostIdType, String sessionId, NameValuePair[] cookies, ClientType clientType, String retryKey, LaunchOverride launchOverride, Nullable`1 isPrelaunch, Nullable`1 disableAutoLogoff, Nullable`1 tenantId, String anonymousUserId)

   at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.GetAddress(Context env, String appName, String deviceId, String clientName, Boolean alternate, MPSAddressingType requestedAddressType, String friendlyName, String hostId, String hostIdType, String sessionId, NameValuePair[] cookies, ClientType clientType, String retryKey, LaunchOverride launchOverride, Nullable`1 isPrelaunch, Nullable`1 disableAutoLogoff, Nullable`1 tenantId, String anonymousUserId)

   at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.LaunchRemoted(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at com.citrix.wing.core.mpssourceimpl.MPSLaunchImpl.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at com.citrix.wing.core.applyaccessprefs.AAPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at com.citrix.wing.core.clientproxyprovider.CPPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at com.citrix.wing.core.connectionroutingprovider.CRPLaunch.LaunchInternal(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams, Boolean useAlternateAddress)

   at com.citrix.wing.core.connectionroutingprovider.CRPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at com.citrix.wing.core.bandwidthcontrolprovider.BCPLaunch.Launch(Dictionary`2 parameters, Context env, AppLaunchParams appLaunchParams)

   at Citrix.DeliveryServices.ResourcesCommon.Wing.WingAdaptors.OverrideIcaFileLaunch.Launch(Dictionary`2 launchParams, Context env, AppLaunchParams appLaunchParams)

   at Citrix.DeliveryServices.ResourcesCommon.Wing.WingAdaptors.LaunchUtilities.IcaLaunch(IRequestWrapper request, Resource resource, LaunchSettings launchSettings, String retryKey)

 

System.ServiceModel.FaultException`1[[Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServerFault, Citrix.Authentication.UserCredentialServices, Version=7.12.100.73, Culture=neutral, PublicKeyToken=a80ce61cfbf8b47a]], System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Access Denied

 

Server stack trace: 

   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

 

Exception rethrown at [0]: 

   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.CreateCookie(String upn, String sid, String role, String securityContext)

   at Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServer.AssertIdentity(String userPrincipalName, SecurityIdentifier sid, String userRole, String securityContext)

   at Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.FasLogonDataProvider.GetVdaLogonData(IClaimsPrincipal claimsPrincipal, HttpContextBase httpContext)

 

2) on the FAS server:

[s123] Server [DOMAINA\***DDC1$] failed to issue a certificate for UPN [w_chu@domainB].  For details, check the Microsoft Certification Authority "Failed Requests" logs.

 

3) on the certificate authority server, FAILED REQUESTS log:

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32; 1351 ERROR_CANT_ACCESS_DOMAIN_INFO)

Requester name: domainB\w_chu

 

I've adjusted the FAS server rules to allow all domain users from domain B to use FAS.

Link to comment

12 answers to this question


  • 1

Hi, I had exactly the same event log and problem.

The solution was in the FAS console:

--> In step 3, deauthorize and then reauthorize,

--> Then you have to "issue" the certificate in your root CA (in Pending Requests),

--> Set the user rules as they were before and re-add your StoreFront in the "List of StoreFront servers that can use this rule" in the FAS console.

These actions renew the certificate used by FAS when it requests the user's certificate from the root CA.

 

  • Like 1
Link to comment
  • 0

I understand there is also the shadow account option,

which we want to avoid if possible since both domains have full trust with each other.

 

I tested by creating an AD account in domain A with the same UPN.

- I log in to ADFS with the domain B credentials
- I get passed to StoreFront
- StoreFront actually lists me as logged in as the domain A shadow account, so I have to assign icons to the shadow account as well, which is a pain.
- Apps can open fine, but the Citrix profile is under the domain A shadow account, not the domain B user profile.

Link to comment
  • 0

Yeah, so we have a full two-way trust, external type; both domains are single-layer domains, each the only one in its forest.

 

We have a website using ADFS as the authentication, so from the website we want users to SSO into Citrix StoreFront; FAS with SAML auth was perfect for that.

 

Users from domain B and A can sign in to ADFS fine, SSO into Citrix StoreFront fine, and can see their Citrix icons fine. The issue is that domain B users can't open any apps, because the certificate authority fails to issue the cert for auth into the XenApp VDA servers. CA error:

"Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32; 1351 ERROR_CANT_ACCESS_DOMAIN_INFO)"

 

- granted domain B users and computers full access to the Citrix templates
- granted domain B users access via FAS rules
- domain B users can have certs issued from the domain A CA fine for other types of certs outside Citrix; domain B computers autoenroll certs from domain A all the time, and I can manually request a simple cert as a domain B user. I can't manually request the citrix_smartcardlogon cert as a domain B or A user; the Citrix template prohibits this, I think.

 

Opened a case with Citrix; the tech didn't sound confident about this scenario, and tried all the things I already had in place for granting permissions, and then just leaned back on the scenario of creating a shadow account so he could close the case.

 

Opened a case with Microsoft to check the CA, and they said it's functioning fine and couldn't give me any reason/clues about the error; but to be fair to them, the whole process of the FAS server requesting the cert under the hood is not something they know, or I know, very well... but Citrix should know.

Link to comment
  • 0

Hi,

 

OK, I understand.

 

I don't know if you checked https://support.citrix.com/article/CTX220497.

It describes a different error message, but the topic of the article is "Users from one AD Domain not able to get FAS user certificates from another trusted domain," which at least sounds similar to your issue.

 

Also, did you check the Enrollment Agents tab in the certificate template to see whether it allows issuing certificates for users in domain B (it should be the permissions section in the Enrollment Agents tab of the template)?

 

And one more question: are the domain controllers in domain A all Global Catalog servers? Otherwise you might need to enable the EnableLDAPReferrals flag on the CA. This is because at startup the CA caches a DC name in the forest root to bind to AD. During a request, it then tries to convert a sAMAccountName to the corresponding DistinguishedName. If the DC is not a GC, the DC returns an error message saying it's an unknown user and gives a referral to another domain in the forest. But by default a Microsoft CA is not able to handle the LDAP referral, and the request fails.

To enable the capability to use LDAP referrals, run

'Certutil -SetReg Policy\EditFlags +EDITF_EnableLDAPReferrals'

and restart the services. But in this case I would expect that computers in domain B also wouldn't be able to get certificates issued...

 

 

 

Link to comment
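As an added example, not part of any post in this thread: a read-only PowerShell check for the two conditions raised in the answer above, whether every domain A domain controller is a Global Catalog and whether the issuing CA already has the LDAP-referral flag set. It assumes the RSAT ActiveDirectory module is installed and that it runs on the issuing CA itself, since certutil -getreg reads the local CA's configuration; the bit values are the documented CA policy-module EDITF_* constants.

```powershell
# Added example, not from the thread. Run on the domain A issuing CA with the
# RSAT ActiveDirectory module available. Read-only: it reports and changes nothing.
Import-Module ActiveDirectory

# --- 1. Are all domain controllers in this domain Global Catalog servers? ---
# A DC that is not a GC answers a cross-domain name lookup with an LDAP
# referral, which the CA ignores unless EDITF_ENABLELDAPREFERRALS is set.
$dcs   = Get-ADDomainController -Filter *
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$dcs | Select-Object Name, Site, IsGlobalCatalog | Format-Table -AutoSize
if ($nonGc.Count -gt 0) {
    Write-Warning ("Not Global Catalog: " + ($nonGc.Name -join ', '))
} else {
    Write-Output "All $($dcs.Count) domain controllers are Global Catalog servers."
}

# --- 2. Decode the CA policy module EditFlags value ---
# Documented EDITF_* constants for the certsrv default policy module.
$EDITF_ENABLELDAPREFERRALS      = 0x80000   # chase LDAP referrals to other domains
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # requester may set the SAN via a request attribute

$raw = (& certutil.exe -getreg Policy\EditFlags 2>&1) -join "`n"
# certutil prints the value on a line such as "  EditFlags REG_DWORD = 11014e (1114446)"
# followed by the names of the flags that are set.
if ($raw -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $flags = [Convert]::ToUInt32($Matches[1], 16)

    if ($flags -band $EDITF_ENABLELDAPREFERRALS) {
        Write-Output 'EDITF_ENABLELDAPREFERRALS is set: the CA will follow LDAP referrals.'
    } else {
        Write-Output 'EDITF_ENABLELDAPREFERRALS is NOT set. To enable it (then restart CertSvc):'
        Write-Output '  certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS'
    }

    # Not part of the FAS fix, but worth noticing while you are in this value:
    # with this bit on, any enrollee can choose the SAN of the certificates it requests.
    if ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
        Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is also set on this CA; review whether that is intended.'
    }
} else {
    Write-Warning "Could not parse certutil output:`n$raw"
}
```

Run it in an elevated PowerShell on the CA; the second part only reports, so enabling the referral flag remains the explicit certutil step quoted in the answer, followed by a CertSvc restart.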
  • 0

Sorry, my fault. You are right, Enrollment Agents is a setting in the CA configuration, not in the template.

Anyway, as there is no restriction configured in your environment, all DCs are GCs and the fix did not help either, I'm running out of ideas now.

 

There is one last idea at the moment.

Did you ever try to manually generate the certificate via PowerShell to see if the same error appears?

There is a cmdlet called New-FasUserCertificate available to (pre-)generate certificates for a given UPN.

You can find a detailed description of the cmdlets here: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-14/secure/federated-authentication-service/fas-config-manage/fas-ps-sdk.html

Link to comment
  • 0

I couldn't find info on generating a cert from the smart card logon template using the PowerShell cmdlet. The docs mainly specify generating a cert so that it goes to Pending before manually issuing it, to validate the third authorization step in the FAS setup.

 

But I didn't make a copy of the citrix_smartcardlogon template before; I adjusted the "issuance requirements" properties so it doesn't require an authorized signature, to allow me to go through a manual cert request in MMC.

 

 

And that manual request through MMC using the copied template worked; it issued a cert for the domain B user. But when I adjusted the original template to also not have issuance requirements, I got the same error as before when going through an SSO login and clicking a XenApp icon.

Link to comment
  • 0

Hello,

 

I had that problem and I solved it like this.

 

The CA cannot obtain the user's data because it does not have access to the user's information to build the request. I think this is because an external trust relationship does not have permission for DomainInfo (for every domain).

 


 

This has been solved by changing the subject name option from "Build from AD" to "Supply in the request" in the certificate template.

 


 

Link to comment
  • 0

I had the same problem where FAS didn't work across multiple domains with a two-way trust, but this setting also worked for me.

Change the setting in the Citrix_SmartcardLogon certificate template properties from "Build from this Active Directory information" to "Supply in the request". You change this setting on the Microsoft CA server in the MMC Certificate Templates console.

Thanks for a good post, Santos Benito Herreros.

 

Link to comment
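As an added example, not part of the posts above: a PowerShell script that reads the Citrix_SmartcardLogon template from the AD configuration partition and reports the two settings this thread touches, the subject-name source (Build from this Active Directory information versus Supply in the request, bit CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT of msPKI-Certificate-Name-Flag) and the number of authorized signatures required (msPKI-RA-Signature), and can then run the manual issuance test suggested earlier with New-FasUserCertificate. It assumes the RSAT ActiveDirectory module, a template published under exactly that name, and, for the optional test, the Citrix FAS PowerShell SDK snap-in with a placeholder FAS address; the snap-in and cmdlet parameter names are taken from the SDK page linked above and should be checked against it. The check matters because with "Supply in the request" the requester names the subject: enrollment permission on the template should stay limited to the FAS server and the authorized-signature requirement should stay at 1, otherwise any account that can enroll could request a logon certificate for an arbitrary UPN, which is why removing the issuance requirement on the production template (as one reply did to test in MMC) should be reverted after testing.

```powershell
# Added example, not from the thread. Read-only unless -RunFasTest is given.
param(
    [string]$TemplateName = 'Citrix_SmartcardLogon',
    [switch]$RunFasTest,
    [string]$FasAddress = 'fas01.domaina.example',   # placeholder, not from the thread
    [string]$TestUpn    = 'w_chu@domainB'            # UPN from the FAS log in the question
)
Import-Module ActiveDirectory

# Certificate templates live in the forest-wide configuration partition,
# which every DC holds, so no -Server is needed.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

# msPKI-Certificate-Name-Flag is stored as a signed 32-bit integer; view it unsigned.
$nameFlag = [uint32](([int64]$tpl.'msPKI-Certificate-Name-Flag') -band 0xFFFFFFFF)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000   # UPN goes into the SAN (needed for logon)

$supplyInRequest = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$upnInSan        = ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0
$sigsRequired    = [int]$tpl.'msPKI-RA-Signature'   # "This number of authorized signatures"
if ($supplyInRequest) {
    $subjectSource = 'Supply in the request'
} else {
    $subjectSource = 'Build from this Active Directory information'
}

[pscustomobject]@{
    Template             = $TemplateName
    SubjectNameSource    = $subjectSource
    UpnInSan             = $upnInSan
    AuthorizedSignatures = $sigsRequired
    ExtendedKeyUsage     = ($tpl.pKIExtendedKeyUsage -join ', ')
} | Format-List

# The combination to avoid leaving in place after a test: requester-supplied
# subject with no enrollment-agent signature required.
if ($supplyInRequest -and $sigsRequired -lt 1) {
    Write-Warning ('Template {0}: subject is supplied by the requester and no authorized ' +
                   'signature is required. Restore the signature requirement (1) and keep ' +
                   'Enroll limited to the FAS server.') -f $TemplateName
}

if ($RunFasTest) {
    # Manual issuance test from the FAS server, as suggested earlier in the thread.
    # Snap-in name and parameters are assumed from the Citrix FAS PowerShell SDK docs;
    # 'default' and 'default_Definition' are the objects the FAS console creates.
    Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
    $cert = New-FasUserCertificate -Address $FasAddress -UserPrincipalName $TestUpn `
                -CertificateDefinition 'default_Definition' -Rule 'default'
    $cert | Format-List
}
```

Run the first part from any domain-joined machine with RSAT; run it with -RunFasTest on the FAS server itself, where the snap-in is installed. If the FAS cmdlet fails with the same "Access Denied" fault as the StoreFront launch, the problem is in the CA or template path rather than in StoreFront, which is the distinction the earlier reply was after.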
