
Can't log in to trusted domain due to SOAP error message ([S104] Identity Assertion Logon failed) FAS / SAML / Multidomain



Hello @all,

 

Hope someone can help me with my multidomain Citrix setup issue.

I have a multidomain setup and an issue with logging in to XenApp in a trusted domain via Okta / SAML 2.0 with FAS.

I used Carl's blog as a guideline: https://www.carlstalhood.com/citrix-federated-authentication-service-saml/
 

 

Environment (all servers are Windows 2016):

Domain A contains recource.local:

0. Citrix NetScaler
1. Domain controller / Enterprise CA
2. Delivery Controller
3. StoreFront
4. FAS
5. XenApp 1801

Domain B contains trusted.local:

1. Domain controller
2. XenApp 1801

 

A two-way domain trust is in place.
 

[WORKING] Logging in to the VDA in the recource domain works as it should with SAML / FAS.

[NOT WORKING] When I want to log in to the VDA in the trusted domain it fails and the error message below pops up. I can confirm that a certificate is correctly issued in the recource domain for the user in the trusted domain.

All needed registry settings are applied on the VDA in the trusted domain, and the trusted root certificate from the recource domain is added to the enterprise store in the trusted domain.

Registry keys
==========


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\ListOfDDCs | value: StoreFront FQDN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\ListOfSIDs | value: SID of the StoreFront server
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\SupportMultipleForest | value: 1

 

Policy setting:
[screenshot of the policy setting, image not available]

 


Error message in the event log on the VDA, XenApp 1801 (trusted domain)
=====================================================

Log Name:      Application
Source:        Citrix.Authentication.IdentityAssertion
Date:          3/29/2019 2:48:07 PM
Event ID:      104
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      VDA.trusted.local
Description:
[S104] Identity Assertion Logon failed.  Failed to connect to Federated Authentication Service: UserCredentialService [Address: FAS.recource.local][Index: 0] [Error: SOAP security negotiation with 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' for target 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' failed. See inner exception for more details. 
Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.GetConvertCredentialsVersionNumber(Int32 clientVersion)
   at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass31_0.<QueryLogonMethod>b__0()]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix.Authentication.IdentityAssertion" />
    <EventID Qualifiers="0">104</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-29T13:48:07.989377900Z" />
    <EventRecordID>31117</EventRecordID>
    <Channel>Application</Channel>
    <Computer>win5863.trusted.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[S104] Identity Assertion Logon failed.  Failed to connect to Federated Authentication Service: UserCredentialService [Address: FAS.recource.local][Index: 0] [Error: SOAP security negotiation with 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' for target 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' failed. See inner exception for more details. 
Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.GetConvertCredentialsVersionNumber(Int32 clientVersion)
   at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.&lt;&gt;c__DisplayClass31_0.&lt;QueryLogonMethod&gt;b__0()]</Data>
  </EventData>
</Event>


Hello, when you're getting "SOAP security negotiation ... failed" it's mostly related to one of the following issues:

- What happens when you browse to http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider from your VDA? Is there a page showing up, so the connection via port 80 is working fine and there are no proxies in between the communication?

- Check your Kerberos settings between your trusts -> (here it's VDA registration, you can ignore this as VDA to FAS is using the same) https://support.citrix.com/article/CTX272352/cloud-vda-registration-failure-error-id-1023-broker-proxy-failed-to-communicate-with-the-cloud-ddc

Hope this helps


Hi

 

In my case it was difficult to find a solution, but finally I did it.

I am going to post it here in case it is useful for more people.
The only solution in my case is to use Kerberos Forest Search Order, configuring it in the KDC.
The problem with this is that we have so many requests that if we use KFSO it could cause a denial of service problem, as indicated by MS in its documentation.
To do this, I have done something similar, but instead of configuring the KDC (domain controllers), it has been configured in the client part of Kerberos (client) for those VDAs that are going to use the FAS.

These are the GPOs. As I say, in my case I only used the Kerberos one, applying it only to the VDAs that use the FAS service:

Computer Configuration \ Administrative Templates \ System \ Kerberos \ Use Forest Search Order

Computer Configuration \ Administrative Templates \ System \ KDC \ Use Forest Search Order

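The two replies above point at three things to verify on the VDA in the trusted forest before the FAS logon can work: the VDA registry values from the original post, plain HTTP reachability of the FAS endpoint without a proxy, and whether the VDA can actually obtain a Kerberos service ticket across the trust (the SspiNegotiationTokenProvider frames in the stack trace are the SPNEGO negotiation failing). The following PowerShell script is an added example written for this thread, not Citrix code and not from either poster. It assumes the FAS host name from the original post (FAS.recource.local), that the WCF endpoint uses the default host/<fqdn> service principal, and that the Kerberos client "Use Forest Search Order" policy writes UseForestSearch and ForestSearchList under HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters; that policy path is an assumption and should be checked against the ADMX in your domain.

```powershell
# Added diagnostic for the FAS [S104] SOAP negotiation failure (example, not Citrix code).
# Run on the VDA in the trusted forest as an administrator.
function Test-FasPrereqs {
    param(
        [string]$FasHost = 'FAS.recource.local',   # from the original post
        [string]$FasUrl  = "http://$FasHost/CitrixUserCredentialService/IdentityProvider"
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. VDA registry values named in the original post (Wow6432Node path, 32-bit policy hive).
    $vdaKey = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent'
    $vda = Get-ItemProperty -Path $vdaKey -ErrorAction SilentlyContinue
    foreach ($name in 'ListOfDDCs', 'ListOfSIDs', 'SupportMultipleForest') {
        $value = if ($vda) { $vda.$name } else { $null }
        if ($null -eq $value -or "$value" -eq '') { $findings.Add("MISSING $name under $vdaKey") }
        else                                       { $findings.Add("OK      $name = $value") }
    }
    if ($vda -and "$($vda.SupportMultipleForest)" -ne '1') {
        $findings.Add('WARN    SupportMultipleForest is not 1; required when VDA and FAS are in different forests')
    }

    # 2. Reachability of the FAS endpoint on port 80, and whether a system proxy would intercept it.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy([uri]$FasUrl)
    if ($proxy.AbsoluteUri -ne ([uri]$FasUrl).AbsoluteUri) {
        $findings.Add("WARN    system proxy $($proxy.AbsoluteUri) is in the path; SOAP negotiation needs a direct connection")
    } else { $findings.Add('OK      no system proxy for the FAS URL') }

    $tcp = Test-NetConnection -ComputerName $FasHost -Port 80 -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) { $findings.Add("OK      TCP 80 to $FasHost open") }
    else                       { $findings.Add("FAIL    TCP 80 to $FasHost closed or filtered") }

    try {
        $resp = Invoke-WebRequest -Uri $FasUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $findings.Add("OK      HTTP $($resp.StatusCode) from $FasUrl")
    } catch {
        # A 4xx/5xx still proves the host answered; a null Response means nothing did.
        $code = $_.Exception.Response
        if ($code) { $findings.Add("OK      FAS answered (HTTP $([int]$code.StatusCode)), endpoint reachable") }
        else       { $findings.Add("FAIL    no HTTP answer from $FasUrl : $($_.Exception.Message)") }
    }

    # 3. Cross-forest Kerberos: ask the KDC for a service ticket for the assumed WCF identity host/<fqdn>.
    #    This is the same step the SspiNegotiationTokenProvider stack frames in the event log perform.
    $spn = "host/$FasHost"
    $klist = & klist.exe get $spn 2>&1
    $klistText = ($klist | Out-String)
    if ($LASTEXITCODE -eq 0 -and $klistText -match [regex]::Escape($spn)) {
        $findings.Add("OK      Kerberos ticket obtained for $spn")
    } else {
        $findings.Add("FAIL    could not get a Kerberos ticket for $spn (this is what the trust / forest search order replies address)")
    }

    # 4. Kerberos client forest search order policy (registry path is an assumption; verify against your ADMX).
    $kerbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters'
    $kerb = Get-ItemProperty -Path $kerbKey -ErrorAction SilentlyContinue
    if ($kerb -and "$($kerb.UseForestSearch)" -eq '1') {
        $findings.Add("OK      Use Forest Search Order enabled; ForestSearchList = $($kerb.ForestSearchList -join ', ')")
    } else {
        $findings.Add('INFO    Use Forest Search Order policy not enabled on this client (per the last reply, enabling it on the VDAs only avoids loading the KDC)')
    }

    return $findings
}

Test-FasPrereqs | ForEach-Object { Write-Output $_ }
```

Any FAIL line on the Kerberos step with the registry and HTTP steps passing matches the symptom in this thread: the endpoint is reachable but the SPNEGO exchange cannot locate the service principal across the trust, which is exactly what the forest search order policy is meant to fix.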