Andreas Daalder
Posted March 30, 2019

Hello @all,

Hope someone can help me with my multidomain Citrix setup issue. I have a multidomain setup and an issue with logging into XenApp in a trusted domain via OKTA / SAML 2.0 with FAS. I used the blog from Carl as a guideline: https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

Environment (all servers are Windows 2016):

Domain A. containsrecource.local
0. Citrix NetScaler
1. Domain controller / Enterprise CA
2. Delivery Controller
3. StoreFront
4. FAS
5. XenApp 1801

Domain B. containstrusted.local
1. Domain controller
2. XenApp 1801

A two-way domain trust is in place.

[WORKING] Login into the VDA in the resource domain is working as it should with SAML / FAS.

[NOT WORKING] When I want to log in to the VDA in the trusted domain it fails and the error message below pops up. I can confirm a certificate is issued correctly in the resource domain for the user in the trusted domain. All needed registry settings are applied on the VDA in the trusted domain, and the trusted root certificate from the resource domain is added into the enterprise store in the trusted domain.

Registry keys
==========
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\ListOfDDCs | value: storefront FQDN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\ListOfSIDs | value: sid from storefront server
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent\SupportMultipleForest | value: 1

Policy Setting:

Error message in EVENT LOG on VDA XenApp 1801 (trusted domain)
=====================================================
Log Name: Application
Source: Citrix.Authentication.IdentityAssertion
Date: 3/29/2019 2:48:07 PM
Event ID: 104
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: VDA.trusted.local
Description:
[S104] Identity Assertion Logon failed.
Failed to connect to Federated Authentication Service: UserCredentialService [Address: FAS.recource.local][Index: 0] [Error: SOAP security negotiation with 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' for target 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' failed. See inner exception for more details.

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.GetConvertCredentialsVersionNumber(Int32 clientVersion)
   at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass31_0.<QueryLogonMethod>b__0()]

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Citrix.Authentication.IdentityAssertion" />
    <EventID Qualifiers="0">104</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-29T13:48:07.989377900Z" />
    <EventRecordID>31117</EventRecordID>
    <Channel>Application</Channel>
    <Computer>win5863.trusted.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[S104] Identity Assertion Logon failed.
Failed to connect to Federated Authentication Service: UserCredentialService [Address: FAS.recource.local][Index: 0] [Error: SOAP security negotiation with 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' for target 'http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider' failed. See inner exception for more details.

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Citrix.Authentication.UserCredentialServices.IConvertCredentials.GetConvertCredentialsVersionNumber(Int32 clientVersion)
   at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass31_0.<QueryLogonMethod>b__0()]</Data>
  </EventData>
</Event>
David Loader
Posted March 10, 2022

Hello Andreas,

I came across this post when searching for the same error; to my disappointment there are no replies on it. I have a similar setup to the one you have described. Did you resolve this somehow? If so, could you please share what you did?
Sivaraj Balraj
Posted December 9, 2022

Exactly the same. Citrix support, please assist on the above issue.
Julian Jakob
Posted January 3, 2023

Hello,

when you're getting "SOAP security negotiation ... failed" it's mostly related to one of the following issues:

- What happens when you browse to http://FAS.recource.local/CitrixUserCredentialService/IdentityProvider from your VDA? Is there a page showing up, so the connection via port 80 is working fine and there are no proxies in between the communication?
- Check your Kerberos settings between your trusts -> (here it's VDA registration; you can ignore this part, as VDA to FAS is using the same) https://support.citrix.com/article/CTX272352/cloud-vda-registration-failure-error-id-1023-broker-proxy-failed-to-communicate-with-the-cloud-ddc

Hope this helps
Santos Benito Herreros
Posted October 13, 2023

Hi,

In my case it was difficult to find a solution, but finally I did it. I am going to post it here in case it is useful for more people.

The only solution in my case is to use Kerberos Forest Search Order, configuring it in the KDC. The problem with this is that we have so many requests that if we use KFSO it could cause a denial of service problem, as indicated by MS in its documentation.

To do this, I have done something similar, but instead of configuring the KDC (domain controllers), it has been configured in the client part of Kerberos (Client) for those VDAs that are going to use the FAS.

These are the GPOs. As I say, in my case I only used the Kerberos one, applying it only to the VDAs that use the FAS service:

Computer Configuration \ Administrative Templates \ System \ Kerberos \ Use Forest Search Order
Computer Configuration \ Administrative Templates \ System \ KDC \ Use Forest Search Order
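The three things this thread turns on (the VDA registry values from Andreas's opening post, the port-80 and Kerberos checks Julian suggests, and the Kerberos client "Use Forest Search Order" policy Santos ended up using) can be verified read-only on the trusted-forest VDA before anyone touches the KDC. The script below is an added example written for this page; it is not Citrix's code and not something any poster shared. The hostnames and CA subject are placeholders lifted from the thread or invented for the example, the computer-SID cross-check is my addition (FAS only honours the SIDs listed in ListOfSIDs, so a stale SID fails silently), and the registry path and value names used to read the Kerberos client policy (`HKLM\SOFTWARE\Policies\Microsoft\System\Kerberos\Parameters`, `UseForestSearch`, `ForestSearchList`) are an assumption to confirm against the Kerberos.admx on your domain controller.

```powershell
# Added example (not from the thread): read-only pre-checks for a VDA in the trusted forest
# that must reach a FAS server in the resource forest. Run in an elevated PowerShell on the VDA.
[CmdletBinding()]
param(
    [string]$FasFqdn              = 'FAS.recource.local',         # hostname as it appears in the thread
    [string]$ResourceNetbios      = 'CONTAINSRECOURCE',           # placeholder NetBIOS name of domain A
    [string]$StoreFrontHost       = 'STOREFRONT',                 # placeholder: host part of the StoreFront FQDN
    [string]$ResourceRootCaSubject = 'CN=containsrecource-CA'     # placeholder: subject of domain A's root CA
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. VDA registry values from the opening post (64-bit VDA keeps them under Wow6432Node).
$vdaKey = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Citrix\VirtualDesktopAgent'
$vda = Get-ItemProperty -Path $vdaKey -ErrorAction SilentlyContinue
Add-Check 'ListOfDDCs set'            ([bool]$vda.ListOfDDCs)            "ListOfDDCs = $($vda.ListOfDDCs)"
Add-Check 'ListOfSIDs set'            ([bool]$vda.ListOfSIDs)            "ListOfSIDs = $($vda.ListOfSIDs)"
Add-Check 'SupportMultipleForest = 1' ($vda.SupportMultipleForest -eq 1) "SupportMultipleForest = $($vda.SupportMultipleForest)"

# Cross-check (my addition): the SID in ListOfSIDs must be the StoreFront computer account's SID.
# Resolving the account across the trust also proves the trust itself answers lookups.
try {
    $acct = New-Object System.Security.Principal.NTAccount($ResourceNetbios, "$StoreFrontHost`$")
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $listed = @($vda.ListOfSIDs -split '[ ,;]+') -contains $sid
    Add-Check 'ListOfSIDs matches StoreFront computer SID' $listed "expected $sid"
} catch {
    Add-Check 'ListOfSIDs matches StoreFront computer SID' $false "SID lookup failed: $($_.Exception.Message)"
}

# 2. Resource-forest root CA must be in the machine's Trusted Root store, not only in the user's.
$root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $ResourceRootCaSubject })
Add-Check 'Resource forest root CA trusted (LocalMachine\Root)' ($root.Count -gt 0) "matches: $($root.Count)"

# 3. Julian's first check: plain HTTP to the FAS IdentityProvider endpoint on TCP 80.
$tcp = Test-NetConnection -ComputerName $FasFqdn -Port 80 -WarningAction SilentlyContinue
Add-Check 'TCP 80 to FAS reachable' $tcp.TcpTestSucceeded "resolved to $($tcp.RemoteAddress)"
$url = "http://$FasFqdn/CitrixUserCredentialService/IdentityProvider"
try {
    # -NoProxy is not available on Windows PowerShell 5.1, so the WinHTTP proxy state is reported separately below.
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 10
    Add-Check 'FAS IdentityProvider answers over HTTP' ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode)"
} catch {
    Add-Check 'FAS IdentityProvider answers over HTTP' $false $_.Exception.Message
}
$proxyState = (& netsh.exe winhttp show proxy | Out-String).Trim()
Add-Check 'No WinHTTP proxy configured' ($proxyState -match 'Direct access') $proxyState

# 4. Julian's second check: the SOAP negotiation in the trace (SspiNegotiationTokenProvider) needs a
# Kerberos service ticket for the FAS host across the trust. klist runs as the current user here; the
# Citrix service authenticates as the computer account, so treat this as an approximation.
$klist = (& klist.exe get "HOST/$FasFqdn" 2>&1 | Out-String)
$gotTicket = ($klist -match [regex]::Escape("HOST/$FasFqdn")) -and ($klist -notmatch 'klist failed')
$lastLine  = ($klist.Trim() -split "`r?`n" | Select-Object -Last 1)
Add-Check "Kerberos ticket for HOST/$FasFqdn" $gotTicket $lastLine

# 5. Santos's fix: is the Kerberos *client* Forest Search Order policy applied on this VDA?
# ASSUMPTION: policy-backed registry location and value names as defined in Kerberos.admx; verify on your DC.
$kerbPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\System\Kerberos\Parameters' -ErrorAction SilentlyContinue
Add-Check 'Kerberos client Use Forest Search Order enabled' ($kerbPol.UseForestSearch -eq 1) "ForestSearchList = $($kerbPol.ForestSearchList)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit lets you run this from a scheduled audit
```

Every check is a read, so the script is safe to run repeatedly while you change one setting at a time. If checks 1 through 3 pass and only the Kerberos ticket fails, you are in the situation Santos describes and the client-side Forest Search Order policy (scoped to the FAS-using VDAs only, to avoid the KDC load MS warns about) is the next thing to try; if the TCP or HTTP check fails, the cause is network or proxy, not Kerberos.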