Error: Event ID 107 Citrix.Authentication.IdentityAssertion. User loses access to mapped network drives after they reconnect to disconnected session


Article ID: CTX255423


Description

You may see event ID 107 Citrix.Authentication.IdentityAssertion on a VDA with FAS [Federated Authentication Service] configured. The user loses access to mapped network drives after reconnecting to a disconnected session after 10 hours.

Details of the event:

Event ID 107 Citrix.Authentication.IdentityAssertion 

[S107] HdxCredentialSelector::PerformCertificateHash() Failed: [Error: Access Denied 
Server stack trace: 
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) 
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) 
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) 
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) 

Exception rethrown at [0]: 
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) 
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) 
at Citrix.Authentication.UserCredentialServices.ILogonCsp.SignHash(String cookie, String containerName, Int32 keyNumber, Int32 hashId, Byte[] hashToBeSigned) 
at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.<>c__DisplayClass14.<PerformCertificateHash>b__13()]

Resolution

1. Open a command prompt on the VDA and run the klist command.
2. Check the "Renew Time" value on cached Ticket #0. The default value should be 7 days:

3. Disable this specific option in the Default Domain GPO:

4. Create a new GPO at the domain level and enforce it. Set the Maximum lifetime for user ticket renewal to 7 days:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy


5. Run gpupdate /force, then log off from the VDA and log in again to force a ticket renewal. When running the klist command, the desired value is now properly:

Problem Cause

The Kerberos ticket renewal time was set to expire in 10 hours, so the Kerberos ticket could not be renewed once it expired after 10 hours.
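
The klist check in steps 1, 2 and 5 can be scripted. The PowerShell below is an added example, not part of the original article or of Citrix tooling: it parses klist output and reports each cached ticket's renewal window (Renew Time minus Start Time). The function name Get-KerbRenewWindow, the EXAMPLE.LOCAL sample data and the assumption that klist prints dates in the system locale are illustrative.

```powershell
# Added example (not Citrix code). Get-KerbRenewWindow is a hypothetical helper name.
function Get-KerbRenewWindow {
    param(
        [string[]]$KlistOutput = (klist),                        # default: live klist output
        [cultureinfo]$Culture  = [cultureinfo]::CurrentCulture,  # assumption: klist dates follow the system locale
        [double]$ExpectedDays  = 7                               # renewal window the article expects
    )
    $tickets = [System.Collections.Generic.List[hashtable]]::new()
    foreach ($line in $KlistOutput) {
        # A line such as "#0>  Client: ..." opens a new cached-ticket block
        if ($line -match '^#(\d+)>') { $tickets.Add(@{ Index = [int]$Matches[1] }) }
        if ($tickets.Count -eq 0) { continue }
        $current = $tickets[$tickets.Count - 1]
        if ($line -match 'Server:\s*(\S+)') {
            $current.Server = $Matches[1]
        } elseif ($line -match '(Start|End|Renew) Time:\s*(.+?)\s*\(local\)') {
            $current[$Matches[1]] = [datetime]::Parse($Matches[2], $Culture)
        }
    }
    foreach ($t in $tickets) {
        # Skip tickets whose timestamps could not be parsed (for example, no renew time)
        if (-not ($t.ContainsKey('Start') -and $t.ContainsKey('End') -and $t.ContainsKey('Renew'))) { continue }
        $window = $t.Renew - $t.Start
        [pscustomobject]@{
            Ticket      = $t.Index
            Server      = $t.Server
            Lifetime    = $t.End - $t.Start
            RenewWindow = $window
            RenewOK     = $window.TotalDays -ge $ExpectedDays
        }
    }
}

# Constructed sample (not from the article): a TGT whose renewal window is only 10 hours.
$sample = @'
#0>     Client: user1 @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        Start Time: 3/4/2024 8:00:00 (local)
        End Time:   3/4/2024 18:00:00 (local)
        Renew Time: 3/4/2024 18:00:00 (local)
'@ -split '\r?\n'

# Reports Ticket 0 with RenewWindow 10:00:00 and RenewOK False.
Get-KerbRenewWindow -KlistOutput $sample -Culture ([cultureinfo]::InvariantCulture)
```

On a VDA, call Get-KerbRenewWindow with no arguments right after a fresh logon; a ticket that has already been renewed keeps its original Renew Time and so shows a shorter window.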