Linux VDA with FAS enabled fails with "Invalid Login"
Article ID: CTX272163
Description
When logging in to a Linux VDA with FAS enabled, the login fails with the error "Invalid Login".

Resolution
1) Copy the root certificate and the intermediate certificate to the Linux VDA.
2) Use the openssl command to convert them to PEM:
   openssl x509 -inform der -in root.cer -out root.pem
   openssl x509 -inform der -in intercacert.cer -out inter.pem
3) Copy the PEM files to /etc/pki/CA/certs/
4) Specify the root and intermediate certificate paths in /etc/krb5.conf as follows:
   pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem
   pkinit_pool = FILE:/etc/pki/CA/certs/inter.pem
Problem Cause
The intermediate certificate needs to be specified in /etc/krb5.conf along with the root certificate. Only the root certificate was specified, under pkinit_anchors.
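A check for the condition described above, as an added example that is not part of the Citrix article or the VDA tooling. The function names (pkinit_value, is_pem, check_pkinit, verify_issuer) are hypothetical, and only FILE: values, as used in this article, are handled; krb5.conf section scoping is ignored.

```sh
#!/bin/sh
# Added example (not Citrix code): check the PKINIT trust settings from this article.

# pkinit_value CONF KEY -> prints the path from the last uncommented "KEY = FILE:<path>" line.
pkinit_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# is_pem FILE -> succeeds when FILE is readable and contains a PEM certificate header,
# i.e. the DER-to-PEM conversion in step 2 was actually done.
is_pem() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# check_pkinit CONF -> 0 ok, 1 no pkinit_anchors, 2 no pkinit_pool (the cause in this
# article), 3 a referenced file is missing or not PEM.
check_pkinit() {
    conf=$1
    anchors=$(pkinit_value "$conf" pkinit_anchors)
    pool=$(pkinit_value "$conf" pkinit_pool)
    [ -n "$anchors" ] || { echo "pkinit_anchors not set in $conf"; return 1; }
    [ -n "$pool" ] || { echo "pkinit_pool not set: intermediate CA not available to PKINIT"; return 2; }
    for f in "$anchors" "$pool"; do
        is_pem "$f" || { echo "$f is missing or not PEM (still DER?)"; return 3; }
    done
    echo "ok: anchors=$anchors pool=$pool"
}

# verify_issuer ROOT INTER -> succeeds when openssl confirms INTER was issued by ROOT.
# Run on the real certificates after check_pkinit passes.
verify_issuer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

On the VDA, run `check_pkinit /etc/krb5.conf`, then `verify_issuer` with the two paths it reports.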
Additional Information
Enable verbose logging for the ctxlogin module using the following command:
   /opt/Citrix/VDA/bin/setlog level login verbose
The following entries then appear in /var/log/xdl/hdx.log:
2020-04-20 17:33:29.921 <P7847:S3> citrix-ctxlogin: get_logon_certificate: exit, get logon certificate success.
2020-04-20 17:33:31.900 <P7847:S3> citrix-ctxlogin: validate_user: pam_authenticate err,can retry for user XXX@XXX.COM
2020-04-20 17:33:31.902 <P7847:S3> citrix-ctxlogin: logout_user: closing session and pam transaction.
2020-04-20 17:33:31.903 <P7847:S3> citrix-ctxlogin: validate_user: Exit (user=XXX@XXX.COM)=INVALID_PASSWORD
2020-04-20 17:33:31.903 <P7847:S3> citrix-ctxlogin: LoginBoxValidate: failed validation of user 'XXX@XXX.COM, INVALID_P'ASSWORD