Article ID: CTX272352
Description
VDA failing to register to Cloud Connectors.
VDA Event Viewer Error ID 1023: "The Citrix Desktop Service was refused a connection to the delivery controller"
VDA CDF error:
"Broker Proxy failed to communicate with the cloud DDC."
Cloud Connector CDF error:
BrokerProxyPlugin.LocalTest - Failed to test the VDA communication - System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent' for target 'http://10.x.x.x/Citrix/VirtualDesktopAgent/IQueryAgent' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed.
Resolution
You may have a cross-forest trust that uses RC4 on the trust relationship. In this case, refer to https://support.microsoft.com/en-us/help/4492348/kerberos-unsupported-etype-error-when-authenticating-across-trust for more details and a method to configure the trust to use AES128 and AES256 encryption.
A second solution is to enable RC4 Kerberos encryption type on the Connectors through Group Policy:
- Navigate to Local Group Policy Editor --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options
- Select Network Security: Configure encryption types allowed for Kerberos
- In the Local Security Setting, update RC4_HMAC_MD5 so that its box is checked.
- Select 'Apply'

Problem Cause
Group Policy was modified on the Cloud Connectors, restricting Kerberos to support only the encryption types AES128_HMAC_SHA1 and AES256_HMAC_SHA1.
The Kerberos session ticket is denied by the domain controller because of an unsupported encryption type.
Error found in trace file: "KRB5KDC_ERR_ETYPE_NOSUPP"
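
The mismatch described under Problem Cause and the two options under Resolution can be modelled by comparing encryption-type bitmasks. This is an added example, not Citrix or Microsoft code. The mask values are constructed, `diagnose` and its helpers are hypothetical names, and the rule that a trust with no value set falls back to RC4 only is an assumption based on the trust behaviour this article describes.

```python
# Simplified model of the etype mismatch in this article (added example).
# Bit flags shared by the "Configure encryption types allowed for Kerberos"
# policy (registry value SupportedEncryptionTypes under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters)
# and the msDS-SupportedEncryptionTypes attribute on a trust object.
ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_HMAC_SHA1",
    0x10: "AES256_HMAC_SHA1",
}


def decode(mask):
    """Return the set of etype names enabled in a bitmask."""
    return {name for bit, name in ETYPE_BITS.items() if mask & bit}


def trust_etypes(mask):
    """Assumption: a trust with no value set (None or 0) uses RC4 only."""
    return decode(mask) if mask else {"RC4_HMAC_MD5"}


def diagnose(connector_mask, trust_mask):
    """Compare what the connector allows with what the trust can use."""
    common = decode(connector_mask) & trust_etypes(trust_mask)
    # Highest bit first; for these five flags bit order follows strength.
    ranked = [n for _, n in sorted(ETYPE_BITS.items(), reverse=True) if n in common]
    return {
        "common": ranked,
        "error": None if ranked else "KRB5KDC_ERR_ETYPE_NOSUPP",
        "strongest": ranked[0] if ranked else None,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    cases = {
        "AES-only connector, RC4 trust (the failure)": (0x18, None),
        "AES-only connector, trust set to AES": (0x18, 0x18),
        "RC4 re-enabled on connector, RC4 trust": (0x1C, None),
    }
    for label, (connector, trust) in cases.items():
        print(f"{label}: {diagnose(connector, trust)}")
```

Both resolutions clear the error in this model, but only configuring the trust for AES leaves the connector negotiating AES256; re-enabling RC4 on the connector makes RC4_HMAC_MD5 the strongest shared type.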