Incorrect username and password when connecting to the VDAs using FAS SSO

Article ID: CTX282785

Description

  • After a secondary FAS server and CA server are added to the HA configuration, users get "Incorrect username and password" when launching apps or desktops.
  • Event ID 3 with error code "0x3e KDC_CLIENT_NOT_Trusted" is logged on the VDA once Kerberos logging is enabled.

 

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

  1. Verify that the certificate for the Domain Controller is issued by the CA. If it is not, reissue the certificates for the Domain Controllers using the "Domain Controller Authentication Template" from the CA.
  2. Reboot the Domain Controllers one by one.

If the issue still persists after these steps, follow https://support.citrix.com/article/CTX219849

Problem Cause

When the certificates for the Domain Controllers are not issued by the new CAs, the Domain Controllers are not able to recognize the authentication from the VDAs and mark it as an unrecognized client.

Additional Information

To enable Kerberos logging, add the following registry value:
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
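
The following PowerShell is an added example, not part of the original Citrix article: it sets the LogLevel value above on the VDA, waits while the failed launch is reproduced, then lists Event ID 3 entries that mention 0x3e. The function names are hypothetical, and it assumes the Kerberos events are written to the System log by a provider whose name contains "Kerberos".

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the VDA in an elevated PowerShell session.
# Registry key, value name, type and data are the ones given in this article.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosLogging {
    # Create the Parameters key if it does not exist yet, then set LogLevel = 0x1.
    if (-not (Test-Path -Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name 'LogLevel' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-KerberosLogging {
    # Remove the value again once troubleshooting is finished.
    Remove-ItemProperty -Path $KerbParams -Name 'LogLevel' -ErrorAction SilentlyContinue
}

function Get-KerberosClientNotTrustedEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    # Assumption: Kerberos logging writes to the System log.
    $filter = @{ LogName = 'System'; Id = 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos*' -and $_.Message -match '0x3e' } |
        Select-Object TimeCreated, MachineName, ProviderName, Message
}

Enable-KerberosLogging
Write-Host 'Kerberos logging enabled. Reproduce the failed launch, then press Enter.'
[void](Read-Host)

$hits = Get-KerberosClientNotTrustedEvent
if ($hits) {
    $hits | Format-List
} else {
    Write-Host 'No Event ID 3 with error code 0x3e found in the last hour.'
}

# Call Disable-KerberosLogging when the investigation is complete.
```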