Article ID: CTX322129
Description
- Users get an "Invalid Logon" error when launching a Citrix session.
- /var/log/xdl/hdx.log shows the following error:
2021-06-01 13:30:53.736 <P13857:S8> citrix-ctxlogin: : pam_authenticate err,can retry for use
- The pam_krb5 module fails, and the following error appears in /var/log/messages:
pam_krb5[XXXX]: authentication fails for 'USER' (USER): Authentication failure (Decrypt integrity check failed)
Resolution
Add the hostnames of all KDCs of the domain to pkinit_kdc_hostname in the /etc/krb5.conf file:
kdc = dc1.example.local
auth_to_local = RULE:[1:$1@$0]
pkinit_kdc_hostname = dc1.example.local
pkinit_kdc_hostname = dc2.example.local
pkinit_kdc_hostname = dc3.example.local
pkinit_kdc_hostname = dc4.example.local
pkinit_anchors = DIR:/etc/pki/CA/certs/
pkinit_eku_checking = kpServerAuth
pkinit_cert_match = ||<EKU>msScLogin,<KU>digitalSignature
Problem Cause
The required pkinit configuration is missing from /etc/krb5.conf.
pam_krb5 will not recognize the certificates of KDCs that are not listed under pkinit_kdc_hostname.
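To check a krb5.conf against the Resolution above, the following added example (not Citrix code) reports every KDC in a realm block that has no matching pkinit_kdc_hostname entry. The function names, the constructed sample configuration and the optional known_kdcs list (domain controllers you supply yourself, applied to every realm) are assumptions; it expects the opening brace on the same line as the realm name.

```python
import re

# Constructed sample: two KDCs configured, only one listed for PKINIT.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local:88
        kdc = DC2.example.local
        pkinit_kdc_hostname = dc1.example.local
        pkinit_anchors = DIR:/etc/pki/CA/certs/
    }
"""

def parse_realms(conf_text):
    """Return {realm: {"kdc": set, "pkinit_kdc_hostname": set}} from krb5.conf text."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new [section] header
            section, realm = m.group(1), None
        elif section == "realms" and line.startswith("}"):
            realm = None                         # end of the realm block
        elif section == "realms":
            key, _, value = (p.strip() for p in line.partition("="))
            if value.startswith("{"):            # "REALM = {" opens a block
                realm = key
                realms[realm] = {"kdc": set(), "pkinit_kdc_hostname": set()}
            elif realm and key in realms[realm]:
                host = value.lower()             # hostnames compare case-insensitively
                if key == "kdc":
                    host = host.rsplit(":", 1)[0]  # drop an optional :port
                realms[realm][key].add(host)
    return realms

def missing_pkinit_hostnames(conf_text, known_kdcs=()):
    """Per realm, KDCs (kdc= lines plus known_kdcs) without a pkinit_kdc_hostname entry."""
    report = {}
    for realm, entries in parse_realms(conf_text).items():
        expected = entries["kdc"] | {h.lower() for h in known_kdcs}
        missing = expected - entries["pkinit_kdc_hostname"]
        if missing:
            report[realm] = sorted(missing)
    return report

if __name__ == "__main__":
    print(missing_pkinit_hostnames(SAMPLE_KRB5_CONF, ["dc3.example.local"]))
```

An empty result means every KDC the script knows about is covered; pass the full list of domain controllers in known_kdcs when krb5.conf does not name them all in kdc = lines.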