Citrix Cloud CVAD 1912 LTSR - VDA Registration failure - Security Support Provider Interface (SSPI) authentication failed


Article ID: CTX335438


Description

You may see the VDA fail to register with the Cloud Connectors with the following error:


Error Details: Exception 'Error occurred when attempting to connect to endpoint at address http://<Cloud connector machine name>.<domain name>.local:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://<IP Address>/Citrix/CdsController/IRegistrar' for target 'http://<IP Address>/Citrix/CdsController/IRegistrar' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'HOST/<Cloud connector machine name>.<domain name>.local'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server. Error Details: Exception 'Error occurred when attempting to connect to endpoint at address http://<Cloud connector machine name>.<domain name>.local:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed. at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

Resolution

  1. Verify that the VDA and the Connector are successfully joined to the AD domain. You may need to check the System event log for NETLOGON errors.
  2. Check the AD properties of the connector by running:

    setspn -L <Cloud Connector machine name>

  3. Check whether CIS-based hardening has been applied to the Cloud Connectors. This may remove the following encryption types from the Windows security policy: DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5.

     Ensure that RC4_HMAC_MD5 is present at:

     Computer Configuration > Windows Settings > Security Settings > Security Options

     Network security: Configure encryption types allowed for Kerberos
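
To carry out the check in step 3 from a console, the following added example (not part of the original Citrix article) decodes the registry value that the "Configure encryption types allowed for Kerberos" policy writes, so the result on the Cloud Connector can be compared with the VDA. The function name Get-KerberosEtypePolicy is hypothetical.

```powershell
# Added example: decode the Kerberos encryption types allowed by policy
# on the local machine. Run it on the Cloud Connector and on the VDA.

# Registry value written by the security option
# "Network security: Configure encryption types allowed for Kerberos"
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$name = 'SupportedEncryptionTypes'

# Bit flags used in the policy value
$etypes = [ordered]@{
    'DES_CBC_CRC'      = 0x1
    'DES_CBC_MD5'      = 0x2
    'RC4_HMAC_MD5'     = 0x4
    'AES128_HMAC_SHA1' = 0x8
    'AES256_HMAC_SHA1' = 0x10
}

# Hypothetical helper name, used only for this illustration
function Get-KerberosEtypePolicy {
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the policy is not configured and OS defaults apply
        return [pscustomobject]@{ Configured = $false; Raw = $null; Allowed = @() }
    }

    $value = [int]$prop.$name
    $allowed = foreach ($e in $etypes.GetEnumerator()) {
        if ($value -band $e.Value) { $e.Key }
    }

    [pscustomobject]@{
        Configured = $true
        Raw        = '0x{0:X}' -f $value
        Allowed    = @($allowed)
    }
}

$policy = Get-KerberosEtypePolicy
$policy | Format-List

# Step 3 of the resolution: flag a policy that has dropped RC4_HMAC_MD5
if ($policy.Configured -and $policy.Allowed -notcontains 'RC4_HMAC_MD5') {
    Write-Warning "RC4_HMAC_MD5 is not in the allowed Kerberos encryption types on $env:COMPUTERNAME."
}
```

A mismatch between the two machines, where one side allows only types the other side has removed, is consistent with the negotiation failure shown in the error above.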
 

Problem Cause

The System.ServiceModel.Security.SecurityNegotiationException errors are caused by a Kerberos authentication issue.