Linux VDA: Registration Failure Error: RejectionCode=AgentNotContactable

Article ID: CTX459688

Description

Errors in /var/log/xdl/vda.log on the Linux VDA

2022-04-12 16:30:03.490 [ERROR] - RegistrationManager.AttemptRegistrationWithSingleDdc: Registration with http://XXXXXX/Citrix/CdsController/IRegistrar failed. RejectionCode=AgentNotContactable
2022-04-12 16:30:03.490 [TRACE] - REGISTRATION Failed registration: VDA machine SID: S-XX_XX_7, Broker IP: XX, Heartbeat period: 0 Error: AgentNotContactable

DDC CDF (Citrix Diagnostic Facility) trace errors

Error,"[TID:1776cbfd-bbf2-11ec-a2d3-97b6debebebe]PrepareSession(S-XX-XXX-XXX): Failed prepare call, exception:System.ServiceModel.Security.MessageSecurityException: The token provider cannot get tokens for target 'http://XX/Citrix/VirtualDesktopAgent/ILaunch'. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details. ---> System.IdentityModel.Tokens.SecurityTokenException: InitializeSecurityContent failed. Ensure the service principal name is correct. ---> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC

TGS request failures on the DDC (Wireshark) - KRB Error: KRB-ERROR ERR_ETYPE_NOSUPP

Resolution

Set the msDS-SupportedEncryptionTypes attribute to 31 on the Linux VDA computer object in Active Directory.

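The following PowerShell is an added example, not part of the Citrix article, showing how an administrator can inspect the attribute on a working and a non-working VDA computer object (the comparison described under Problem Cause), decode the bitmask, and then apply the value 31 from the resolution. It assumes the ActiveDirectory RSAT module is installed and that the account running it may modify the computer object; the computer names LVDA01 and LVDA02 are placeholders.

```powershell
# Added example (not from the Citrix article): inspect and set
# msDS-SupportedEncryptionTypes on Linux VDA computer objects.
# Assumes the ActiveDirectory module and rights to modify the object.
# 'LVDA01' (working) and 'LVDA02' (non-working) are placeholder names.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as defined by Microsoft.
# 31 (0x1F) is the sum of all five; 24 (0x18) would be AES-only.
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function Get-SupportedEncTypes {
    param([Parameter(Mandatory)][string]$ComputerName)

    $obj   = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes'
    $value = $obj.'msDS-SupportedEncryptionTypes'

    if ($null -eq $value) {
        # Attribute absent: the non-working state described in the article
        return [pscustomobject]@{ Computer = $ComputerName; Value = $null; EncTypes = @('(not set)') }
    }

    # Decode the bitmask into the encryption type names it enables
    $names = $EncTypeFlags.GetEnumerator() |
        Where-Object { ($value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }

    return [pscustomobject]@{ Computer = $ComputerName; Value = $value; EncTypes = ($names -join ', ') }
}

# Compare the working and the non-working VDA before changing anything
'LVDA01', 'LVDA02' | ForEach-Object { Get-SupportedEncTypes -ComputerName $_ } | Format-Table -AutoSize

# Apply the article's resolution to the affected object: value 31
Set-ADComputer -Identity 'LVDA02' -Replace @{ 'msDS-SupportedEncryptionTypes' = 31 }

# Verify the attribute now reads 31 and decodes to all five encryption types
Get-SupportedEncTypes -ComputerName 'LVDA02'
```

The value 31 enables DES, RC4 and both AES types, which matches the working VDA in the article. If the domain no longer needs DES or RC4, the same cmdlet with the value 24 restricts the object to AES only; verify that registration still succeeds after such a change, since the VDA's own Kerberos configuration must also support the selected types.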
Problem Cause

Registration failure can occur for any of the following reasons:

1.) Underlying Kerberos communication failure - the AS request from the VDA fails, or the TGS request from the VDA to the DDC or from the DDC to the VDA fails.
2.) DNS resolution failures on the DDC or the VDAs.
3.) Network communication failure between DDC and VDA.
4.) Broker service failures on the VDAs or DDCs.

In this particular case, the DDC was unable to obtain a TGS ticket for the VDA broker service. A Wireshark capture taken on the DDC showed the Kerberos TGS request failing with error code 14 (ERR_ETYPE_NOSUPP).

The non-working VDA's computer object had no msDS-SupportedEncryptionTypes attribute set, whereas the working VDA's computer object had msDS-SupportedEncryptionTypes set to 31.