Ubuntu 24.04 VDA 2411 - "Invalid Login" with FAS Enabled

Ubuntu 24.04 VDA 2411 - "Invalid Login" with FAS Enabled

book

Article ID: CTX692832

calendar_today

Updated On:

Description

Users on Ubuntu 24.04 with Citrix VDA 2411 and Federated Authentication Service (FAS) enabled experience "Invalid Login" errors during login attempts.

 

Resolution

To resolve the "Invalid Login" error encountered on Ubuntu 24.04 systems running Citrix VDA 2411 with Federated Authentication Service (FAS) configured, you will need to modify a specific registry setting on the VDA machine.

Steps:

  1. Access the terminal on your Ubuntu 24.04 VDA machine.
  2. Execute the Registry Command:
  3. Run the following command to create the necessary registry key and value:

/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent\Authentication\UserCredentialService" -t "REG_SZ" -v "DigestMethod" -d "SHA256" --force

Explanation:

  • /opt/Citrix/VDA/bin/ctxreg: This is the Citrix registry tool used to modify registry settings on the VDA.
  • create: This specifies that a new registry key or value should be created.
  • -k "HKLM\Software\Citrix\VirtualDesktopAgent\Authentication\UserCredentialService": This specifies the registry key path.
  • -t "REG_SZ": This sets the data type to String (REG_SZ).
  • -v "DigestMethod": This specifies the value name.
  • -d "SHA256": This sets the data value to "SHA256". This value is needed for the VDA to work correctly with FAS in this specific Ubuntu release.
  • --force: This forces the creation of the key and value, even if they already exist.

 

Problem Cause

The "Invalid Login" error observed on Ubuntu 24.04 with Citrix VDA 2411 and FAS configured is due to a compatibility issue related to the pkinit (Public Key Initial Authentication in Kerberos) version.

Specifically:

Older versions of Ubuntu, such as 22.04, utilized pkinit version 1.19.2-2, which was incompatible with the SHA256 digest method.
Ubuntu 24.04 has updated the pkinit version to 1.20.1-6. This newer version is now compatible with the SHA256 digest.
Therefore, the VDA 2411 on Ubuntu 24.04, when configured with FAS, requires the SHA256 digest method to function correctly. The older pkinit version present in prior Ubuntu releases lacked this compatibility, leading to authentication failures. The update to pkinit 1.20.1-6 in Ubuntu 24.04 resolves this incompatibility.

Powered by Wolken Software