Linux VDA FAS auth failure pam_krb5 User unable to login

Article ID: CTX696483

Description

On Linux VDA LTSR 2507 with Citrix Cloud, FAS authentication fails with pam_krb5 errors on a domain-joined, MCS-provisioned machine.

Linux VDA FAS Authentication Fails Due to Missing Server Certificate Chain

Symptoms

Users are unable to log on to Linux Virtual Delivery Agents (VDAs) when Citrix Federated Authentication Service (FAS) is enabled.

Observed symptoms may include:

  • Authentication failures during user logon to Linux VDAs
  • Kerberos PKINIT authentication errors
  • Successful authentication on Windows VDAs, but failures on Linux VDAs
  • No configuration issues detected on the FAS server or Active Directory side

Affected Products

  • Citrix Virtual Apps and Desktops (CVAD)
  • Linux Virtual Delivery Agent (VDA)
  • Citrix Federated Authentication Service (FAS)

Environment

This article is provided for informational purposes only and describes a scenario observed in a specific environment.
The information is based on the product behavior at the time of writing and may not apply to all deployments.

Citrix does not guarantee similar results in every environment. Configuration steps, package versions, and certificate requirements may vary depending on the Linux distribution, Citrix Virtual Apps and Desktops release, and enterprise PKI design.

Citrix recommends validating all changes in a test or staging environment before applying them to production systems.
This article does not replace official product documentation, best practices, or support agreements.

Cause

This issue occurs due to an incomplete Public Key Infrastructure (PKI) trust configuration on the Linux VDA.

In environments where multiple PKIs are in use, for example:

  • One PKI for User Authentication
  • A separate PKI for Server or KDC certificates

the Linux VDA may trust only one certificate chain.

If the server/KDC certificate chain is not present or trusted on the Linux VDA, Kerberos PKINIT validation fails, which prevents FAS authentication from completing successfully.

Linux VDAs require the full certificate trust chain for all PKIs involved in the authentication process.

Resolution

Complete the following steps on the Linux VDA:

1. Verify PKI Trust

Ensure that the Linux VDA trusts all required certificate chains, including:

  • User authentication certificate chain
  • Server/KDC certificate chain

All root and intermediate CA certificates must be correctly installed in the Linux trust store.


2. Install Required Packages

Ensure that the required Kerberos, SSSD, and FAS-related packages are installed.

Typical required packages include:

  • realmd
  • sssd, sssd-tools
  • libnss-sss, libpam-sss
  • adcli
  • oddjob, oddjob-mkhomedir
  • krb5-user, krb5-pkinit
  • libpam-krb5

These packages are required to support Kerberos PKINIT and SSSD-based authentication.


3. Remove winbind (If Installed)

If winbind or Samba-based components are present, remove them to avoid authentication conflicts.

Common conflicting packages include:

  • winbind
  • libnss-winbind
  • libpam-winbind
  • samba

SSSD is the recommended authentication framework for Linux VDA deployments with FAS.
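A pre-flight check covering the three steps above, written as an added example rather than anything shipped with the Linux VDA or FAS: it reads the trust-anchor bundle from the pkinit_anchors line in krb5.conf (only the FILE: form is handled, an assumption), verifies a KDC certificate and a user certificate against that bundle with openssl so a chain that is trusted for one PKI but not the other shows up, and compares installed packages against the required and conflicting lists with dpkg-query (a Debian/Ubuntu system is assumed, matching the package names listed). The krb5.conf path and the PEM copies of the KDC and user certificates are assumptions; obtain the certificates from the respective PKI teams.

```shell
#!/bin/sh
# Added example: FAS/PKINIT pre-flight check for a Linux VDA, not Citrix tooling.
# Assumes Debian/Ubuntu package names (as listed above), dpkg-query, openssl,
# and a krb5.conf whose pkinit_anchors uses the FILE:<bundle> form.
REQUIRED_PKGS="realmd sssd sssd-tools libnss-sss libpam-sss adcli oddjob oddjob-mkhomedir krb5-user krb5-pkinit libpam-krb5"
CONFLICT_PKGS="winbind libnss-winbind libpam-winbind samba"

# Print the bundle path from the first "pkinit_anchors = FILE:<path>" line in krb5.conf.
pkinit_anchors_path() {   # $1 = krb5.conf
  sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Step 1: does the certificate chain (root and intermediates) to the anchors bundle?
verify_chain() {          # $1 = anchors bundle, $2 = PEM certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Probe: exit 0 when a Debian package is installed.
dpkg_installed() { dpkg-query -W -f '${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'; }

# Print the packages that the probe ($1) reports as NOT installed (step 2).
list_missing() {
  probe=$1; shift
  for p in "$@"; do "$probe" "$p" || printf '%s\n' "$p"; done
  return 0
}

# Print the packages that the probe ($1) reports as installed (step 3, conflicts).
list_installed() {
  probe=$1; shift
  for p in "$@"; do "$probe" "$p" && printf '%s\n' "$p"; done
  return 0
}

# Run all checks; print each failure and return 1 if anything needs fixing.
preflight() {             # $1 = krb5.conf, $2 = KDC cert (PEM), $3 = user cert (PEM)
  rc=0
  anchors=$(pkinit_anchors_path "$1")
  if [ -z "$anchors" ] || [ ! -r "$anchors" ]; then
    echo "FAIL: no readable pkinit_anchors FILE: bundle in $1"; rc=1
  else
    verify_chain "$anchors" "$2" || { echo "FAIL: KDC certificate does not chain to $anchors"; rc=1; }
    verify_chain "$anchors" "$3" || { echo "FAIL: user certificate does not chain to $anchors"; rc=1; }
  fi
  missing=$(list_missing dpkg_installed $REQUIRED_PKGS)
  [ -z "$missing" ] || { echo "FAIL: missing packages:"; echo "$missing"; rc=1; }
  conflicts=$(list_installed dpkg_installed $CONFLICT_PKGS)
  [ -z "$conflicts" ] || { echo "FAIL: winbind/Samba packages present:"; echo "$conflicts"; rc=1; }
  return $rc
}
```

Source the file and run, for example, `preflight /etc/krb5.conf /tmp/kdc.pem /tmp/user.pem` (paths are assumptions); a non-zero exit with a "FAIL:" line for either certificate points at the missing chain described under Cause.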

Issue/Introduction

Linux VDA LTSR 2507: users are unable to log on to Linux Virtual Delivery Agents (VDAs) when Citrix Federated Authentication Service (FAS) is enabled.