Getting "Request not supported" while launching a published Desktop with FAS enabled
Article ID: CTX218941
Description
- Launching of a published desktop fails when StoreFront server is configured to use FAS.
- You will get an error "Request Not Supported".
- The below error may be seen in Kerberos event logs on the VDA when attempting to launch.
0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type

* Kerberos events are logged under System Event logs when Kerberos logging is enabled through Registry. These are the Registry settings for VDA.

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type: DWORD
Name: LogLevel
Value: 0x1

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type: DWORD
Name: KerbDebuglevel
Value: 0xffffffff

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Type: DWORD
Name: KdcDebugLevel
Value: 0x1

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Type: DWORD
Name: KdcExtraLogLevel
Value: 0x1f

Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
Environment
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Resolution
You need to have a Kerberos Authentication certificate on all the domain controllers. To enroll for a new certificate, follow the steps below.
- On the domain controller, open mmc.
- Click File, then click Add/Remove Snap-in.
- Select Certificates, click Add, then select Computer account.
- Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.
- Press Next.
- Select Kerberos Authentication Certificate Template and press Enroll.
Note: If you do not see Kerberos Authentication in the Auto Enrollment in the Domain Controller certificate mmc, go to the Certificate Authority server, add the domain controller in the security of the Kerberos Authentication Template, and give it AutoEnroll permissions.
Note: If you have multiple domain controllers, the administrator needs to ensure that the DC doing certificate validation for the user has a domain controller authentication certificate in its personal store.
Problem Cause
- The domain controller has no certificate issued by the Enterprise PKI component in its computer certificate store.
- This can be confirmed by the event 19 or 29: "The key distribution center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
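
One way to check the condition described under Problem Cause on a domain controller, as an added PowerShell example that is not part of the Citrix article. The EKU OIDs and the KDC event provider name are standard Windows values assumed here, not quoted from the article.

```powershell
# Added example: run in an elevated PowerShell session on each domain controller.
# OIDs are the standard EKU values (assumed here, not quoted from the article).
$kdcAuthOid = '1.3.6.1.5.2.3.5'         # KDC Authentication (Kerberos Authentication template)
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$now        = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Build the chain with online revocation checking to see whether the certificate verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        KdcAuthEku    = $ekus -contains $kdcAuthOid
        SmartCardEku  = $ekus -contains $scLogonOid
        ChainOk       = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
$report | Format-List

# A usable Kerberos Authentication certificate is current, has a private key and chains cleanly.
$usable = @($report | Where-Object {
    $_.KdcAuthEku -and $_.HasPrivateKey -and $_.InValidity -and $_.ChainOk
})
if ($usable.Count -eq 0) {
    Write-Warning 'No valid certificate with the KDC Authentication EKU in LocalMachine\My.'
}

# KDC certificate problems the article refers to (events 19 and 29, System log).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 19, 29
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A domain controller that prints the warning and also returns event 19 or 29 matches the cause described above and needs the enrollment steps from the Resolution section.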
Issue/Introduction
Launching a published Desktop with FAS fails with the error "Request Not Supported".
Additional Information
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service/fas-config-manage/fas-troubleshoot-logon.html#kerberos-logs