Users from one AD Domain not able to get FAS user certificates from another trusted domain.
Article ID: CTX220497
Description
Unable to get a FAS user certificate for users belonging to domain A when the Citrix servers (StoreFront, FAS and VDA) are part of domain B.
The following error appears in Event Viewer:
"Error: Citrix.Authentication.FederatedAuthenticationService Error 102
(S102) Server (Domain\StoreFrontServer) failed to assert UPN (abctest@abc.com) (Exception: The user name or password is incorrect.
at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn, SafeAccessTokenHandle& safeTokenHandle)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
at Citrix.Authentication.UserCredentialServices.ServerConvertCredentials.CreateCookiesForCertificate(WindowsIdentity caller,
String upn, SecurityIdentifier sid, RoleConfig roleConfig, String securityContext, Boolean wait)) "
Resolution
- Add the Citrix StoreFront servers, FAS server and VDA servers from domain B to the Windows Authorization Access Group in domain A.
Note:
When a trust is enabled, the default member of the Windows Authorization Access Group is "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" (this is an object representing a user or computer from a trusted domain).
The group holds objects from the trusted domains, and for the authentication step its members are granted the "ReadTokenGroupsGlobalAndUniversal" permission on the objects from the trusted domains.
Problem Cause
The Citrix StoreFront servers, FAS server and VDA servers from domain B did not have the "ReadTokenGroupsGlobalAndUniversal" permission on the objects in domain A.
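The steps under Resolution and the permission named under Problem Cause, as an added PowerShell example that is not Citrix's own script: it assumes the RSAT ActiveDirectory module, an account allowed to edit the group in domain A, placeholder domain and host names, and the user abctest from the error above.

```powershell
# Added example, not from the Citrix article: adds the domain-B computer
# accounts to domain A's Windows Authorization Access Group and then verifies
# both the membership and the tokenGroupsGlobalAndUniversal read right.
# Needs the RSAT ActiveDirectory module and an account allowed to edit the
# group in domain A. Domain names, hostnames and the user are placeholders.
Import-Module ActiveDirectory

$domainA  = 'abc.com'                              # users' domain (placeholder)
$domainB  = 'domainb.example'                      # StoreFront/FAS/VDA domain (placeholder)
$servers  = @('STOREFRONT01', 'FAS01', 'VDA01')    # placeholder hostnames
$testUser = 'abctest'                              # sAMAccountName in domain A (placeholder)

# Resolve the computer accounts in domain B.
$members = foreach ($name in $servers) { Get-ADComputer -Identity $name -Server $domainB }

# Add them to the built-in group in domain A. Members from a trusted domain are
# stored as foreign security principals named after the computer's SID.
$waag = Get-ADGroup -Identity 'Windows Authorization Access Group' -Server $domainA
Add-ADGroupMember -Identity $waag -Members $members -Server $domainA

# Verify membership by reading the group's member DNs directly, which avoids
# Get-ADGroupMember failing to resolve cross-domain members.
$memberDns = (Get-ADGroup -Identity $waag -Server $domainA -Properties member).member
foreach ($m in $members) {
    $present = [bool]($memberDns | Where-Object { $_ -like "CN=$($m.SID.Value),*" })
    '{0,-14} {1}' -f $m.Name, $(if ($present) { 'member' } else { 'MISSING' })
}

# Verify the ACE: the group should hold a read right on the
# tokenGroupsGlobalAndUniversal attribute of users in domain A. The attribute's
# schema GUID is looked up instead of being hard-coded.
$schemaNc = (Get-ADRootDSE -Server $domainA).schemaNamingContext
$attrGuid = [guid](Get-ADObject -Server $domainA -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=tokenGroupsGlobalAndUniversal)' `
    -Properties schemaIDGUID).schemaIDGUID

# A dedicated AD drive for domain A so Get-Acl does not query the logon domain.
New-PSDrive -Name ADA -PSProvider ActiveDirectory -Server $domainA -Root '' | Out-Null
$userDn = (Get-ADUser -Identity $testUser -Server $domainA).DistinguishedName
(Get-Acl -Path "ADA:\$userDn").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and $_.ActiveDirectoryRights -match 'ReadProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

If the final listing shows no entry for the Windows Authorization Access Group, the right is missing on that user object and the S102 error will persist even though the group membership is correct.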