Incorrect Username and password error when using FAS to single sign on with VDA with event ID 19

Article ID: CTX270737
Description

When launching an ICA session to the VDA with FAS, the logon fails with the error "The username or password is incorrect", even though the certificate has already reached the VDA, as shown by event ID 106. The certificate can be validated using: https://support.citrix.com/article/CTX219849

The System event log on the VDA will show the following event generated by Security-Kerberos:

Event ID 19:

The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 1.3.6.1.5.2.3.5: Error Code 0xc0000320. The domain administrator will need to obtain a certificate with the KDC EKU for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.

Resolution

  • Go to the Domain Controller certificates
  • Open MMC > Add and remove Snap-ins > Certificates > Local Computer
  • Check that all of the following are listed in the "Intended purpose" section of the Domain Controller certificate in the Personal folder
    • Client Authentication
    • Server Authentication
    • SmartCard Logon
    • KDC Authentication
  • If not, request a new certificate from MMC with the option below checked:
  • Reboot the VDA and log in again
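The same check can be scripted so that it does not rely on reading the "Intended purpose" column by eye. The following PowerShell is an added example, not part of the Citrix article: it reads the Enhanced Key Usage extension of every certificate with a private key in the Local Computer Personal store on the domain controller, reports which of the four EKUs above are missing, and (when run on the VDA) pulls any Security-Kerberos event 19 entries from the System log. The store path and the event provider name `Microsoft-Windows-Security-Kerberos` are assumptions; the EKU OIDs are the standard ones, with 1.3.6.1.5.2.3.5 being the KDC EKU named in the event text.

```powershell
# Added example (not from the Citrix article): audit domain controller certificates for the
# EKUs that FAS smart card logon needs, and look for Security-Kerberos event 19 on the VDA.
# Run in an elevated PowerShell on the DC (certificate check) or on the VDA (event check).

# EKUs the resolution steps list under "Intended purpose". The KDC EKU OID is the one quoted
# in the event 19 text; the other three are the standard PKIX/Microsoft OIDs.
$RequiredEkus = [ordered]@{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

function Get-CertificateEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Read the Enhanced Key Usage extension itself rather than the friendly "Intended purpose"
    # text, so the result does not depend on localized display names.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return @() }
    return @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-DomainControllerCertificates {
    # Store path is an assumption: the Local Computer Personal store, as in the MMC steps above.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only a certificate with a private key can be used by the KDC.
        if (-not $cert.HasPrivateKey) { continue }
        $present = Get-CertificateEkuOids -Certificate $cert
        $missing = @($RequiredEkus.Keys | Where-Object { $present -notcontains $_ })
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            MissingEku = ($missing | ForEach-Object { $RequiredEkus[$_] }) -join ', '
            Usable     = ($missing.Count -eq 0 -and $cert.NotAfter -gt (Get-Date))
        }
    }
    return $results
}

function Get-KdcEkuEvents {
    # Security-Kerberos event 19 in the System log on the VDA. The provider name
    # 'Microsoft-Windows-Security-Kerberos' is an assumption.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 19
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# A DC certificate with Usable = False and 'KDC Authentication' in MissingEku is the
# condition event 19 describes; request a new certificate as in the steps above.
Test-DomainControllerCertificates | Format-Table Subject, NotAfter, Usable, MissingEku -AutoSize
Get-KdcEkuEvents | Format-List
```

If every certificate in the store reports `Usable = False`, the domain controller has no certificate the KDC can use for smart card logon, which matches the event 19 text; after a new certificate is issued, rerun the check before rebooting the VDA.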

Problem Cause

This is by-design behavior. The Kerberos Key Distribution Center (KDC) service repeats this check to see whether there is an existing, usable certificate or whether a new one is present.