Article ID: CTX560789
Description
Users receive an "Incorrect username and password" error (FAS) when they try to log on after launching a desktop.
There are no errors on the certificates and no errors in the "Application" and "System" event logs on the FAS server.
Check the VDA event logs (Windows Logs > Security) for an audit failure at the same time as the login failure:
0xC000006A | User name is correct but the password is wrong
0xC000006D | This is either due to a bad username or authentication information

An error like the above suggests that the certificate validation failed at the domain (Kerberos) level.
The domain controller contained the following error for your user ID (Event ID 4771):

Environment
Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.
Resolution
Issues with validating the user certificate at the domain level need to be troubleshot from a Microsoft perspective, because the user's certificate validation is failing at the domain level.
The recommendation is to reach out to Microsoft support or the vendor of the certificate-based authentication, as there seems to be something invalid about this user certificate.
Workaround:
As per https://support.citrix.com/article/CTX217150, set the following registry key on the VDA:
HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
Description: After you set this DWORD value to 1, the Kerberos clients (smart card logon clients) ignore "revocation unknown" errors that are caused by an expired CRL.
Note: This key should be deleted once the actual issue is resolved.
Problem Cause
Certificate validation failed at a domain (Kerberos) level.
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
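As an added example (not part of the Citrix article), the PowerShell below flattens an audit-failure event into the fields this article asks you to compare: the two VDA status codes from the Description and the certificate fields of event 4771, which may be absent. The sample events are constructed; event ID 4625 as the VDA audit failure, the function name and the field names are assumptions based on the standard Windows Security event schema.

```powershell
# Added example. The two NTSTATUS descriptions are the ones given in this article.
$StatusText = @{
    '0xc000006a' = 'user name is correct but the password is wrong'
    '0xc000006d' = 'bad username or authentication information'
}

function ConvertFrom-AuditFailureXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    # Flatten <Data Name="...">value</Data> into a lookup table; a damaged
    # event may carry no EventData at all, so tolerate that.
    $d = @{}
    $ed = $x.Event['EventData']
    if ($ed) {
        foreach ($n in $ed.GetElementsByTagName('Data')) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    }
    $codes = @($d['Status'], $d['SubStatus']) | Where-Object { $_ }
    $known = $codes | Where-Object { $StatusText.ContainsKey($_.ToLower()) } |
        ForEach-Object { '{0}: {1}' -f $_, $StatusText[$_.ToLower()] }
    [pscustomobject]@{
        EventId         = [int]$x.Event['System']['EventID'].InnerText
        User            = $d['TargetUserName']
        Codes           = $codes -join ', '
        Meaning         = $known -join '; '
        PreAuthType     = $d['PreAuthType']
        # Empty unless a certificate was used for pre-authentication.
        CertIssuer      = $d['CertIssuerName']
        CertThumbprint  = $d['CertThumbprint']
        CertificateUsed = [bool]$d['CertThumbprint']
    }
}

# Constructed sample events (not taken from a real system).
$vdaEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData><Data Name="TargetUserName">user1</Data>
  <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data></EventData>
</Event>
'@
$dcEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4771</EventID></System>
 <EventData><Data Name="TargetUserName">user1</Data><Data Name="Status">0x18</Data>
  <Data Name="PreAuthType">16</Data><Data Name="CertIssuerName">Example-CA</Data>
  <Data Name="CertThumbprint">PLACEHOLDER-THUMBPRINT</Data></EventData>
</Event>
'@
$vdaEvent, $dcEvent | ForEach-Object { ConvertFrom-AuditFailureXml $_ } | Format-List
# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Keywords=4503599627370496} -MaxEvents 200 |
#   ForEach-Object { ConvertFrom-AuditFailureXml $_.ToXml() }   # 4503599627370496 = Audit Failure keyword
```

An event 4771 row with CertificateUsed set to False means pre-authentication did not involve a certificate, so look elsewhere than certificate validation for that failure.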
Issue/Introduction
Incorrect username and password (FAS)