Can't complete your request with SAML enabled in a Single Domain

Article ID: CTX584014

Description

  • Logging on to NetScaler Gateway with a UPN-style user name (user@domain) fails with "Can't complete your request" when SAML authentication is enabled.
  • The StoreFront event log shows "An authentication attempt was made for user: username@domainname.com.cn with realm context <unknown> resulting in: Failed -1073741715". The decimal value -1073741715 is the NTSTATUS code 0xC000006D (STATUS_LOGON_FAILURE).
  • The StoreFront verbose log shows "Kerberos authentication: Failed. Authentication Status: C000006D Sub-status: 0000 [The attempted logon is invalid. This is either due to a bad username or authentication information.]"
  • A network trace taken on the StoreFront server shows the domain controller answering the Kerberos request with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6).

Resolution

To add the SAML user's domain as an alternate UPN suffix to the forest
  1. Log in to a Windows Server domain controller (or a server with the AD DS tools installed) with a domain administrator account.
  2. Open Server Manager using the icon on the desktop taskbar, or from the Start screen.
  3. Select Active Directory Domains and Trusts from the Tools menu.
  4. In the Active Directory Domains and Trusts console, right-click Active Directory Domains and Trusts in the left pane and select Properties.
  5. On the UPN Suffixes tab, type the suffix you want to add to the forest (the domain part of the SAML user name, for example domain.com) in the Alternate UPN suffixes box.
  6. Click Add, then OK.
  7. Close the Active Directory Domains and Trusts console.

To change the user logon name of the domain user that serves as the shadow account
  1. Log in to Windows Server with a domain administrator account.
  2. Open Server Manager using the icon on the desktop taskbar, or from the Start screen.
  3. Select Active Directory Users and Computers from the Tools menu.
  4. Find the user account that is used as the shadow account.
  5. Right-click the user, select Properties, and open the Account tab.
  6. Change the User logon name so that, together with the UPN suffix selected in the drop-down list next to it, it matches the SAML user account name. For example, if the SAML user account name is a@domain.com, the User logon name should be "a" and the selected suffix "@domain.com". Note that this changes the user principal name the account uses for every Kerberos logon, not only for SAML.
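The same two procedures, carried out with the ActiveDirectory PowerShell module as an added example (this is not code from the Citrix article). It assumes the SAML user account name is a@domain.com and that the shadow account's sAMAccountName is "a", the placeholders used in the steps above; run it as a domain administrator on a server with the AD DS tools installed.

```powershell
# Added example; not code from the Citrix article. Performs the two GUI procedures
# above with the ActiveDirectory module. Placeholders (assumptions): the SAML user
# account name is a@domain.com and the shadow account's sAMAccountName is 'a'.
Import-Module ActiveDirectory

$SamlUserName = 'a@domain.com'   # assumption: the user name asserted by the SAML IdP
$ShadowSam    = 'a'              # assumption: sAMAccountName of the shadow account

$prefix, $suffix = $SamlUserName -split '@', 2

# Step 1: register the SAML domain as an alternate UPN suffix on the forest
# (Active Directory Domains and Trusts > Properties > UPN Suffixes).
# Not needed when the suffix already is the DNS name of a domain in the forest.
$forest = Get-ADForest
if (($forest.Domains -notcontains $suffix) -and ($forest.UPNSuffixes -notcontains $suffix)) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
    Write-Host "Added alternate UPN suffix '$suffix' to forest $($forest.Name)"
}

# Step 2: set the shadow account's user logon name so that prefix@suffix equals the
# SAML user account name. This replaces the UPN the account had before.
$user = Get-ADUser -Identity $ShadowSam -Properties UserPrincipalName
Write-Host "Previous UPN of $ShadowSam : $($user.UserPrincipalName)"
Set-ADUser -Identity $user -UserPrincipalName "$prefix@$suffix"

# Check: exactly one account must carry the UPN, otherwise StoreFront cannot map the
# SAML user and the KDC keeps answering KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
$resolved = @(Get-ADUser -Filter "UserPrincipalName -eq '$SamlUserName'")
if ($resolved.Count -ne 1) {
    throw "Expected exactly one account with UPN $SamlUserName, found $($resolved.Count)"
}
Write-Host "Shadow account $($resolved[0].DistinguishedName) now has UPN $SamlUserName"
```

The final lookup is the check worth keeping after the GUI steps too: if it returns no account, or more than one, the logon will still fail with the same Kerberos error regardless of what the Gateway or StoreFront configuration says.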

Problem Cause

  • StoreFront uses the user name from the SAML assertion to look up a matching account (the shadow account) in the current domain. When no account in the domain has that user principal name, the domain controller answers the Kerberos request with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6) and the logon fails.
  • In a network trace you may also see several AS-REQ messages carrying PA-DATA of type PA-PAC-REQUEST (type 128) that are answered with KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6) or KDC_ERR_PREAUTH_REQUIRED (error code 25). These are not fatal. Error code 6 in that context only means that the domain controller that received the request does not host the account, and the client should choose a different domain controller; error code 25 means the KDC requires pre-authentication and the client retries with it.
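To tell the fatal case (no account in the whole forest carries the UPN) from the non-fatal one described above (the domain controller asked simply does not host the account), the following added diagnostic, which is not part of the Citrix article, queries a global catalog for the user name taken from the StoreFront event log and then each domain in the forest individually. The UPN value is a placeholder from the log text in the Description.

```powershell
# Added diagnostic; not code from the Citrix article. Assumption: $FailedUpn is the
# user name copied from the StoreFront "authentication attempt was made" event.
Import-Module ActiveDirectory

$FailedUpn = 'username@domainname.com.cn'   # assumption: placeholder from the event log
$forest    = Get-ADForest
$suffix    = ($FailedUpn -split '@', 2)[1]

# Is the suffix known to the forest at all (domain DNS name or alternate UPN suffix)?
$suffixKnown = ($forest.Domains -contains $suffix) -or ($forest.UPNSuffixes -contains $suffix)
Write-Host "UPN suffix '$suffix' registered in forest $($forest.Name): $suffixKnown"

# A global catalog query (port 3268) covers every domain in the forest.
$gc     = $forest.GlobalCatalogs | Select-Object -First 1
$fromGc = @(Get-ADUser -Filter "UserPrincipalName -eq '$FailedUpn'" -Server "${gc}:3268")

if ($fromGc.Count -eq 0) {
    Write-Warning "No account in the forest has UPN $FailedUpn; error code 6 is fatal until a shadow account with that UPN exists."
    return
}
Write-Host "Account exists: $($fromGc[0].DistinguishedName)"

# Per-domain view: a DC of a domain that does not hold the account answers the AS-REQ
# with error code 6 (try another DC); the home domain answers KDC_ERR_PREAUTH_REQUIRED (25)
# and then issues the TGT.
foreach ($domain in $forest.Domains) {
    $hit = Get-ADUser -Filter "UserPrincipalName -eq '$FailedUpn'" -Server $domain
    if ($hit) { Write-Host ("{0,-30} hosts the account" -f $domain) }
    else      { Write-Host ("{0,-30} does not host it (would answer error code 6)" -f $domain) }
}
```

If the global catalog query finds the account but StoreFront still logs the failure, compare the UPN suffix against the forest's alternate suffix list first; a suffix that was typed into the user's logon name without being registered on the forest is the most common mismatch.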

 

Additional Information

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-err-c-principal-unknown-s4u2self-request