Citrix FAS Issue: "The request is not supported" when launching a session. Working on a migration from on-prem to Citrix Daas. Fas in use without issue for the on-prem environment. New environment is Citrix Daas and Azure resource location with FAS servers in Azure also. PKI Infrastructure is on-prem still. FAS servers in Az authorised to Citrix cloud and using the same CA's as on-prem. Kerberos Logging enabled on the VDA and seeing error “KDC_ERR_PADATA_TYPE_NOSUPP” mentioned here - https://www.citrix.com/blogs/2019/04/24/troubleshooting-the-federated-authentication-service/ and here but with event id 3 instead of event id 9 - https://www.ferroquesystems.com/resource/issue-citrix-fas-sso-incorrect-username-or-password-kerberos-event-id-9/. Has anybody seen similar or got any ideas? Thanks.

Are you using storefront or workspace?

workspace

Can the cloud connectors talk to the fas servers on port 80? Also does you gpo on the fas servers match the one on your vdas?

@Rob Zylowski the cloud connectors do not need to contact the FAS servers. GPO/registry settings would be the first thing to check.

I usually see this if the AD boxes don't have proper certs from the same CA as the FAS servers.

Will double check the GPO is applied to FAS servers, i know it is applied correctly to the VDA's. @Jeff Riechers yeah, this is where i think the issue might be but failing to spot anything yet.

But if it was working before wiht the same CAs then the DCs should have the kerberos certs

not sure if FAS will talk to local DCs in Az compare to on-prem FAS (working) talking to local DC's on-prem. Certs may not be matching up across both locations. CA's also on-prem only.

According to the notes you need the certs on all DCs

@Nathanael Davison Doesnt workspace need to talk to the FAS servers via WCF on 80 via the Cloud Connectors?

spotted this one also, checking DC's now.

FAS has a direct connection to the cloud - it doesn't go via Cloud Connectors.

Oh thanks I never knew that. Need to update my diagrams 🙂

No errors on FAS server. Kerberos logging on the VDA shows event id 3 with “KDC_ERR_PADATA_TYPE_NOSUPP”. On the DC i do see an error like the one you mentioned - event id 29.

Well not present on all means luck of the draw. They are absolutely required. There are two possible certs though the domain controller cert and Kerberos cert and they need to on;cude smartcard auth. You would want to use the kerberos one.

Understood.

maybe this one are you using new CAs for this? https://support.citrix.com/external/article?articleUrl=CTX238881-federated-authenticat[…]unch-app-invalid-user-name-or-wrong-password&language=en_US

Make sure that pkiview.msc is good and the AIA/CRL are in place and reachable, validate the entire chain to be trusted root/int/issueing in the domain, check valid Kerberos authentication templates from ADCS on all domain controllers being used, also validate the container options in pkiview that ntauth is filled with the issueing ca of the Kerberos template

Update: Issue was down to the fact that the cloud based DC's were running server core so the certs had been imported to the DC using a remote MMC console which meant they were missing the private key. Re-importing the certs using the local cli of the DC resolved the issue. Thanks all for the assist!

My advise should be that auto enrollment for the DC's should be checked, this should not be a manual task.