# citrix-vad
r
It's all working fine on my Server 2019 VDAs, but on Server 2022 VDAs it's asking me for login after I connect from WSA. Don't see any assertion errors in FAS or anything... it's just... not working.
r
It's not a problem because you are using 2022 alone. That should work fine.
r
Thanks, that's really what I needed confirmation of.
FAS server shows up in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses just fine... 🤷‍♂️
FAS is set to Domain Computers. Not rocket science here.
h
I would say take a look at the template version of the smartcard logon which is being used.
Update the template to the highest version in ADCS.
r
Look in the event logs for errors. Is this Workspace or StoreFront?
r
StoreFront. Not a bad thought, Henry.
r
Are your VDAs in the correct OU to get the FAS GPO?
r
FAS server shows up in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses just fine...
r
Are the VDAs in the same domain?
r
Yeah.
[S105] Server [VC3_CAE\VC3-XDC-02$] issued identity assertion [upn: gallierr@vc3.com, role default, Security Context: []].
FAS says it got it fine as well.
r
Make sure you don't have prompt for password enabled in a GPO.
r
Yup, have that too, and validated it was on the VDA.
r
k
r
@Henrik Simonsen Hmmm... not sure I know where to update that smartcard template?
h
In the ADCS console, from the CA which you are using.
r
Yup, I'm in there.
h
You can edit the templates and see the version being used.
r
Are the servers in the same subnet as the 2019 servers?
r
Yes, same subnet.
Citrix_SmartcarLogon version 1.0
h
Hold on, that's not what I mean.
The templates being used have nothing to do with FAS; that is only a shell on top of the ADCS functionality of Microsoft, whichever certificate template you are using.
I'll put in a screen.
r
Thanks, I guess I don't follow.
h
Default, it's all no good.
r
Ahhh, yes, mine is set on 2003.
h
So you might have an OS-dependent item now regarding the VDA differences as well, so I would check what the changes are and update the CA and CLIENT values of the template to the highest.
r
I just set it to 2016/2016.
h
This can all be reverted as well with the same clicks, just keep in mind these templates are stored in ADDS - Sites and Services, so wait for a full replication before a new test.
r
Nods.
Thanks, I will test in a bit.
h
And also do a check on the KDC part of ADDS and the VDA servers, perhaps via Wireshark. Could also be that there is an older encryption type in use like RC4 etc. Cloud VDA Registration Failure Error ID 1023: "Broker Proxy failed to communicate with the cloud DDC." (citrix.com)
r
Checking that as well. Updating the cert template didn't seem to help.
I guess it's ticket time. Sigh...
If anyone is/was following along, it's Duo. That's the difference here. I had the Duo Windows Authentication Client installed, and THAT is forcing the second login to the system.
h
Ah yes, that explains it: Duo intercepts GINA.
r
Man, I need to figure out how to intercept admin logins and MFA them... ughhh.
Well, at least I figured it out.
We have console access to these systems through our RMM tool, and these admin logins need MFA. htf to make this work and not break FAS.
h
Would open up a case with Duo to confirm with your use case, otherwise perhaps isolate a desktop pool for these users as a jump host scenario.
r
Or, remove my RMM from them, and disable RDP access....
h
Yup, also a plan.
r
"nothing's easy"
h
But first double check with Duo, perhaps it's a known issue.
r
Yup, on it.
They certainly have an old case regarding this, with no resolution. They have escalated to DevOps.
Dennis Parker figured this one out. I added a couple of entries to HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv\ProvidersWhitelist: {1D7BE727-4560-4adf-9ED8-5EEC78C6ECFF} and {81C8E4DC-B376-4D88-BCCD-BD0DD65BEE2B}.