Troubleshooting HDX session validation error on the Linux VDA

3:58 PM
Troubleshooting HDX session validation error on the Linux VDA -

A special failure you have encountered with the version 1.0 release of Linux VDA engages a dialogue entitled "HDX Session Validation Failure" appears immediately after to start session. This will force a logoff your session after 30 seconds.

HDX Session Validation Failure Dialog
HDX session validation error dialog

may While this issue still occur in the v1.1 release, I am to report happy that the Linux development team VDA improvements to minimize their occurrence. I would also explain how the ability to take, why this error occurs and what can be done to rectify the situation, if you see it.

Why session validation?

an essential part of the session start in a XenDesktop deployment is the process called Swap. This is done by the broker, who is responsible for negotiating Start requirements with work computers. The broker communicates with the broker agent for the employees with the Citrix Brokering Protocol (CBP). He chooses the workers the incoming ICA connections for desktop and application launches to handle on the willingness of workers to fulfill based the start request. To ensure that the start is safe, CBP requires the broker to provide users with their specific sessions. This user-to-session club is achieved by the Broker Agent checks each user spend that is logged.

. For the Linux VDA, the broker agent needs access to the Kerberos credentials of the user for impersonation during the session validation This requires the system environment can be configured in a simple flat file format to cache Kerberos credentials. If the broker agent is not access the cache file for the user to a meeting in a position, the above dialog is shown immediately after the session starts, and then the session is terminated 30 seconds later.

Solving Session validation failures

a few diagnostic tests There you can perform to locate the cause of session validation errors. The checks from me sketched relate connected to a machine with RHEL7 Winbind AD. You will notice that the controls for Centrify Direct Control or Quest similar conduct.

Your session around diagnosing

I recommend the following commands is executed in an HDX session that has session could not be validated before it is signed off by force. I usually take a screenshot of the results given the 30-second time

  • is cached Kerberos tickets for your user account by :.
  klist  
  • Search / tmp owned for possible credential files caches your account:
  ls -al / tmp / * krb5 | grep `id -u`  
  • Check whether the KRB5CCNAME environment variable is set by executing:
  env | grep KRB5  

When the timeout is proving too quickly, you can use the same commands for the same user account with Secure Shell (SSH) or another remote login program running. Except KRB5CCNAME environment variable, the results should be the same as for HDX.

The analysis of the results

check for expired tickets

Let's start "klist" in the search output. Here is the output of my work is RHEL7 machine. If "klist" has successfully displayed the ticket cache, check klist the expiration time of the ticket

  $ ticket cache :. FILE: / tmp / krb5cc_16777216 Standard main: kingsleyc@MYDOMAIN.COM Valid Start  Runs  SPN 10/20/15 09:52:32  20/10/15 19:52:32  krbtgt / MYDOMAIN.COM @ MYDOMAIN.COM renew until 27/10/15 09:52:32 20/10/15 09:52:32 20/10/15 19:52:32 MYRHEL7$@MYDOMAIN.COM renew until 10/27/15 09:52:32  

If you find that your ticket has expired, has Winbind failed to upgrade your ticket cache. In this case:

  • Check if /etc/samba/smb.conf has:
  winbind refresh tickets = true  
  • to delete the existing ticket cache file:
  sudo rm -f / tmp / krb5cc_16777216  

this is often sufficient , to solve the problem. The cache file will be created again on the next login.

Check for missing ticket cache

With Session validation errors, I often see "klist" with an error message stating that the cache file was not found

  $ klist klist.  

This error is generally caused by incorrect Kerberos or AD integration caused Settings Credentials cache file / tmp / krb5cc_16777216 'not found on your computer. I will deal this later in this blog closer.

check for an inaccessible ticket cache

In rare cases, "klist" fails when user does not have permission to access their own cache file.

  $ klist klist: Permissions Cache Credentials wrong  

This error can be caused by an administrator running:

  sudo kinit -p   

This creates a cache file for the specified user are root. To eliminate this error, verify that the cache file belongs to the user. This is the reason for the execution of "ls" earlier

  $ ls -al / tmp / * * krb5. | grep `id -u` -rw -------. 1 MYDOMAIN  kingsleyc root 4001 20 October 10.46 / tmp / krb5cc_16777216  

to delete the ticket cache file if it is one to find another user. This is usually sufficient to correct the problem and the cache file will be created again on the next login.

Check whether the KRB5CCNAME set environment variable

The KRB5CCNAME environment variable is usually through a series Pluggable Authentication Modules (PAM) "aware" program on the successful registration by a user. This environment variable should refer to the user's ticket cache file:

  $ env | grep KRB5 KRB5CCNAME = FILE: / tmp / krb5cc_16777216  

The Linux VDA is PAM "aware" and encourages all PAM associated with environment variables on a successful login. This includes the KRB5CCNAME environment variable. However, there are cases in which PAM will fail to set the environment variable KRB5CCNAME after the user has been successfully authenticated. This happens when the clock skew between the Linux VDA machine and the AD server is excessive

Here is an excerpt from pam_winbind.conf which mentions the clock skew in the description of "krb5_auth" option .:

pam_winbind can authenticate using Kerberos when winbindd speaks to an Active Directory domain controller. Kerberos authentication must be activated with this parameter. If Kerberos authentication can not succeed (eg by clock skew), winbindd is to SamLogon authentication over MSRPC relapse. If this parameter is used in conjunction with winbind refresh tickets, winbind Your Ticket keep Granting Ticket (TGT) uptodate by updating it as needed. The default is "No".

is the number reverts to "SamLogon" authentication, the Kerberos credential cache file irrelevant and therefore there is no need to set the environment variable KRB5CCNAME. The v1.1 release of broker agent relies find the ticket cache file on this variable. Without the variable of broker agent will access the cache file to open provided it is a known file name format has. This is not always successful.

In general, if your machine from timing shift is suffering, the broker agent will not register with the broker. However, I have rarely seen, where registration is despite the timing shift succeeded. If you suspect that you have experienced this, you can confirm that Winbind fail Kerberos authentication by enabling debug logging for PAM. Modify the file / etc / pam.d / password auth file (contained by /etc/pam.d/ctxhdx) by adding "debug" on the "Auth" line for "pam_winbind.so" module :

  #% PAM-1.0 # This file is automatically generated. # User changes will be destroyed the next time is running authconfig. Auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass Auth required pam_succeed_if.so uid> = 1000 quiet_success  Auth sufficient pam_winbind.so use_first_pass debug  Auth pam_deny.so Account Required Required pam_unix.so broken_shadow  

If PAM fails adjust KRB5CCNAME environment variable due to clock skew, a message is displayed, as shown in the following either / var / log / secure or / var / log / messages:

  October 19 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind (ctxhdx: auth): Make sure users 'MYDOMAIN  kingsleyc' 19 October 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind (ctxhdx: auth): CONFIG file: krb5_ccache_type 'FILE' October 19 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind (ctxhdx: auth): enabling krb5 login flag 19 October 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind ( wbcLogonUser Request succeeded October 19 14:27:36 myrhel7 citrix-ctxlogin [: ctxhdx: auth): Thus, the request for a cache file krb5 October 19 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind (ctxhdx: auth) [7771]: pam_winbind (ctxhdx: auth): user 'MYDOMAIN  kingsleyc "granted access  19 October 14:27:36 myrhel7 citrix-ctxlogin [7771]: pam_winbind (ctxhdx: auth): user MYDOMAIN  kingsleyc: pM skew when krb5 TGT  19 October 14:27:36 myrhel7 citrix-ctxlogin get [7771]: pam_winbind (ctxhdx: auth): Returned user MYDOMAIN  kingsleyc ' 

to was reading "Configure Clock synchronization "and" Fix time synchronization "sections of the installation manual of this clock skew problem to solve.

correction misconfiguration

Earlier I mentioned that the lack of ticket cache files are often the result of incorrect Kerberos or AD integration settings on the Linux machine VDA. In addition to the guidance instructions to install check, I recommend that you run Linux XDPing to identify misconfigured settings. The culprit is a misconfigured KRB5CCNAME type setting generally. This will be highlighted by XDPing, as shown below:

   Kerberos -------------------------- - -------------------------------------------  Kerberos version: 5  ensure Kerberos available [Pass]   ensure Kerberos version 5 [Pass]  KRB5CCNAME: Keyring: persistent: 16777216 KRB5CCNAME type: [NOT SUPPORTED] kernel keyring credential cache not support  ensure KRB5CCNAME cache enter [ERROR]  The Kerberos environment variable KRB5CCNAME is an unsupported credential cache type. Only credential cache files are supported by Linux VDA; DIR, MEMORY and KEYRING credential cache types are not supported. Configuration file: /etc/krb5.conf [Exists]  

When this error occurs, you need to check a few settings, in particular the KRB5CCNAME type for Kerberos and AD integration tool configured on your Linux VDA Machine. On my Winbind RHEL7 setup I perform usually the following:

  1. Ensure that Kerberos tickets both keytab secrets TDB file and system use verified. This includes the "kerberos method" setting configuration in /etc/samba/smb.conf.
  [global] # - authconfig - Start-line-- # generated by authconfig to 2015.09 .17 15:41:55 # EDIT THIS SECTION (limited by --start-line - / - End-line--) # Any change can be deleted or modified by authconfig in future workgroup = EDASYDNEY password server = syddjasper01.edasydney. CTXS realm = EDASYDNEY.CTXS security = ads idmap Config *: range = 16777216-33554431 template shell = / bin / bash winbind use default domain = false winbind offline logon = false # - authconfig - -line-- end  kerberos method = secrets and keytab  winbind refresh tickets = true  

the "authconfig" tool generates this section of the file, as shown above. You will notice that this contains the "kerberos method" setting. I recommend "kerberos" method from the generated section is moved, as I have done it accidentally changing it to avoid when running "authconfig" again.

  1. Make sure that "krb5_auth" and "krb5_ccache_type" configuration settings are correct in /etc/security/pam_winbind.conf. capable
    • "krb5_auth" should be set to "yes"
    • "krb5_ccache_type" should have a "FILE" Request krb5 credential cache type .. On newer Linux kernel platforms keyrings: In particular, the following applies to implement the use of credential cache, this setting can be pre-assigned by the provider to "KEYRING".
  # # pam_winbind configuration file no # turn debug to extended PAM state debugging = ;; # # # /etc/security/pam_winbind.conf [global] # turn debug_state on debugging = no request # a cached login if possible # (must "winbind offline logon = yes" in smb.conf); cached_login = no  # authenticate with kerberos krb5_auth = yes # if kerberos, ask krb5 # (leave blank to just do krb5 authentication but no ticket # have it) a "file" credential cache type krb5_ccache_type = file  # make successful authentication through membership in a SID  
  1. make depending sure the "default_ccache_name" configuration setting in /etc/krb5.conf not indicating a contradictory KRB5CCNAME type that in /etc/security/pam_winbind.conf. I recommend to delete this if it is given or it is the same as for making pam_winbind.conf
  2. Finally, the Winbind services remember to restart if you have made any configuration changes .:
  sudo / usr / bin / systemctl winbind restart  

Well, that's all for VDA troubleshooting session validation failures in Linux. I hope you now have some insight into validation failures solution whenever you encounter in the wild.

more of the Linux Virtual Read Desktop Team, you should check all of our posts here .

Previous
Next Post »
0 Komentar