RAS 19.2.3 - SAML Authentication - Failed to find AD user for XXXXX

Discussion in 'Parallels Remote Application Server' started by JoeR12, Aug 21, 2023.

  1. JoeR12

    JoeR12 Bit poster

    Hi All,
    I'm currently trying to set up RAS 19.2.3 using SAML authentication in a test lab, but it seems that after a successful logon on our IDP the RAS server is not able to match the NameID attribute, which is properly recognized from the SAML assertion, with the userPrincipalName AD user attribute. I have manually checked the AD attribute for the user and can even run a Get-ADUser command and filter for the UPN in the SAML assertion, and it returns the proper user account in AD. But somehow RAS cannot match the user account. Is there any possibility to enable some enhanced logging from RAS to see how it tries to find the user in AD, or does anyone have some input on what I might be doing wrong?

    RAS Controller Log entries:
    [I 06/00000038/T1784/P0740] 21-08-23 18:39:27 - Agent vmsparalells01.XXXXXXXXXXX.com (Secure Gateway) was enabled. Code AgentState::OK
    [I 06/0000000E/T0CC4/P0740] 21-08-23 18:39:55 - User (f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@XXXXXXXXXXX.com) connected from client (, machine (html5-a84246ab)(FF-FF-A8-42-46-AB) mode Gateway SSL, using OS: HTML5, Client version: 19.2.3 (build 24005).
    [E 72/00000006/T0CC4/P0740] 21-08-23 18:39:55 - SAML - User:'f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@XXXXXXXXXXX.com' - Failed to find AD user for f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@XXXXXXXXXXX.com
    [E 0E/0000002C/T0CC4/P0740] 21-08-23 18:39:55 - SAML: Failed to Identify User from Assertion

    SAML Attribute config:

    Decoded Assertion:

    AD Account Attributes:

    Get-ADUser output:

  2. Asmodeus

    Asmodeus Bit poster

    Hey! Might be that the UPN is too long? Could you try with something with 31 symbols or lower?
    Also, probably would be a good idea to submit a support ticket for that.
  3. JosieP

    JosieP Bit poster

    The error message "RAS 19.2.3 - SAML Authentication - Failed to find AD user for XXXXX" suggests that there was an issue with the Security Assertion Markup Language (SAML) authentication process in a system or application referred to as "RAS 19.2.3." This error message typically occurs when the system or application fails to locate an Active Directory (AD) user with the username "XXXXX" during the SAML authentication attempt.

    To troubleshoot and resolve this issue, you can follow these general steps:

    1. Check User Existence in Active Directory:
      • Verify that the user with the username "XXXXX" exists in the Active Directory. Ensure that the username is correctly spelled and formatted.
    2. SAML Configuration:
      • Review the SAML configuration in RAS 19.2.3 to ensure that it is set up correctly. Double-check the identity provider (IdP) settings, including the entity ID, SAML endpoint URLs, and certificate information.
    3. User Attribute Mapping:
      • Ensure that the SAML configuration in RAS 19.2.3 is correctly mapping the user attributes from the SAML assertion to the corresponding AD attributes (e.g., username, email, roles).
    4. User Synchronization:
      • Confirm that user synchronization between RAS 19.2.3 and the Active Directory is functioning as expected. Any changes in user accounts or attributes should be synchronized accurately.
    5. LDAP Search Filters:
      • If LDAP search filters are used in the SAML configuration to locate users in the Active Directory, review and validate the filters to ensure they accurately identify the user "XXXXX."
    6. AD User Permissions:
      • Check the permissions and access rights for the user "XXXXX" in the Active Directory. Ensure that the user has the necessary permissions to access the resources being authenticated through SAML.
    7. Logs and Debugging:
      • Examine the logs and debugging information in RAS 19.2.3 or your SAML authentication system for more detailed error messages or clues about the issue. Logs can provide insights into what went wrong during the authentication process.
    8. Test with Another User:
      • To isolate the issue, try SAML authentication with another user account to see if the problem is specific to the user "XXXXX" or if it's a broader issue with the SAML configuration.
    9. Update or Patch:
      • Check if there are any updates or patches available for RAS 19.2.3. Sometimes, software updates can address authentication-related issues.
    10. Consult Documentation or Support:
      • Consult the documentation and support resources specific to RAS 19.2.3 for guidance on SAML authentication troubleshooting. If necessary, reach out to the support team for assistance.
    Remember to follow best practices for handling sensitive user data and authentication configurations during your troubleshooting process.
  4. PaulChristopher@Parallels

    PaulChristopher@Parallels Product Expert Staff Member

    Hey! Can you please make the UPN account name shorter by changing it in AD Users and Computers > Account properties?
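
An added example, not part of any post in this thread and not Parallels code: a triage script that parses controller log lines in the layout quoted in the first post, pulls out every "Failed to find AD user" error, and reports the NameID's prefix and total length so the UPN-length suggestion from the replies can be checked against real failures. The 31-character threshold is the figure suggested in the replies, treated here as an assumption rather than a documented RAS limit; the sample lines and the `example.test` domain are constructed.

```python
import re
from datetime import datetime

# Layout of the controller log lines quoted in the first post:
# [<level> <area>/<code>/T<thread>/P<process>] dd-mm-yy HH:MM:SS - <message>
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<area>[0-9A-F]+)/(?P<code>[0-9A-F]+)/"
    r"T(?P<thread>[0-9A-F]+)/P(?P<proc>[0-9A-F]+)\] "
    r"(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed to find AD user for (?P<name_id>\S+)$")
# Assumption: 31 is the length suggested in the thread, not a documented limit.
SUGGESTED_MAX = 31

# Constructed sample lines in the same layout (example.test is a placeholder).
SAMPLE_LOG = """\
[I 06/0000000E/T0CC4/P0740] 21-08-23 18:39:55 - User (f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@example.test) connected from client
[E 72/00000006/T0CC4/P0740] 21-08-23 18:39:55 - SAML - User:'f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@example.test' - Failed to find AD user for f1c54cb4-af1a-4b4f-bc04-fc6fdc988660@example.test
[E 0E/0000002C/T0CC4/P0740] 21-08-23 18:39:55 - SAML: Failed to Identify User from Assertion
[E 72/00000006/T0D10/P0740] 21-08-23 18:41:02 - SAML - User:'jdoe@example.test' - Failed to find AD user for jdoe@example.test
not a log line
"""

def saml_lookup_failures(log_text):
    """Return one record per 'Failed to find AD user' error in the log text."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        f = FAIL_RE.search(m["msg"]) if m and m["level"] == "E" else None
        if not f:
            continue  # unparseable line, non-error level, or a different error
        name_id = f["name_id"]
        # UPN prefix is everything before the last '@'; no '@' means no suffix.
        prefix = name_id.rpartition("@")[0] or name_id
        records.append({
            "time": datetime.strptime(m["ts"], "%d-%m-%y %H:%M:%S"),
            "thread": m["thread"],
            "name_id": name_id,
            "prefix_len": len(prefix),
            "total_len": len(name_id),
            "over_suggested_max": len(prefix) > SUGGESTED_MAX,
        })
    return records

if __name__ == "__main__":
    for r in saml_lookup_failures(SAMPLE_LOG):
        print(r["time"].isoformat(), r["name_id"], r["prefix_len"], r["total_len"], r["over_suggested_max"])
```

A failure on a short NameID, like the second constructed record, would indicate that length alone does not explain the lookup error.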
