SAML User cannot Login to RDP-Session

Discussion in 'Parallels Remote Application Server' started by JoergT1, Feb 23, 2023.

  1. JoergT1

    JoergT1 Bit poster

    Messages:
    5
    Hi.
    We have set up the SAML configuration between Parallels RAS 19.x and Azure AD exactly as described in the following documents:
    https://kb.parallels.com/124813 and https://kb.parallels.com/124815
    The authentication works fine with Parallels Client and HTML5 Portal.
    But when we start an application hosted on our RDP server, we can't log in. We get an error message that the user/password is not correct.

    Really strange is that the RDP log on the RDP server lists not the test user for SAML but rather the NLA user created in https://kb.parallels.com/124813 ??

    In the RAS Gateway logs I can't find an error or any differences to the SSL logins without SAML.
    The same test user works OK with normal authentication without SAML.
     
  2. ChristianH32

    ChristianH32 Member

    Messages:
    20
    Hi,
    have you verified the logs of the NLA server, did the user receive a certificate?
    (lines like these)
    [I 6D/00000025/T10F4/P0BB4] 10-02-23 10:14:22 - No valid certificate for user xxxxx (DN PATH ) was found. A new certificate needs to be enrolled
    [D 6D/00000028/T10F4/P0BB4] 10-02-23 10:14:23 - The disposition value for the enrollment request of the certificate for user xxxxx is 3.
    [D 6D/00000026/T10F4/P0BB4] 10-02-23 10:14:24 - The current CSP key container info. Container: cb9863f7b71ccfbf65be4997e9c1eace_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: xxxxx
    [D 6D/00000026/T1734/P0BB4] 10-02-23 10:16:05 - Successfully signed the request data. User: xxxxxxxx

    Did you verify the AD integration in the RAS Console (Farm > Enrollment Server > AD Integration)?

    On the RDSH we see the following logon event from the NLA user, before the user logs in:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: RDSH
    Account Domain: CS
    Logon ID: 0x3E7

    Logon Type: 10

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: NLA_USER
    Account Domain: NLAUSERDOMAIN

    Failure Information:
    Failure Reason: The user has not been granted the requested logon type at this machine.
    Status: 0xC000015B
    Sub Status: 0x0

    After this event some cryptographic operations, and the successful logon event of the user.

    Maybe this helps.
    br
    Chris
     
  3. ChristianH32

    ChristianH32 Member

    Messages:
    20
    Hi,
    maybe some further hints:
    What's your SAML provider, and did you configure the correct mapping for the user attribute?
    If using Azure AD you have to use a custom SAML attribute mapping to an AD attribute.
    br
    Chris
     
  4. ChristianH32

    ChristianH32 Member

    Messages:
    20
    Hm,
    cannot edit the existing post:
    try also to clear the cached authentication tokens in the RAS Console (Connection > Settings > Clear cached authentication tokens) and retry.
    br
     
  5. JoergT1

    JoergT1 Bit poster

    Messages:
    5
    Thank you for your tips.
    Today I have checked the whole configuration (exactly step by step) and compared it with the documentation for version 19.1.
    All steps are correct.
    And yes, the domain controller has a smartcard-enabled certificate.
    The Kerberos log (enabled in the registry) on the domain controller has no errors.

    I think we have another problem.
    We don't see the receive events for the user certificate in the NLA server log. But we found the following line at the time when the login fails:
    [W 6D/0000001B/T19B8/P0BB4] 28-02-23 17:43:47 - Read from socket failed (A request to send or receive data was prevented because the socket in that direction had already been shut down by a previous shutdown call. [0x0000274a])

    Have you ever had this error message on the NLA server?
    We have checked the connection between the NLA server, PKI server and RD Session Hosts, shut down the firewall, and so on...
     
  6. JoergT1

    JoergT1 Bit poster

    Messages:
    5
    I set the log level on the NLA server to "Verbose".
    Now, when the user starts an RDP session with the Parallels Client, I find the following lines in the NLA server log:

    [T 6D/00000009/T1948/P0BC4] 28-02-23 19:20:19 - Service RAS smart card mini driver connection.
    [T 00/00000000/T1948/P0BC4] 28-02-23 19:20:19 - Started Thread Cert User Logon Thread (id 0x194c handle 1628), threads running 6
    [T 00/00000113/T194C/P0BC4] 28-02-23 19:20:19 - Starting thread process
    [T 00/00000000/T1948/P0BC4] 28-02-23 19:20:19 - Detached thread handle 1628, threads running 5
    [T 6D/0000000B/T194C/P0BC4] 28-02-23 19:20:19 - New RAS Cert Logon connection. IP: 10.1.4.79
    [T 00/00000113/T1948/P0BC4] 28-02-23 19:20:19 - Thread returned value 0
    [T 00/0000013D/T194C/P0BC4] 28-02-23 19:20:19 - 2XXMLSec: Signature is OK.
    [D 6D/00000019/T194C/P0BC4] 28-02-23 19:20:19 - User DN CN=Test\, CA,OU=xxxxx,DC=xxxxxxx,DC=netz escaped. Un-escaped: CN="Test, CA",OU=xxxxx,DC=xxxxx,DC=netz
    [T 00/00000000/T194C/P0BC4] 28-02-23 19:20:19 - Public key sent successfully
    [D 6D/00000019/T194C/P0BC4] 28-02-23 19:20:19 - User DN CN=Test\, CA,OU=xxxxx,DC=xxxxx,DC=netz escaped. Un-escaped: CN="Test, CA",OU=xxxxx,DC=xxxxx,DC=netz
    [D 6D/00000026/T194C/P0BC4] 28-02-23 19:20:19 - The current CSP key container info. Container: 1f93127dff7dc467896b616b39cdd61f_e8e38dde-34e3-4013-8c52-db034a2efdbd Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: catest
    [D 6D/00000026/T194C/P0BC4] 28-02-23 19:20:19 - Successfully signed the request data. User: catest
    [T 00/00000000/T194C/P0BC4] 28-02-23 19:20:19 - OnGetSignatureDigest successful
    [W 6D/0000001B/T194C/P0BC4] 28-02-23 19:20:19 - Read from socket failed (Eine Anforderung zum Senden oder Empfangen von Daten wurde verhindert, da der Socket in diese Richtung bereits durch einen vorangegangenen shutdown-Aufruf heruntergefahren worden war. [0x0000274a])
    [T 6D/0000000B/T194C/P0BC4] 28-02-23 19:20:19 - Closing RAS Cert Logon connection
    [T 00/00000000/T194C/P0BC4] 28-02-23 19:20:19 - Try close socket, handle 000000000000066C
    [T 00/00000113/T194C/P0BC4] 28-02-23 19:20:19 - Thread returned value 0
    [T 6D/0000000B/T10B8/P0BC4] 28-02-23 19:20:20 - Updating counters: Counters Changed
    [T 6D/00000009/T10B8/P0BC4] 28-02-23 19:20:20 - SendDataToController cmd 261
     
  7. ChristianH32

    ChristianH32 Member

    Messages:
    20
    Hi,
    sorry for the delay.
    But are you able to verify if the certificate was issued by the CA? Not sure where, but this looks like a connection issue to one of the systems (maybe PKI, AD or enrollment server).
    Did you verify the necessary firewall ports on the CB for the enrollment service?
    In the past, we sometimes ran into issues after upgrading RAS because of missing FW rules. In the meantime we have added a GPO with the necessary FW ports for all roles.
    br
    chris
     
  8. ChristianH32

    ChristianH32 Member

    Messages:
    20
    I can have a look tomorrow into our logfiles to see how it should look when debug mode is enabled.
    br
     
  9. JoergT1

    JoergT1 Bit poster

    Messages:
    5
    Hi.
    ChristianH32, thank you for the tips!!
    For testing, I have deactivated the firewall and the AV scan on all involved servers, but the problem still exists.
    I have built a completely new Parallels infrastructure with a new Windows DC (and domain name), PKI, HALB, Azure SAML config, registration server and RD hosts.
    In this new test environment, the SAML auth and start of apps has no issues and all functions are as expected.
    In my desperation, I have already monitored the connections with Wireshark and compared them with the test environment. But haven't found anything. I am very frustrated.
    In our productive environment the error is still there:
    [T 00/00000000/T0D00/P0B18] 16-03-23 11:22:22 - Accept connection on socket handle 0000000000000760
    [T 00/00000000/T0D00/P0B18] 16-03-23 11:22:22 - Started Thread Client Thread (id 0xdb4 handle 1796), threads running 21
    [T 00/00000113/T0DB4/P0B18] 16-03-23 11:22:22 - Starting thread process
    [T 00/00000000/T0D00/P0B18] 16-03-23 11:22:22 - Detached thread handle 1796, threads running 20
    [T 6D/00000009/T0DB4/P0B18] 16-03-23 11:22:22 - Service RAS smart card mini driver connection.
    [T 00/00000000/T0DB4/P0B18] 16-03-23 11:22:22 - Started Thread Cert User Logon Thread (id 0x11cc handle 1972), threads running 21
    [T 00/00000113/T11CC/P0B18] 16-03-23 11:22:22 - Starting thread process
    [T 00/00000000/T0DB4/P0B18] 16-03-23 11:22:22 - Detached thread handle 1972, threads running 20
    [T 6D/0000000B/T11CC/P0B18] 16-03-23 11:22:22 - New RAS Cert Logon connection. IP: 10.1.4.78
    [T 00/00000113/T0DB4/P0B18] 16-03-23 11:22:22 - Thread returned value 0
    [T 00/0000013D/T11CC/P0B18] 16-03-23 11:22:22 - 2XXMLSec: Signature is OK.
    [D 6D/00000019/T11CC/P0B18] 16-03-23 11:22:22 - User DN CN=Pan\, Peter,OU=RM Produktion,DC=mydomain,DC=netz escaped. Un-escaped: CN="Pan, Peter",OU=RM Produktion,DC=mydomain,DC=netz
    [T 00/00000000/T11CC/P0B18] 16-03-23 11:22:22 - Public key sent successfully
    [D 6D/00000019/T11CC/P0B18] 16-03-23 11:22:22 - User DN CN=Pan\, Peter,OU=RM Produktion,DC=mydomain,DC=netz escaped. Un-escaped: CN="Pan, Peter",OU=RM Produktion,DC=mydomain,DC=netz
    [D 6D/00000026/T11CC/P0B18] 16-03-23 11:22:22 - The current CSP key container info. Container: 8ef2aaabfc739d9169fac869b6f30c61_a093078b-c15c-4306-aef6-d5a9c0f37fe4 Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: ppan
    [D 6D/00000026/T11CC/P0B18] 16-03-23 11:22:22 - Successfully signed the request data. User: ppan
    [T 00/00000000/T11CC/P0B18] 16-03-23 11:22:22 - OnGetSignatureDigest successful
    [W 6D/0000001B/T11CC/P0B18] 16-03-23 11:22:22 - Read from socket failed (Eine Anforderung zum Senden oder Empfangen von Daten wurde verhindert, da der Socket in diese Richtung bereits durch einen vorangegangenen shutdown-Aufruf heruntergefahren worden war. [0x0000274a])
    [T 6D/0000000B/T11CC/P0B18] 16-03-23 11:22:22 - Closing RAS Cert Logon connection
    [T 00/00000000/T11CC/P0B18] 16-03-23 11:22:22 - Try close socket, handle 0000000000000760
    [T 00/00000113/T11CC/P0B18] 16-03-23 11:22:22 - Thread returned value 0
     
  10. ChristianH32

    ChristianH32 Member

    Messages:
    20
    Hi,
    at the moment we are productive on V18.3, in test on V 19.1.2.
    I have added here some lines from the prod environment.
    But I recommend opening a ticket at Parallels.

    [T 00/0000013D/T0420/P0A94] 16-03-23 13:20:32 - 2XXMLSec: Signature is OK.
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:32 - Certificate is expired.
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:32 - Invalid certificate for user TEST.
    [I 6D/00000025/T0420/P0A94] 16-03-23 13:20:32 - No valid certificate for user TEST (CN=TEST,OU=DESINMAY,OU=xxx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx) was found. A new certificate needs to be enrolled
    [T 6D/00000017/T0420/P0A94] 16-03-23 13:20:32 - Found certificate using certificate ID. User: enrollment01@xx.xx.xx
    [D 6D/00000028/T0420/P0A94] 16-03-23 13:20:33 - The disposition value for the enrollment request of the certificate for user TEST is 3.
    [D 6D/00000028/T0420/P0A94] 16-03-23 13:20:33 - Disposition message for enrollment request of certificate for user TEST is Issued
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:34 - Public key sent successfully
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:34 - The current CSP key container info. Container: d60ed34c89dac52e8c0cb4c7d14134c0_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: TEST
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:34 - Successfully signed the request data. User: TEST
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:34 - OnGetSignatureDigest successful
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:34 - The current CSP key container info. Container: d60ed34c89dac52e8c0cb4c7d14134c0_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: TEST
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:34 - Successfully signed the request data. User: TEST
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:34 - OnGetSignatureDigest successful
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - The current CSP key container info. Container: d60ed34c89dac52e8c0cb4c7d14134c0_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: TEST
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - Successfully signed the request data. User: TEST
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:35 - OnGetSignatureDigest successful
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - The current CSP key container info. Container: d60ed34c89dac52e8c0cb4c7d14134c0_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: TEST
    [W 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - Failed to acquire hash handle for hashing algorithm 'Unknown' (ALG_ID - 32780) when signing digest for user 'TEST' (Invalid algorithm specified. [0x80090008])
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:35 - OnGetSignatureDigest successful
    [D 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - The current CSP key container info. Container: d60ed34c89dac52e8c0cb4c7d14134c0_3c1dea13-5c04-420f-8c91-354090364dbb Provider: Microsoft Strong Cryptographic Provider Provider Type: PROV_RSA_FULL (1) User: TEST
    [T 00/00000000/T0420/P0A94] 16-03-23 13:20:35 - OnGetSignatureDigest successful
    [T 6D/0000001B/T0420/P0A94] 16-03-23 13:20:55 - Read from socket timed out
    [T 6D/0000001B/T0420/P0A94] 16-03-23 13:21:25 - Read from socket timed out
    [T 6D/0000001B/T0420/P0A94] 16-03-23 13:21:35 - Read from socket timed out
    br
    Chris
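The NLA server log excerpts in posts 6, 9 and 10 all share the same `[level module/code/Tthread/Pprocess] dd-mm-yy HH:MM:SS - message` shape, and the question each time is the same: on a given worker thread, how far did the certificate-logon flow get before the warning appeared? The script below is an added example, not Parallels' code and not posted by anyone in this thread. It parses that line format, groups entries by thread id, records the milestones a successful flow logs (SAML signature verified, user DN, enrollment, public key sent, request signed, digest returned) and notes which milestone each warning followed. The sample log is constructed from lines quoted above and shortened; the milestone and warning patterns match the wording shown in this thread, and the short labels attached to each warning are mine, not Parallels' diagnostics.

```python
"""Triage helper for Parallels RAS NLA / Enrollment Server verbose logs.

Added example (not Parallels' code). Parses the "[L MM/CCCCCCCC/Txxxx/Pxxxx]
dd-mm-yy HH:MM:SS - message" lines quoted in this thread, groups them per worker
thread and reports how far each certificate-logon flow got before a warning.
"""
import re

LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<mod>[0-9A-F]{2})/(?P<code>[0-9A-F]{8})"
    r"/T(?P<tid>[0-9A-F]{4})/P(?P<pid>[0-9A-F]{4})\] "
    r"(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.*)$"
)

# Milestones of one RAS cert-logon flow, in the order a successful run logs them.
# The texts are taken from the log lines quoted in this thread.
MILESTONES = [
    ("saml_signature_ok", re.compile(r"2XXMLSec: Signature is OK")),
    ("user_dn", re.compile(r"User DN .*? escaped\. Un-escaped: (?P<dn>.+)$")),
    ("needs_enrollment", re.compile(r"No valid certificate for user (?P<user>\S+)")),
    ("cert_issued", re.compile(r"Disposition message .* is Issued")),
    ("public_key_sent", re.compile(r"Public key sent successfully")),
    ("request_signed", re.compile(r"Successfully signed the request data\. User: (?P<user>\S+)")),
    ("digest_ok", re.compile(r"OnGetSignatureDigest successful")),
]

# Warnings that end or degrade a flow; the labels are this example's own wording.
PROBLEMS = [
    (re.compile(r"Read from socket failed"), "read attempted on a socket already shut down (0x274a)"),
    (re.compile(r"Read from socket timed out"), "no data from peer within the read timeout"),
    (re.compile(r"Failed to acquire hash handle .*ALG_ID - (?P<alg>\d+)"), "CSP rejected hash algorithm ALG_ID {alg}"),
    (re.compile(r"Certificate is expired"), "cached user certificate expired"),
]


def parse_line(line):
    """Return the fields of one log line, or None for text that is not a log entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group entries by thread id and summarise each certificate-logon flow.

    Returns {tid: {"user", "dn", "milestones", "problems", "last_ok"}}; "problems"
    holds (label, milestone reached when it appeared, timestamp) tuples. Only
    threads that reach the first milestone (a verified SAML signature) are kept.
    """
    flows = {}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = entry["msg"]
        flow = flows.setdefault(entry["tid"], {"user": None, "dn": None, "milestones": [],
                                                "problems": [], "last_ok": None})
        for name, rx in MILESTONES:
            m = rx.search(msg)
            if not m:
                continue
            if name not in flow["milestones"]:
                flow["milestones"].append(name)
            flow["last_ok"] = name          # repeated milestones (e.g. digest_ok) just refresh this
            groups = m.groupdict()
            if groups.get("user"):
                flow["user"] = groups["user"]
            if groups.get("dn"):
                flow["dn"] = groups["dn"]
            break
        for rx, label in PROBLEMS:
            m = rx.search(msg)
            if m:
                flow["problems"].append((label.format(**m.groupdict()), flow["last_ok"], entry["ts"]))
    return {tid: f for tid, f in flows.items() if "saml_signature_ok" in f["milestones"]}


def report(log_text):
    """One human-readable line per flow, e.g. for pasting into a support ticket."""
    lines = []
    for tid, f in triage(log_text).items():
        line = f"thread {tid}: user={f['user'] or '?'} reached={f['last_ok']}"
        if f["problems"]:
            line += " problems=" + "; ".join(f"{why} (after {at})" for why, at, _ in f["problems"])
        lines.append(line)
    return lines


# Constructed sample, adapted and shortened from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
[T 00/0000013D/T11CC/P0B18] 16-03-23 11:22:22 - 2XXMLSec: Signature is OK.
[D 6D/00000019/T11CC/P0B18] 16-03-23 11:22:22 - User DN CN=Pan\\, Peter,OU=RM Produktion,DC=mydomain,DC=netz escaped. Un-escaped: CN="Pan, Peter",OU=RM Produktion,DC=mydomain,DC=netz
[T 00/00000000/T11CC/P0B18] 16-03-23 11:22:22 - Public key sent successfully
[D 6D/00000026/T11CC/P0B18] 16-03-23 11:22:22 - Successfully signed the request data. User: ppan
[T 00/00000000/T11CC/P0B18] 16-03-23 11:22:22 - OnGetSignatureDigest successful
[W 6D/0000001B/T11CC/P0B18] 16-03-23 11:22:22 - Read from socket failed (A request to send or receive data was prevented because the socket in that direction had already been shut down by a previous shutdown call. [0x0000274a])
[T 6D/0000000B/T11CC/P0B18] 16-03-23 11:22:22 - Closing RAS Cert Logon connection
[T 00/0000013D/T0420/P0A94] 16-03-23 13:20:32 - 2XXMLSec: Signature is OK.
[T 00/00000000/T0420/P0A94] 16-03-23 13:20:32 - Certificate is expired.
[I 6D/00000025/T0420/P0A94] 16-03-23 13:20:32 - No valid certificate for user TEST (CN=TEST,OU=xx,DC=xx) was found. A new certificate needs to be enrolled
[D 6D/00000028/T0420/P0A94] 16-03-23 13:20:33 - Disposition message for enrollment request of certificate for user TEST is Issued
[T 00/00000000/T0420/P0A94] 16-03-23 13:20:34 - Public key sent successfully
[D 6D/00000026/T0420/P0A94] 16-03-23 13:20:34 - Successfully signed the request data. User: TEST
[T 00/00000000/T0420/P0A94] 16-03-23 13:20:34 - OnGetSignatureDigest successful
[W 6D/00000026/T0420/P0A94] 16-03-23 13:20:35 - Failed to acquire hash handle for hashing algorithm 'Unknown' (ALG_ID - 32780) when signing digest for user 'TEST' (Invalid algorithm specified. [0x80090008])
[T 6D/0000001B/T0420/P0A94] 16-03-23 13:20:55 - Read from socket timed out
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real verbose NLA log by passing the file contents to `report()`; a flow whose only problem comes after `digest_ok`, as in posts 6 and 9, has completed its own signing work, which narrows the search to what happens on the other side of that connection, while a flow that stalls before `cert_issued` points at enrollment and the CA.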
     
  11. JoergT1

    JoergT1 Bit poster

    Messages:
    5
    Hey Chris,
    I have cracked it.
    Our Windows CA was very, very old. Installed in the past on Windows Server 2008, we updated this machine to 2012R2 and then to 2019.
    I don't know what exactly the problem was, but I have installed a completely new CA, without backup and restore of the old one.
    I have compared a lot.....
    Sure, we had to update a lot of servers, but now the Parallels SAML works completely as expected.
    Thank you for your support.
     