Symptoms
When TrueSSO is enabled, launching a published desktop fails with the error "The request is Not Supported." and a status of "Reported authentication failure. Status=0xC00000BB".
The following error may be recorded in the Kerberos event logs on the agent desktop when attempting to launch:
0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
For details on log file location, see Location of Horizon (VDM) log files (1027744).
In the Horizon View Agent logs, you see log lines similar to the ones below:
2018-05-30T15:38:10.505+12:00 INFO (1350-12A4) <4772> [LogonUI] vmlm - wscredf Sending SSO_END
2018-05-30T15:38:10.505+12:00 WARN (1350-12A4) <4772> [LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).
Status : The request is not supported.
subStatus : The operation completed successfully.
2018-05-30T15:38:10.505+12:00 DEBUG (1350-12A4) <4772> [LogonUI] `anonymous-namespace'::SignalUnityEvent: Successfully opened event vmwarewsnm\NotReadyForUnity1. Signaling it now.
2018-05-30T15:38:10.509+12:00 DEBUG (1350-12A4) <4772> [LogonUI] cred::ReportResult(): Returned error 'The request is not supported.'
Purpose
This KB highlights a specific TrueSSO issue in which the authenticating domain controller is not configured for smartcard logons. A smart card logon is attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
For more detail please reference: Common configuration issues and guidelines with TrueSSO (90037)
Cause
The authenticating domain controller is not configured for smartcard logons.
Resolution
You need to have the Domain Controller Authentication certificate on all the domain controllers.
Steps to enroll a Domain Controller Authentication certificate:
1. On the domain controller, open mmc.
2. Click File and then Add/Remove Snap-in.
3. Select Certificates, click Add, then select Computer account.
4. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.
5. Press Next.
6. Select Domain Controller Authentication and press Enroll.
Note: If Domain Controller Authentication is not offered for enrollment in the domain controller's Certificates MMC, go to the Certificate Authority server, add the domain controller to the security settings of the Domain Controller Authentication template, and grant the appropriate AutoEnroll permissions.
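To confirm the resolution on all domain controllers rather than one at a time in the MMC, the following PowerShell audit can be run from an administrative workstation. It is an added example, not part of the original KB. It assumes the ActiveDirectory module and PowerShell remoting to the domain controllers are available, and that a certificate issued from the Domain Controller Authentication template carries the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2).

```powershell
# Added example: report, per domain controller, whether the computer store
# holds a currently valid certificate with the Smart Card Logon EKU.
# Assumptions: ActiveDirectory module installed, WinRM reachable on each DC.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

# Runs on each domain controller and inspects Cert:\LocalMachine\My
# (the "Personal" store shown under Certificates (Local Computer)).
$check = {
    param($EkuOid)
    $now = Get-Date
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EkuOid
    }
    # A candidate is usable only if it has a private key and is inside its validity period.
    $usable = $candidates | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        CandidateCerts   = @($candidates).Count
        UsableCerts      = @($usable).Count
        LatestExpiry     = ($usable | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
        Detail           = @($usable).Thumbprint -join ','
    }
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ScriptBlock $check `
            -ArgumentList $SmartCardLogonOid -ErrorAction Stop
    } catch {
        # An unreachable DC is reported, not silently skipped.
        [pscustomobject]@{
            DomainController = $dc
            CandidateCerts   = $null
            UsableCerts      = $null
            LatestExpiry     = $null
            Detail           = "unreachable: $($_.Exception.Message)"
        }
    }
}

# DCs with zero usable certificates sort first; these still need enrollment.
$results | Sort-Object UsableCerts |
    Format-Table DomainController, CandidateCerts, UsableCerts, LatestExpiry, Detail -AutoSize
```

A domain controller with CandidateCerts greater than zero but UsableCerts at zero holds an expired certificate or one without a private key, and needs re-enrollment just as one with no certificate does. The script does not validate the certificate chain.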