Symptoms
When a user logs in to their physical Windows workstation using Windows Hello for Business, and then tries to launch their VDI entitlement with Logon as Current User enabled, authentication will fail with the error message "The attempted logon is invalid. This is either due to a bad username or authentication information. The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem."
The following entries are seen in the Horizon Agent logs:
YYYY-MM-DDTHH:MM:SS.SSS+HH:MM WARN (1978-2048) <8264> [LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC000006D (WinErr=1326) and subStatus=0xC0000321 (WinErr=1264). Status : The user name or password is incorrect. subStatus : The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.
YYYY-MM-DDTHH:MM:SS.SSS+HH:MM DEBUG (1978-2048) <8264> [LogonUI] cred::ReportResult(): Returned error 'The attempted logon is invalid. This is either due to a bad username or authentication information. The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.'.
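One way to scan Horizon Agent logs for the Status/subStatus pair shown above, as an added example that is not part of the original article. The function name `find_whfb_failures`, the sample log text and its timestamps are constructed for illustration.

```python
import re

# NTSTATUS pair from the article's log excerpt.
STATUS_LOGON_FAILURE = 0xC000006D                # WinErr 1326
STATUS_SMARTCARD_SUBSYSTEM_FAILURE = 0xC0000321  # WinErr 1264

# Matches the WARN entry written by cred::ReportResult(). The timestamp pattern
# follows the YYYY-MM-DDTHH:MM:SS.SSS+HH:MM layout shown in the article.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})\s+WARN\s+"
    r"\(\S+\)\s+<\d+>\s+\[LogonUI\]\s+cred::ReportResult\(\):\s+"
    r"Reported authentication failure\.\s+"
    r"Status=(?P<status>0x[0-9A-Fa-f]+)\s+\(WinErr=\d+\)\s+and\s+"
    r"subStatus=(?P<sub>0x[0-9A-Fa-f]+)\s+\(WinErr=\d+\)"
)


def find_whfb_failures(log_text):
    """Return timestamps of entries carrying the article's Status/subStatus pair."""
    hits = []
    # finditer over the whole text (not line by line) so that entries which
    # have been run together on one line are still found.
    for m in ENTRY.finditer(log_text):
        status = int(m["status"], 16)
        sub = int(m["sub"], 16)
        if status == STATUS_LOGON_FAILURE and sub == STATUS_SMARTCARD_SUBSYSTEM_FAILURE:
            hits.append(m["ts"])
    return hits


# Constructed sample: one matching failure (with the DEBUG entry fused onto the
# same line) and one logon failure with a different subStatus that is ignored.
SAMPLE_LOG = (
    "2024-05-14T09:12:03.120+00:00 WARN (1978-2048) <8264> [LogonUI] "
    "cred::ReportResult(): Reported authentication failure. "
    "Status=0xC000006D (WinErr=1326) and subStatus=0xC0000321 (WinErr=1264). "
    "Status : The user name or password is incorrect. subStatus : The Kerberos "
    "protocol encountered an error while attempting to utilize the smartcard "
    "subsystem.2024-05-14T09:12:03.121+00:00 DEBUG (1978-2048) <8264> [LogonUI] "
    "cred::ReportResult(): Returned error 'The attempted logon is invalid.'.\n"
    "2024-05-14T09:40:17.002+00:00 WARN (1978-2048) <5120> [LogonUI] "
    "cred::ReportResult(): Reported authentication failure. "
    "Status=0xC000006D (WinErr=1326) and subStatus=0x0 (WinErr=0).\n"
)

if __name__ == "__main__":
    print(find_whfb_failures(SAMPLE_LOG))
```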
Purpose
This article explains why this error occurs.
Cause
Currently, only Windows Hello for Business with certificate trust is supported with Horizon. See Authentication with Windows Hello for Business.
Windows Hello for Business has 2 trust models for on-premises deployments and 3 trust models for hybrid / Azure AD deployments. See the Microsoft article Deployment and trust models for further information.
On-premises deployments can use Key Trust or Certificate Trust, while hybrid / Azure AD deployments can also use Cloud Kerberos Trust. See Comparing key-based and certificate-based authentication. If any trust model other than Certificate Trust is used, it will not work with the Logon as Current User feature.
Impact / Risks
Logon as Current User will fail if WHFB is being leveraged with a different trust model, requiring users to manually enter their credentials.
Resolution
This is a limitation of the current integration with WHFB. Currently there is no resolution.
Workaround
To prevent the logon error, disable the Logon as Current User feature in the Horizon Admin console.