Pages

Friday, September 30, 2016

Executing “Set-MsolADFSContext -computer” to configure Azure directory federation fails with: “The connection to .domain.com Active Directory Federation Services 2.0 server failed due to invalid credentials.”

Problem

You’ve used the Connect-MsolService cmdlet to connect to the WAAD instance then attempt to execute the Set-MsolADFSContext -computer <ADFSserver>.domain.com command to hook into the local ADFS server but notice that you get the password prompt that doesn’t appear to accept any passwords that you attempt to use:

image

After the second attempt to authenticate, you are presented with the following error:

PS C:\> Set-MsolADFSContext -computer adfs.domain.com
Set-MsolADFSContext : The connection to adfs.domain.com Active Directo
ry Federation Services 2.0 server failed due to invalid credentials.
At line:1 char:20
+ Set-MsolADFSContext <<<<  -computer adfs.domain.com
    + CategoryInfo          : InvalidOperation: (:) [Set-MsolADFSContext], Fed
   erationException
    + FullyQualifiedErrorId : ConnectionToGenevaServerFailed,Microsoft.Online.
   Identity.Federation.Powershell.ContextCredentialsCommand

PS C:\>

image

You’ve ensured that Enable-PSRemoting -force has been executed successfully as outlined in the following KB: https://support.microsoft.com/en-us/kb/2587730

image

You’ve also confirmed that the port 5985 is opened on the firewall as per the following TechNet blog: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/07/the-connection-to-adfs-domain-com-active-directory-federation-services-2-0-server-failed-due-to-invalid-credentials.aspx

You proceed to use the Set-MsolADFSContext cmdlet with the -logfile c:\log.txt switch for more information:

image

… and obtain the following information:

11/16/2015 10:07:37 AM    Command Set-MsolADFSContext invoked.
11/16/2015 10:07:37 AM    Creating ADFS Server PS session.
11/16/2015 10:07:37 AM    ContextCredentialsCommand:CreatePowerShellSessionToGenevaServer: Invoked.
11/16/2015 10:07:37 AM    Creating PS session to 'adfs.domain.com' ADFS server
11/16/2015 10:07:37 AM    Connect using current logged-on user creds.
11/16/2015 10:07:37 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:37 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:38 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:07:38 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:07:38 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:07:38 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:07:38 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:38 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:38 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:07:39 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:39 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:39 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:07:39 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:07:39 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:07:39 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:07:39 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:39 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:39 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:07:41 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:07:41 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:07:41 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:07:41 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:07:41 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:07:41 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:07:41 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:07:41 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:07:41 AM    Failure after too many retry attempts...
11/16/2015 10:07:41 AM    Wrong credentials to ADFS Server connection, attempt #'1'
11/16/2015 10:07:41 AM    Prompting the user for 'adfs.domain.com' ADFS Server creds.
11/16/2015 10:07:41 AM    ContextCredentialsCommand:GetServerCredentials: Invoked.
11/16/2015 10:08:04 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:04 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:04 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:04 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:04 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:04 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:04 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:04 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:04 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:08:05 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:05 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:06 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:06 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:06 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:06 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:06 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:06 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:06 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:08:08 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:08 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:08 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:08 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:08 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:08 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:08 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:08 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:08 AM    Failure after too many retry attempts...
11/16/2015 10:08:08 AM    Wrong credentials to ADFS Server connection, attempt #'2'
11/16/2015 10:08:08 AM    Prompting the user for 'adfs.domain.com' ADFS Server creds.
11/16/2015 10:08:08 AM    ContextCredentialsCommand:GetServerCredentials: Invoked.
11/16/2015 10:08:22 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:22 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:23 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:23 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:23 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:23 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:23 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:23 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:23 AM    Going to sleep mode for 1000 milliseconds before reattempt - 2
11/16/2015 10:08:24 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:24 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:24 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:24 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:24 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:24 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:24 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:24 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:24 AM    Going to sleep mode for 2000 milliseconds before reattempt - 3
11/16/2015 10:08:26 AM    Runspace Connection info: Scheme:http Port:5985, AuthenticationType:Default Uri:adfs.domain.com AppName:wsman, Shell:
http://schemas.microsoft.com/powershell/Microsoft.PowerShell
11/16/2015 10:08:26 AM    Connection Uri: http://adfs.domain.com:5985/wsman/
11/16/2015 10:08:26 AM    Opening runspace to 'http://adfs.domain.com:5985/wsman/'
11/16/2015 10:08:26 AM    System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
11/16/2015 10:08:26 AM    fullyQualifiedErrorId: System.Management.Automation.Remoting.PSRemotingDataStructureException
11/16/2015 10:08:26 AM    Command failed: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException: Connecting to remote server adfs.domain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. 
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.ParseAndThrowErrorRecord(ErrorRecord errorRecord, String overRideErrorId)
   at Microsoft.Online.Identity.Federation.Powershell.PowerShellSession.VerifyAndReconnectRunSpacePool()
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.OpenToGenevaServer(PSCredential serverCredential)
   at Microsoft.Online.Identity.Federation.Powershell.ContextCredentialsCommand.<>c__DisplayClass2.<CreatePowerShellSessionToGenevaServer>b__0()
   at Microsoft.Online.Identity.Federation.Powershell.Utility.InvokeOperationWithRetry(Action operation, Type exceptionType, String errorId, Int32 retryCount, Int32 retryWaitTimeInMilliseconds)
11/16/2015 10:08:26 AM    Retry errorId: ConnectionToGenevaServerFailed
11/16/2015 10:08:26 AM    Retry exception: Microsoft.Online.Identity.Federation.Powershell.IdentityFederationException
11/16/2015 10:08:26 AM    Failure after too many retry attempts...
11/16/2015 10:08:26 AM    Wrong credentials to ADFS Server connection, attempt #'3'

Reviewing the event logs of the ADFS server (not the proxy) show that the following Event ID 4 error is logged:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server bmadfs01$. The target name used was HTTP/adfs.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domain.COM) is different from the client domain (domain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Log Name: System

Source: Security-Kerberos

Event ID: 4

Level: Error

image

You’ve reviewed the following forum post and your environment does not exhibit the SPN issue:

https://social.technet.microsoft.com/Forums/windows/en-US/a4c5c787-ea65-4150-8d16-2a19c569a589/enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error-0x80090322?forum=winserverpowershell

Solution

The solution to this issue if none of the above troubleshooting suggestions apply to your environment actually to execute the Set-MsolADFSContext cmdlet using the internal ADFS server’s FQDN rather than the adfs A record you created to reference the server.  The environment I worked in that exhibited this issue had an internal DNS A record adfs that mapped to the internal ADFS server so when the cmdlet was executed referencing this record, it caused the Kerberos error to be thrown and logged.  As simple as this error could be, I find that this question gets asked quite often so I hope this blog post would help those encounter this issue.

Wednesday, September 28, 2016

Attempting to connect to VMware Horizon View virtual desktop through the security server throws the error: “Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.”

Problem

You’ve noticed that the following error is thrown when you attempt to connect to a VMware Horizon View virtual desktop through the security server with the VMware Horizon Client:

Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.

imageimage

The following information is logged in the events:

Severity: Audit failure

Module: Connection Server

Message: Unable to launch from Pool <desktopPoolName> for user domain\username

More Information: Unable to launch from Pool <desktopPoolName> for user domain\username: No co-management availability for protocol PCoIP

image

Attempting to use the Blast protocol from the View client will present a black screen:

image

image

… then thrown the following error:

The connection to the remote computer ended

image

Attempting to use the browser to login:

image

… will briefly present a triangle and exclamation mark for the desktop:

image

Then display the following error:

An error has occurred: {"code":"ETIMEDOUT","errno":"ETIMEDOUT","syscall":"connect","address":"10.34.30.60","port":22443}

image

Solution

One of the reasons why these errors would be thrown is if the following ports are not opened between the Security servers to the virtual desktops:

  • TCP/UDP 4172
  • TCP 22443
  • TCP 32111
  • UDP 22443
  • TCP 9427

Verify the ports above and all other ports identified in the following KB:

VMware View ports and network connectivity requirements (1027217)
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027217