Kerberos Authentication Errors in Connection Manager (AWS Workspaces)

Question

Installed the PCoIP Connection Manager for Amazon WorkSpaces instance per documentation and when running diagnostics or connection with Zero Clients we are getting authentication errors. We are able to connect to Workspaces directly so no issues there. It also appears that initial handshake is established but then fails auth. The instance is in the same VPC and Subnet as the Workspaces. Error log below:

2015-12-31T13:51:40.057Z TRACE PCMUtils                            : Client-Log-Id generated: 686b389e-a59e-4ccf-84fd-3536327ae21a
2015-12-31T13:51:40.073Z INFO  Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: ========> Detected a new session from client at 127.0.0.1
2015-12-31T13:51:40.075Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Received request from client (hello): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><hello><client-info><product-name>Teradici Session Test Emulator</product-name><product-version>0.0.0</product-version><platform>Ubuntu 12.04</platform><locale>en_US</locale><hostname>my-ste-hostname</hostname><serial-number>my-ste-serial-number</serial-number><device-name>my-ste-device-name</device-name><organization-id>my-organization</organization-id></client-info><caps></caps></hello></pcoip-client>
2015-12-31T13:51:40.075Z TRACE AuthenticationAppliancePreProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Pre-processing message of type: Value: hello
2015-12-31T13:51:40.076Z TRACE Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Setting PBP version negotiated with client to 2.1
2015-12-31T13:51:40.076Z TRACE Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Setting PBP version negotiated with broker to 2.1
2015-12-31T13:51:40.087Z TRACE Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Setting locale to en_US
2015-12-31T13:51:40.087Z TRACE PCMUtils                            id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: X-Forwarded-For sent to the broker: 127.0.0.1
2015-12-31T13:51:40.175Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=none c=0021: Sending request to AWS broker (hello): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><hello><client-info><product-name>Teradici Session Test Emulator</product-name><product-version>0.0.0</product-version><platform>Ubuntu 12.04</platform><locale>en_US</locale><hostname>my-ste-hostname</hostname><serial-number>my-ste-serial-number</serial-number><device-name>my-ste-device-name</device-name><organization-id>XXXXXXXXX</organization-id></client-info><pcm-info><product-name>PCoIP Connection Manager for Amazon WorkSpaces</product-name><product-version>1.0.3.127.46151</product-version><platform>GNU/Linux x86_64</platform><ip-address>XXX.XXX.XXX.XXX</ip-address><hostname>XXXXXXXXX.ec2.internal</hostname></pcm-info><caps><cap>CAP_KERBEROS_AUTHENTICATION</cap><cap>CAP_ALTERNATE_PROVISIONING</cap></caps></hello></pcoip-client>
2015-12-31T13:51:40.246Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Received response from AWS broker (hello-resp): <?xml version="1.0" encoding="UTF-8" standalone="yes"?><pcoip-client revision="0" version="2.1"><hello-resp><brokers-info><broker-info><product-name>AWS WorkSpaces Connection Manager</product-name><product-version></product-version><platform></platform><locale></locale><ip-address></ip-address><hostname></hostname></broker-info></brokers-info><next-authentication><authentication-methods><method>AUTHENTICATE_VIA_KERBEROS</method></authentication-methods><domains/><kerberos-parameters><request-password/></kerberos-parameters></next-authentication></hello-resp></pcoip-client>
2015-12-31T13:51:40.246Z INFO  PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Received Set-Cookie: JSESSIONID=db9e****3a0b;HttpOnly;Secure
2015-12-31T13:51:40.246Z TRACE uthenticationAppliancePostProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Post-processing message: Value: hello
2015-12-31T13:51:40.246Z TRACE Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Setting PBP version negotiated with broker to 2.1
2015-12-31T13:51:40.247Z TRACE Context                             id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Setting PBP version negotiated with client to 2.1
2015-12-31T13:51:40.249Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Sending response to client (hello-resp): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><hello-resp><brokers-info><broker-info><product-name>AWS WorkSpaces Connection Manager</product-name><product-version /><platform /><locale>en_US</locale><ip-address /><hostname /></broker-info></brokers-info><pcm-info><product-name>PCoIP Connection Manager for Amazon WorkSpaces</product-name><product-version>1.0.3.127.46151</product-version><platform>GNU/Linux x86_64</platform><ip-address>XXX.XXX.XXX.XXX</ip-address><hostname>XXXXXXXXX.ec2.internal</hostname></pcm-info><next-authentication><authentication-methods><method>AUTHENTICATE_VIA_PASSWORD</method></authentication-methods><domains><domain>XXXXXXXXX.com</domain></domains></next-authentication></hello-resp></pcoip-client>
2015-12-31T13:51:40.255Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0021: Processing request (hello) / response (hello-resp) took: 182ms
2015-12-31T13:51:40.310Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Received request from client (authenticate): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><authenticate method="password"><username>XXXXXXXXX</username><password>****</password><domain>XXXXXXXXX</domain></authenticate></pcoip-client>
2015-12-31T13:51:40.311Z TRACE AuthenticationAppliancePreProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Pre-processing message of type: Value: authenticate (with password)
2015-12-31T13:51:40.311Z DEBUG AuthenticationAppliancePreProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Using Java KRB5.
2015-12-31T13:51:40.371Z TRACE PCoIPProcessorHelper                id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Retrieved request-password: true
2015-12-31T13:51:40.382Z TRACE PCMUtils                            id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: X-Forwarded-For sent to the broker: 127.0.0.1
2015-12-31T13:51:40.389Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Sending request to AWS broker (authenticate): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><authenticate method="kerberos"><kerberos-ticket>****</kerberos-ticket><user-principal-name>XXXXXXXXX@XXXXXXXXX.COM</user-principal-name><password>****</password></authenticate></pcoip-client>
2015-12-31T13:51:40.636Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Received response from AWS broker (authenticate-resp): <?xml version="1.0" encoding="UTF-8" standalone="yes"?><pcoip-client revision="0" version="2.1"><authenticate-resp method="kerberos"><result><result-id>AUTH_FAILED_KERBEROS_TICKET_INVALID</result-id><result-str>Authentication failed. Invalid kerberos ticket.</result-str></result></authenticate-resp></pcoip-client>
2015-12-31T13:51:40.636Z TRACE uthenticationAppliancePostProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Post-processing message: Value: authenticate (with password)
2015-12-31T13:51:40.637Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Sending response to client (authenticate-resp): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><authenticate-resp method="password"><result><result-id>AUTH_FAILED_UNKNOWN_USERNAME_OR_PASSWORD</result-id><result-str>User authentication failed. Please re-enter username, password, and/or domain.</result-str></result></authenticate-resp></pcoip-client>
2015-12-31T13:51:40.638Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0022: Processing request (authenticate) / response (authenticate-resp) took: 329ms
2015-12-31T13:51:40.682Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Received request from client (bye): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><bye><reason>Session Test finsihed.</reason></bye></pcoip-client>
2015-12-31T13:51:40.682Z TRACE AuthenticationAppliancePreProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Pre-processing message of type: Value: bye
2015-12-31T13:51:40.687Z TRACE PCMUtils                            id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: X-Forwarded-For sent to the broker: 127.0.0.1
2015-12-31T13:51:40.704Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Sending request to AWS broker (bye): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><bye><reason>Session Test finsihed.</reason></bye></pcoip-client>
2015-12-31T13:51:40.740Z TRACE PCoIPBrokerHttpsConnectionImpl      id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Received response from AWS broker (error-resp): <?xml version="1.0" encoding="UTF-8" standalone="yes"?><pcoip-client revision="0" version="2.1"><error-resp><result><result-id>ERR_INVALID_SESSION</result-id><result-str>The sessionId provided is invalid</result-str></result><detected-by>PCM</detected-by></error-resp></pcoip-client>
2015-12-31T13:51:40.740Z TRACE uthenticationAppliancePostProcessor id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Post-processing message: Value: bye
2015-12-31T13:51:40.741Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Sending response to client (error-resp): <?xml version="1.0" encoding="UTF-8"?><pcoip-client version="2.1"><error-resp><result><result-id>ERR_INVALID_SESSION</result-id><result-str>Error 6606: Command failed. Please report this failure to your system administrator.</result-str></result><detected-by>BROKER</detected-by></error-resp></pcoip-client>
2015-12-31T13:51:40.742Z TRACE PCoIPConnectionManagerPBPServlet    id=686b389e-a59e-4ccf-84fd-3536327ae21a s=0007 c=0023: Processing request (bye) / response (error-resp) took: 77ms

Answer 1

Best Answer

Answer by Monty617 · Jan 04, 2016 at 12:54 PM

So to answer my own question it looks like the Teradici PCoIP Connection Manager instance may not fully support Microsoft AD in AWS. Rebuilt the domain in Amazon Simple AD and it works like a charm. If anyone has any experience with MS AD and can provide some insight it would be greatly appreciated.

0 · Share

Answer 2

Answer by krama westzaan · Mar 21, 2016 at 12:46 PM

Hi Monty617,

My error messages are almost the same.

Do you have some logging that backs 'it looks like the Teradici PCoIP Connection Manager instance may not fully support Microsoft AD in AWS.'?

Thx

Krama

0 · Share

Answer 3

Answer by Monty617 · Mar 21, 2016 at 01:42 PM

Luckily this was a new build so we were able to switch to Amazon Simple AD. Would have liked to have the option of MS AD for other reasons but at this point we have moved on. If anyone has any progress in this area we would certainly be interested.

0 · Share

Answer 4

Answer by krama westzaan · Mar 21, 2016 at 01:59 PM

Thx for sharing. We arent that lucky, we have and need MS AD so we cant switch.

0 · Share

Kerberos Authentication Errors in Connection Manager (AWS Workspaces)

4 Replies

Your answer

Welcome to the PCoIP Community Forum!

Recently purchased PCoIP Zero Clients or PCoIP Remote Workstation Cards?

Related Questions