FAS - Request not supported while launching a published Desktop with FAS

• Launching of a published desktop fails when StoreFront server is configured to use FAS.
• You will get an error "请求不支持".
• The below error may be seen in Kerberos event logs on the VDA when attempting to launch.

0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type

* Kerberos events are logged under System Event logs when Kerberos logging is enabled through Registry. These are the Registry settings for VDA.

Location: 电脑\ HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type:DWORD
Name:LogLevel
Value:0x1

Location: 电脑\ HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type:DWORD
Name:KerbDebuglevel
Value:0xffffffff

Location:电脑\ HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Kdc
Type:DWORD
Name:KdcDebugLevel
Value:0x1

Location:电脑\ HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Kdc
Type:DWORD
Name:KdcExtraLogLevel
Value:0x1f

Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).

You need to have aDomain ControllerorDomain Controller Authenticationcertificate on all the domain controllers. To enroll for a new certificate follow the below steps.

1. On the domain controller, open mmc.
2. Click File, Click Add/Remove Snap-in.
3. Select Certificates, click Add, then select Computer account.
4. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.
5. Press Next.
6. SelectDomain Controller or Domain Controller Authenticationand press Enroll.

Note: If you do not see the Domain Controller Authentication on the Auto Enrollment in the Domain Controler or Domain Controller certificate mmc, you need to go to Certificate Authority server and add the domain controller in the security of the Domain Controller Authentication Template and give AutoEnroll permissions.

Note: If you have multiple domain controllers, Admin needs to ensure the DC doing cert validation for user should have domain controller auth certificate in personal store.

• The domain controller has no certificate issued by the Enterprise PKI component in its computer certificate store.
• This can be confirmed by the event 19 or 29: "The key distribution center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service/fas-config-manage/fas-troubleshoot-logon.html#kerberos-logs

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.