Logon using SAML failed. Error: Failed to match AD User. (0X00000006)

1 users found this article helpful

Applies to:
- Parallels Remote Application Server
Last Review: Oct 24, 2023
Available Translations:
Get updates Download

Symptoms

User fails to login with SAML, error Logon using SAML failed. Error: Failed to match AD User. (0X00000006) is thrown.

[E 72/00000006/T0340/P04C8] 26-03-20 11:41:51 - SAML - User:'aaa@xxx.yyy.zzz' - Failed to find AD user for aaa@xxx.yyy.zzz [E 0E/0000002C/T0340/P04C8] 26-03-20 11:41:51 - SAML: Failed to Identify User from Assertion [T 00/00000000/T0340/P04C8] 26-03-20 11:41:51 - Error Msg: Logon using SAML failed. Error: Failed to match AD User. (0X00000006)

Cause

Incorrect SAML attribute in RAS settings:

Resolution

Check what exactly attributes are sent in IdP response:

Right in browser: https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html
Or from L5 controller.log (only for unencrypted assertions): find record starting with NEWAUTH_XML_PACKET RECEIVED 5. <?xml version="1.0" encoding="UTF-8"?><RootXML xmlns:dt="urn:schemas-microsoft-com:datatypes"><Prov><Type xml:space="preserve" dt:dt="string">SAML</Type><Method><Name xml:space="preserve" dt:dt="string">SAML</Name><Data><SAMLIdPUser xml:space="preserve" dt:dt="string">
Copy the text in SAMLAssertion tag to online Base64 decoder, decode it and look for Attribute tags, they look like this:
<Attribute Name="givenname"><AttributeValue>aaa</AttributeValue></Attribute> <Attribute Name="surname"><AttributeValue>bbb</AttributeValue></Attribute> <Attribute Name="name"><AttributeValue>aaa@xxx.yyy.zzz</AttributeValue></Attribute>

Figure out the right name of the attribute (name in this particular case) and adjust SAML Attribute name in RAS accordingly to it:

Was this article helpful?

Tell us how we can improve it.