Symptoms
First, see How to analyze the log files to identify single-sign on (SSO) issues.
Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following appears:
Using specified cache: /etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache
Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem
[3734] 1646988007.867344: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[3734] 1646988007.867346: Sending unauthenticated request
[3734] 1646988007.867347: Sending request (245 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867348: Resolving hostname somehost.somedomain.org
[3734] 1646988007.867349: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988007.867350: Received answer (232 bytes) from dgram 10.1.2.3:88
[3734] 1646988007.867351: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[3734] 1646988007.867352: No URI records found
[3734] 1646988007.867353: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[3734] 1646988007.867354: SRV answer: 0 100 88 "somehost.somedomain.org."
[3734] 1646988007.867355: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[3734] 1646988007.867356: Response was not from master KDC
[3734] 1646988007.867357: Received error from KDC: -1765328359/Additional pre-authentication required
[3734] 1646988007.867360: Preauthenticating using KDC method data
[3734] 1646988007.867361: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[3734] 1646988007.867362: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[3734] 1646988007.867363: PKINIT loading CA certs and CRLs from FILE
[3734] 1646988007.867364: PKINIT client computed kdc-req-body checksum 9/AD393606386E83639F001105318E20FF703365A8
[3734] 1646988007.867366: PKINIT client making DH request
[3734] 1646988007.867367: Preauth module pkinit (16) (real) returned: 0/Success
[3734] 1646988007.867368: Produced preauth for next request: PA-PK-AS-REQ (16)
[3734] 1646988007.867369: Sending request (7252 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867370: Resolving hostname somehost.somedomain.org
[3734] 1646988007.867371: Initiating TCP connection to stream 10.1.2.3:88
[3734] 1646988007.867372: Sending TCP request to stream 10.1.2.3:88
[3734] 1646988017.917766: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988017.917767: Received answer (122 bytes) from dgram 10.1.2.3:88
[3734] 1646988017.917768: Terminating TCP connection to stream 10.1.2.3:88
[3734] 1646988017.917769: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[3734] 1646988017.917770: No URI records found
[3734] 1646988017.917771: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[3734] 1646988017.917772: SRV answer: 0 100 88 "somehost.somedomain.org."
[3734] 1646988017.917773: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[3734] 1646988017.917774: Response was not from master KDC
[3734] 1646988017.917775: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3734] 1646988017.917776: Request or response is too big for UDP; retrying with TCP
[3734] 1646988017.917777: Sending request (7252 bytes) to SOMEDOMAIN.ORG (tcp only)
[3734] 1646988017.917778: Resolving hostname somehost.somedomain.org
[3734] 1646988017.917779: Initiating TCP connection to stream 10.1.2.3:88
[3734] 1646988017.917780: Sending TCP request to stream 10.1.2.3:88
2022-03-11 08:40:27.879492 SOMEAWINGUHOST awingu-worker-smc.service[manage.py:29226]: Task cdsessions.tasks.refresh_sso_certificate failed
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/django_q/cluster.py", line 448, in worker
res = f(*task["args"], **task["kwargs"])
File "/usr/lib/python3/dist-packages/awingucore/cdsessions/tasks.py", line 234, in refresh_sso_certificate
return _refresh_sso_certificate(domain, upn, rah_token, new_password)
File "/usr/lib/python3/dist-packages/awingucore/cdsessions/tasks.py", line 392, in _refresh_sso_certificate
timeout=LDAP_TIMEOUT)
File "/usr/lib/python3.6/subprocess.py", line 863, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
File "/usr/lib/python3.6/subprocess.py", line 1535, in _communicate
self._check_timeout(endtime, orig_timeout)
File "/usr/lib/python3.6/subprocess.py", line 891, in _check_timeout
raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['/opt/krb5-1.17/bin/kinit', '-V', '-X', 'X509_user_identity=FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem', '-c', '/etc/awingu/domains/AWINGUDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache', '-E', 'someuser@somedomain.org@SOMEDOMAIN.ORG']' timed out after 20 seconds
2022-03-11 08:40:27.896735 SOMEAWINGUHOST awingu-worker-smc.service[manage.py:1763]: Failed [carolina-music-lake-asparagus] - Command '['/opt/krb5-1.17/bin/kinit', '-V', '-X', 'X509_user_identity=FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem', '-c', '/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache', '-E', 'someuser@somedomain.org@SOMEDOMAIN.ORG']' timed out after 20 seconds
Cause
There is an issue with the UDP communication.
Resolution
Some of the reported solutions:
- Use Microsoft Windows Server versions supported by Parallels Secure Workspace.
- Make sure the user is not a member of an excessive number of Active Directory groups.
- Check whether Parallels Secure Workspace can use both UDP and TCP on port 88: see How to perform a port scan (tcpscan/udpscan).
- Install the latest updates for the Microsoft Windows Server and for the hypervisor on which the virtual machines (if applicable) are running.
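
Before running the port scan, the kinit trace itself shows which requests to port 88 were answered and where the client stalled. The following Python sketch is an added example, not Parallels code: it summarizes a trace of the format shown under Symptoms, using a shortened sample of those lines; the function name and the 5-second stall threshold are assumptions.

```python
import re
from collections import Counter

# Shortened sample built from the trace lines shown under Symptoms.
SAMPLE = """\
[3734] 1646988007.867349: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988007.867350: Received answer (232 bytes) from dgram 10.1.2.3:88
[3734] 1646988007.867357: Received error from KDC: -1765328359/Additional pre-authentication required
[3734] 1646988007.867369: Sending request (7252 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867372: Sending TCP request to stream 10.1.2.3:88
[3734] 1646988017.917766: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988017.917767: Received answer (122 bytes) from dgram 10.1.2.3:88
[3734] 1646988017.917775: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3734] 1646988017.917780: Sending TCP request to stream 10.1.2.3:88
"""

LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SENT = re.compile(r"^Sending (?:initial |retry )?(UDP|TCP) request to (?:dgram|stream) (\S+)$")
RECV = re.compile(r"^Received answer \(\d+ bytes\) from (dgram|stream) (\S+)$")
KDC_ERR = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")

def summarize(trace, stall_seconds=5.0):
    """Count requests and answers per (transport, KDC address), list KDC errors and stalls."""
    sent, answered, errors, stalls = Counter(), Counter(), [], []
    prev_ts = None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tracebacks and syslog lines are not trace records
        ts, msg = float(m.group(2)), m.group(3)
        if prev_ts is not None and ts - prev_ts >= stall_seconds:
            stalls.append(round(ts - prev_ts, 1))  # gap between consecutive trace lines
        prev_ts = ts
        if (s := SENT.match(msg)):
            sent[(s.group(1), s.group(2))] += 1
        elif (r := RECV.match(msg)):
            proto = "UDP" if r.group(1) == "dgram" else "TCP"
            answered[(proto, r.group(2))] += 1
        elif (e := KDC_ERR.match(msg)):
            errors.append((int(e.group(1)), e.group(2)))
    unanswered = {k: n - answered[k] for k, n in sent.items() if n > answered[k]}
    return {"unanswered": unanswered, "kdc_errors": errors, "stalls": stalls}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An entry under "unanswered" names the transport and address to test with the port scan.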