Parallels RAS 20 Administrator's Guide
ProductsSupportPartnersDocumentation
English
English
  • Parallels RAS 20 Administrator’s Guide
    • Introduction
      • Parallels RAS release history
      • About Parallels RAS
      • About this guide
      • What's new
      • Terms and abbreviations used in this guide
    • Installing Parallels RAS
      • System requirements
        • Hardware requirements
        • Software requirements
        • Microsoft license requirements
      • Install Parallels RAS
      • Log in and activate Parallels RAS
    • Getting Started with Parallels RAS
      • The Parallels RAS Console
      • Set up a basic Parallels RAS Farm
        • Add an RD Session Host
        • Publish applications
        • Invite users
        • Azure Virtual Desktop
        • Conclusion
    • Farm and Sites
      • Connecting to a Parallels RAS Farm
      • About Sites
      • Sites in the RAS Console
      • Adding a Site to the Farm
      • Replicating Site settings
      • Managing Licensing Site
      • Managing administrator accounts
        • Adding an administrator account
        • Administrator account permissions
        • Managing administrator accounts
        • Configure RAS Console idle sessions
        • Using instant messaging
        • Joining Customer Experience Program
    • RAS Connection Broker
      • Configuring RAS Connection Brokers
      • Secondary Connection Brokers
      • Managing Secondary Connection Brokers
      • Using computer management tools
    • RAS Secure Gateway
      • Overview
      • Adding a RAS Secure Gateway
      • Manually adding a RAS Secure Gateway
      • Checking the RAS Secure Gateway status
      • Configuring a RAS Secure Gateway
        • Enable or disable a Secure Gateway
        • Set public address
        • Set IP addresses for client connections
        • Site defaults (Secure Gateways)
        • Gateway mode and forwarding settings
        • Gateway network options
        • SSL/TLS encryption
          • SSL server configuration
        • Configure User Portal
          • Using Site defaults
          • Enable or disable User Portal
          • Client settings
          • Network load balancers access
        • Wyse ThinOS support
        • Secure Gateway security
        • Web request load balancing
      • Secure Gateway tunneling policies
      • Configure logging
      • Viewing Secure Gateway summary and metrics
      • Using computer management tools
    • RD Session Hosts
      • RD Session Host types
      • Add an RD Session Host
        • Installing the agent manually
      • Add a template-based RD Session Host
      • Manage RD Session Hosts
        • Manage host pools (RD Session Hosts)
          • Add host pools (RD Session Hosts)
          • Upgrading Agents (RD Session Hosts)
        • Manage templates (RD Session Hosts)
          • Creating an RD Session Host template
          • Assigning a template to a host pool (RD Session Host)
          • Managing RD Session Hosts based on a template
        • Manage hosts (RD Session Hosts)
          • Viewing RD Session Hosts
          • Check an RD Session Host Agent status
          • Change RD Session Host Site assignment
          • View and modify RD Session Host properties
            • Using default settings
            • General
            • Agent settings
            • User profile
            • Application Packages
            • Optimization
            • Desktop access
            • RDP printer
          • User profile
            • User Profile Disks
            • FSLogix
              • Configure managing existing profiles by Parallels RAS
              • FSLogix antivirus exclusions
          • Optimization
          • Drive redirection cache
          • Configure logging
        • Manage sessions (RD Session Host)
        • Using scheduler (RD Session Hosts)
      • Planning for high availability
      • Managing logons
      • Using computer management tools
      • Publishing from an RD Session Host
      • Viewing published resources
    • Virtual Desktop Infrastructure (VDI)
      • Supported providers
      • Add a provider
        • RAS Provider Agent information
          • RAS Provider Agent installation options
        • Add a hypervisor provider
        • Add a cloud Provider
          • Microsoft Azure
            • Introduction and prerequisites
            • Create Microsoft Entra ID application
            • Add Microsoft Azure as a Provider
            • Microsoft Azure and templates
          • Amazon Web Services
            • Introduction and prerequisites
            • Design considerations
            • Step 1. Creating an IAM user for programmatic access
            • Step 2. Adding AWS as a Provider
      • Manage VDI
        • Manage providers (VDI)
          • Installing RAS Provider Agent using the installer
          • Checking the RAS Provider Agent status
          • Using a Provider in multiple farms
        • Manage host pools (VDI)
          • Add host pools (VDI)
          • Delete host pools (VDI)
          • Add and delete host pool members
          • Using a wildcard to filter VMs
          • Managing hosts in pools
          • Upgrading Agents (VDI)
        • Manage templates (VDI)
          • Virtual desktop templates
          • Multi-provider template distribution
          • Creating a VM template
            • Step 1: Check and install the Agent
            • Step 2: Configure the template
              • Properties
              • Distribution
              • Advanced
              • Preparation
              • Optimization
              • License keys
              • Summary
              • Host naming
            • Parallels Test Template Wizard
            • Modifying template properties
          • How hosts are created from a template
          • Manually adding a host
          • Assigning a template to a host pool (VDI)
          • Template maintenance
          • Template status
          • Managing multi-provider template distribution
          • Managing template-based hosts
        • Manage hosts (VDI)
          • Persistent hosts
          • Configuring hosts to interact with RAS Provider Agent in a different subnet
        • Manage sessions (VDI)
        • Using scheduler (VDI)
      • Configure logging
      • Enabling high availability for VDI
      • Site defaults (VDI)
      • Using computer management tools
      • Viewing Provider summary
      • Remote PC pools in VDI
        • Adding a Provider
        • Adding Remote PCs to a Provider
        • Adding Remote PCs to a pool
        • Managing Remote PCs in a pool
        • Persistent Remote PCs
        • RAS Guest Agent installation options
    • Azure Virtual Desktop
      • Introduction
      • Prerequisites
      • Deploy Azure Virtual Desktop
        • Enable Azure Virtual Desktop and add a provider
        • Add workspaces
        • Add host pools (Azure Virtual Desktop)
      • Manage Azure Virtual Desktop
        • Manage providers (Azure Virtual Desktop)
        • Manage workspaces (Azure Virtual Desktop)
        • Manage host pools (Azure Virtual Desktop)
          • Upgrading Agents (Azure Virtual Desktop)
        • Manage templates (Azure Virtual Desktop)
          • Create a template
          • Manage existing templates
          • Assigning a template to a host pool (Azure Virtual Desktop)
        • Manage hosts (Azure Virtual Desktop)
        • Manage sessions (Azure Virtual Desktop)
        • Using scheduler (Azure Virtual Desktop)
      • Site defaults (Azure Virtual Desktop)
        • Site defaults for single-session hosts
        • Site defaults for multi-session hosts
      • Using Parallels Client with Azure Virtual Desktop
      • Verify the deployment
    • Remote PCs
      • Overview
      • Manage host pools (Remote PC)
      • Manage hosts (Remote PC)
        • Adding a Remote PC to a Farm
          • Admin-initiated Remote PC enrollment
          • Self-service Remote PC enrollment
        • Configuring a Remote PC
      • Viewing Remote PC summary
      • Using computer management tools
    • Publishing
      • Overview
      • Publishing a desktop
      • Publishing an application
      • Publishing local applications
      • Publishing an application with MSIX app attach
      • Publishing a web application
      • Publishing a network folder
      • Publishing a document
      • General management tasks
      • Manage published applications
      • Manage published desktops
      • Manage published documents
      • Manage folders
      • Site defaults (Publishing)
      • Using filtering rules
      • Configuring preferred routing
      • Understanding session prelaunch
      • Checking effective access
      • Specifying client settings
      • Quick keypad
    • Session Management
      • Overview
      • Session information
      • Monitoring settings
      • Managing sessions
      • The Resources tab
    • SSL Certificate Management
      • Generating a self-signed certificate
      • Generating a certificate signing request (CSR)
      • Let's Encrypt certificates
        • Requesting a Let's Encrypt Certificate
        • How Parallels RAS requests certificates from Let's Encrypt
      • Importing a certificate
      • Exporting a certificate
      • Assigning a certificate to Secure Gateways and HALBs
      • Auditing certificates
      • Permissions to manage certificates
      • Upgrading from an older RAS version
    • Connection and Authentication Settings
      • RAS Connection Broker connection settings
      • Remote session settings
      • Logon hours settings
      • Restricting access by Parallels Client type and build number
      • Multi-factor authentication
        • Adding an MFA provider
        • Using RADIUS
          • Connection
          • Attributes
          • Automation
          • Advanced
          • Configuring Azure MFA
          • Configuring Duo
        • Using TOTP
          • Configuring TOTP
          • Configuring Google Authenticator
          • Configuring Microsoft Authenticator
        • Configuring email OTP
        • Using Deepnet DualShield
          • Supported tokens
          • Configuring DualShield 5.6+ Authentication Platform
          • Configuring Parallels RAS to use the DualShield Authentication Platform
          • Connect to a RAS Farm
        • Using SafeNet
          • Configuring SafeNet
        • Configuring MFA rules
      • Allowing users to change domain password
      • Allowing users to discover RAS connections via email address
    • Load Balancing and HALB
      • Resource based & round robin load balancing
        • Configure CPU optimization
      • High availability load balancing (HALB)
        • Prerequisites
        • Deploying a Parallels HALB appliance
        • Adding a HALB virtual server
        • HALB Device status and version number
        • HALB maintenance
        • HALB connection and session information
        • Changing the HALB appliance password
    • RAS Multi-Tenant Architecture
      • Overview
      • Architecture description
        • Implementation overview
        • User connection flow
      • Deploying Tenant Broker and Tenants
        • Deploying Tenant Broker
        • Deploying a Tenant
          • Join a Tenant to Tenant Broker
          • Joining with a secret key
          • Verify join status
          • Configure network
          • Assign a public domain address
          • Configure an SSL certificate
          • Set up routing for incoming traffic
        • User authentication
        • Unjoining from Tenant Broker
      • Managing Tenants
        • Tenant configuration
        • Deleting a Tenant object
        • Opening a Tenant console
      • Shared Gateways
      • Third-party network load balancers
      • Web Client and Themes
      • Monitoring Tenants
      • Tenant Broker compatibility and updates
      • Upgrading from an older RAS version
      • Configuring notifications
      • Communication ports
    • SAML SSO Authentication
      • Introduction
      • System requirements
      • SAML basics
      • SAML configuration
        • Prerequisites
        • IdP side configuration
        • SP side configuration (RAS side)
        • Active Directory user account configuration
        • Configure certificate authority templates
          • Create an Enrollment Agent template
          • Create a smartcard logon certificate template
        • RAS Enrollment Server configuration
        • RAS Enrollment Server high availability
        • SAML integration examples and tips
          • User account attributes
          • Security tip
      • Parallels Client configuration
      • Parallels client policy configuration
      • Test the SAML SSO deployment
      • Error messages
    • Parallels Web Client and User Portal
      • Configure Web Client
      • Configure Themes
        • General settings
        • Access settings
        • Message settings
        • Web Client settings
          • URLs
          • Branding
          • Colors
          • Language bar
          • Messages
          • Input prompt
          • Gateway
          • Legal policies
        • Parallels Client for Windows settings
        • General Theme tasks
        • Delegating session management permissions
      • Open Parallels Web Client
      • Main menu options
      • Running remote applications and desktops
        • Using drag and drop functionality
        • Native clipboard experience
        • Other useful features
      • Auto login
      • Direct App access
      • Using the toolbar
        • Using the toolbar on desktop computers
        • Using the Toolbar on Mobile Devices
        • Using the remote clipboard
        • Hiding toolbar items
    • Universal Printing
      • Managing Universal Printing Settings
      • Universal Printing drivers
      • Font management
    • Universal Scanning
      • Managing Universal Scanning
      • Adding scanning applications
    • User Device Management and Client Policies
      • Inviting users to connect to Parallels RAS
      • Mass configuring user devices
      • Enabling Help Desk support for users
      • Enabling Help Desk support for custom administrators
      • Monitoring devices
        • Getting additional device information
      • Windows device groups
      • Managing Widows devices
        • Windows desktop replacement
      • Scheduling Windows devices & groups power cycles
      • Client policies
        • Add a new client policy
        • Configure session settings
          • Appearance
          • Connection
          • Display
          • Printing
          • Scanning
          • Audio
          • Keyboard
          • Local devices and resources
          • Experience
          • Network
          • Server authentication
          • Advanced settings
        • Configure client policy options
        • Configure control settings
        • Configure Gateway redirection
        • Client policy backward compatibility
        • Policy information in Parallels Client
      • Configuring remote file transfer
        • Configure file transfer to a server
        • Configure file transfer in User Portal
        • Configure file transfer for a client policy
    • Reporting
      • System requirements
      • Install Microsoft SQL Server
        • Install Microsoft SQL Server 2016 or earlier
        • Install Microsoft SQL Server 2017 or 2019
        • Install Microsoft SQL Server 2022
      • Install Parallels RAS Reporting
      • Running Parallels RAS Reports
      • GDPR compliance
    • Performance monitor
      • Overview
      • Install RAS Performance Monitor
      • Using Parallels RAS Performance Monitor
      • Configure RAS Performance Monitor security
      • Updating RAS Performance Monitor
    • Common Management Tasks
      • Recovery – add a root administrator
      • Host name resolution
      • Computer management tools
      • Site information
      • Site settings
      • Using MSIX application packages
      • Using template versions
      • Settings audit
      • Upgrading RAS agents
      • Licensing
      • Configure HTTP proxy settings
      • System event notifications
        • Configuring notification handlers
        • Configuring notification scripts
        • Configuring SMTP server connection for event notifications
      • RAS session variables
      • Resolving z-order issues
      • Maintenance and backup
        • Importing and exporting Farm settings from the command line
      • Problem reporting and troubleshooting
      • Logging
      • Suggest a feature
    • Parallels RAS Management Portal
      • Overview
      • Prerequisites
      • Installation
      • Log in to RAS Management Portal
      • Configure RAS Web Administration Service
      • RAS Management Portal user interface
    • Parallels RAS APIs
      • RAS PowerShell API
      • RAS REST API
        • Installation
        • Permissions
        • Getting started
        • Logging in and sending requests
        • More information
      • RAS Web Client API and Parallels Client URL scheme
    • Appendix
      • Microsoft license requirements in Parallels RAS
      • Port reference
        • Parallels Client
        • Web browsers
        • HALB
        • RAS Secure Gateway
        • RAS Connection Broker
        • RAS Console
        • SSRS
        • RAS Reporting
        • RAS Web Administration Service (REST/Management Portal)
        • RAS PowerShell
        • RAS Provider Agent
        • RAS Enrollment Server
        • RAS RD Session Host Agent
        • RAS Guest Agent
        • RAS Remote PC Agent
        • Tenant Broker
        • Active Directory and Domain Services ports
        • Azure Virtual Desktop
      • RAS performance counters
Powered by GitBook

© 2025 Parallels International GmbH. All rights reserved.

On this page
  • Error messages
  • Pre HTML5 loading
  • Post HTML5 loading
  • Once an application or desktop is launched

Was this helpful?

Export as PDF
  1. Parallels RAS 20 Administrator’s Guide
  2. SAML SSO Authentication

Error messages

Error messages

Error messages appear in the web browser when something goes wrong with SAML SSO authentication.

Pre HTML5 loading

Error message
Notes

Unable to parse SAML Assertion

There was an error while parsing and validating the SAML Assertion. Further details can be found in HTML5 Logs.

Most common causes:

SAML Response is not valid for this audience: The most probable cause for this issue is having wrong configuration on the IDP, especially the Entity ID URL. The entity ID URL in the assertion will not match with the Entity ID provided in the SP SAML settings.

Expected 1 Assertion or 1 EncryptedAssertion; found 0: The Assertion / EncryptedAssertion tag was not found in the response. The Web Client will be expecting an encrypted assertion while the IDP is sending a non encrypted one. This can either be fixed by changing the IDP settings to send an encrypted assertion or tick the checkbox found in 'RAS Console > Connection > SAML > IDP Settings > Allow unencrypted assertion'

SAML Response is not yet valid: This might happen if the time of the server where RAS Gateway is installed is incorrect, for instance 4 seconds behind. In this case the assert will be created before actually trying to parse it.

SAML Response is no longer valid: This might happen if the time of the server where RAS Gateway is installed is incorrect. In case it's manually set in the future, assert might be seen as not valid anymore while trying to validate it.

SAML Assertion body is empty

SAML Assertion was not found in the response. Further details can be found in HTML5 Logs

Unable to create SAML logout request

There was an error while creating SAML logout request. Further details can be found in HTML5 Logs.

Unable to create SAML logout response

There was an error while creating logout response. Further details can be found in HTML5 Logs.

Post HTML5 loading

Error code
Error message
Notes

0x00000029

SAML IdP settings not found. IdP Id:'xxx'

Check the Identity Provider settings. Check if the IdP metadata are correctly imported.

0x0000002A

SAML IdP info keys loading failed. IdP Id:'xxx'

Check if the IdP certificate is present in the IdP settings.

0x0000002B

SAML Theme mismatch

Check if the theme is correctly set in the IdP settings.

0x0000002C

Logon using SAML failed. Error: 0x00001

See errors below

0x00000029

No Enrollment Sever available

Check Enrollment server(s) status

0x0000002A

Missing NLA User Configuration

Enter NLA User details

0x00000003

Logon using SAML failed. Error: Failed to match AD User. 0x00000006

Check if the Attributes settings are correct in the IdP properties.

0x00000003

Logon using SAML failed. Error: Failed to validate and decrypt the response. 0x00000009

Check if the IdP certificate is present in the IdP settings.

0x00000003

Logon using SAML failed. Error: Assertion not encrypted. 0x0000001C

Check if the IdP settings for the logon request are correct.

0x00000003

Logon using SAML failed. Error: Failed to decrypt the assertion. 0x0000001D

Check the SP certificate is correctly set in the IdP settings.

0x00000003

Logon using SAML failed. Error: Failed to verify assertion. 0x0000001F

Check if the IdP certificate is present in the IdP settings.

Once an application or desktop is launched

Error message
Description and reference

Invalid username or password

The user certificate is valid, but the domain controller did not accept it. Check the Kerberos logs on the domain controller.

The system could not log you on. Your credentials could not be verified.

Check connectivity with the domain controller and check that the appropriate certificates installed.

The request is not supported

The "Domain Controller" and "Domain Controller Authentication" certificates on Domain Controller require enrolling, even if they are already available.

The system could not log you on. The smartcard certificate used for authentication was not trusted.

The intermediate and root certificates are not installed on the machine where the error is shown. The CA root certificate and any intermediate certificates must be added to the "Trusted root certificates"in the local computer account.

You cannot logon because smart card logon is not supported for your account.

The user account has not been fully configured for smart card logon.

No valid smart card certificate could be found.

Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.

Bad Request

Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.

PreviousTest the SAML SSO deploymentNextParallels Web Client and User Portal

Was this helpful?