  • Seamless SSO Login to Citrix Session Using FAS on VDA


    cugcblogs

    by Uddave Jajoo, Indianapolis CUGC Leader

    Contents:

    • Introduction to FAS
    • Configure FAS
    • Configure FAS locally on VDA

    Introduction to FAS

    FAS is one of the new components developed by Citrix to allow users to authenticate seamlessly in their Citrix environment by interacting with an Active Directory Certificate Authority (CA). I would like to keep this blog short and talk only about how to implement FAS on your Citrix VDAs.

     

    A detailed explanation of the architecture and how it works can be found here – Citrix FAS Architecture

    Configure FAS

    Follow the Citrix docs to install and configure FAS in your environment; it is a pretty straightforward guide on how to configure FAS and connect it to the resource location in the Citrix Cloud console.

    Install and Configure FAS

    Install the FAS servers, point them to the PKI servers for publishing the user certificates on logon, and add them to the resource location.

    Configure FAS Locally on VDA

    After installing the FAS servers, admins need to make some changes locally on the VDA to allow users to authenticate using smart card logon. Implement the group policy on the VDA that points to the FAS servers added to the respective resource location. There are different ways to implement this setting on the VDA.

    Using Group Policy – Follow Configure Group Policy

     

    Local Registry Edit – Open the registry on the VDA and run the script below to add the FAS server entries.

    $Address1 and $Address2 are the FQDNs of the FAS servers.

    Example – $Address1 = FASserver1.udjajoo.com, $Address2 = FASServer2.udjajoo.com

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    # FQDNs of the FAS servers for this resource location (example values from above)
    $Address1 = "FASserver1.udjajoo.com"
    $Address2 = "FASServer2.udjajoo.com"

    # Create the policy key path, then write one value per FAS server
    New-Item -Path "HKLM:\Software\Policies\Citrix" -Name "Authentication" -Force
    New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication" -Name "UserCredentialService" -Force
    New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService" -Name "Addresses" -Force
    Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address1 -Value $Address1
    Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address2 -Value $Address2

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    With this registry key configuration on the VDA, admins can easily point it to the FAS servers required for a specific resource location. Where there are multiple resource locations (different regional domains) with different FAS servers tied to each one, use the script function below and run it locally on the VDA. This script block can be integrated into your post-image-build scripts and executed remotely against persistent VDAs.


    # First label of the machine's domain name, e.g. "z3" from z3.udjajoo.com
    $DomainName = (Get-CimInstance Win32_ComputerSystem).Domain.Split(".")[0]

    Function Config-FASServer() {
        Try {
            # Make registry cmdlet failures terminating so the Catch block actually runs
            $ErrorActionPreference = "Stop"
            Write-Host "Setting FAS servers for the machine based on its domain" -ForegroundColor Magenta

            # Each branch lists the FAS servers of the machine's own domain first,
            # followed by those of the other domains (switch matching is case-insensitive)
            switch ($DomainName) {
                "Z3" {
                    $Address1 = "Z3FASServer1.z3.udjajoo.com"
                    $Address2 = "Z3FASServer2.z3.udjajoo.com"
                    $Address3 = "Z2FASServer1.z2.udjajoo.com"
                    $Address4 = "Z2FASServer2.z2.udjajoo.com"
                    $Address5 = "Z1FASServer1.z1.udjajoo.com"
                    $Address6 = "Z1FASServer2.z1.udjajoo.com"
                }
                "Z2" {
                    $Address1 = "Z2FASServer1.z2.udjajoo.com"
                    $Address2 = "Z2FASServer2.z2.udjajoo.com"
                    $Address3 = "Z1FASserver1.z1.udjajoo.com"
                    $Address4 = "Z1FASserver2.z1.udjajoo.com"
                    $Address5 = "Z3FASServer1.z3.udjajoo.com"
                    $Address6 = "Z3FASServer2.z3.udjajoo.com"
                }
                Default {
                    $Address1 = "Z1FASserver1.z1.udjajoo.com"
                    $Address2 = "Z1FASserver2.z1.udjajoo.com"
                    $Address3 = "Z2FASServer1.z2.udjajoo.com"
                    $Address4 = "Z2FASServer2.z2.udjajoo.com"
                    $Address5 = "Z3FASServer1.z3.udjajoo.com"
                    $Address6 = "Z3FASServer2.z3.udjajoo.com"
                }
            }

            # Create the policy key path, then write one value per FAS server
            New-Item -Path "HKLM:\Software\Policies\Citrix" -Name "Authentication" -Force
            New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication" -Name "UserCredentialService" -Force
            New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService" -Name "Addresses" -Force
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address1 -Value $Address1
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address2 -Value $Address2
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address3 -Value $Address3
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address4 -Value $Address4
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address5 -Value $Address5
            Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address6 -Value $Address6
        }
        Catch {
            Write-Host "An error occurred: $_ `n`r" -ForegroundColor Red
            # $CTXResealLog is expected to be set by the calling image-build script
            if ($CTXResealLog) { "An error occurred: $_" | Out-File $CTXResealLog -Append }
        }
    }

    Config-FASServer
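
    The address list written above decides which FAS servers the VDA will use, so it is worth reading it back after image build and comparing it with the servers you expect. The following is an added example, not part of the original post: the helper names Get-FasAddressesFromRegistry and Test-FasAddressList are hypothetical, and the allow-list simply reuses the sample host names from this article.

```powershell
# Added example: audit the FAS address list a VDA is configured with.
# The allow-list reuses this article's sample host names (assumption: replace with your own).
$ExpectedFas = @(
    'Z1FASserver1.z1.udjajoo.com', 'Z1FASserver2.z1.udjajoo.com',
    'Z2FASServer1.z2.udjajoo.com', 'Z2FASServer2.z2.udjajoo.com',
    'Z3FASServer1.z3.udjajoo.com', 'Z3FASServer2.z3.udjajoo.com'
)
$AddressKey = 'HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses'

# Hypothetical helper: collect every AddressN value under the policy key into a hashtable.
function Get-FasAddressesFromRegistry {
    param([string]$Path = $AddressKey)
    $found = @{}
    if (Test-Path -Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            if ($p.Name -match '^Address\d+$') { $found[$p.Name] = [string]$p.Value }
        }
    }
    return $found
}

# Hypothetical helper: flag empty, duplicated or unexpected entries (comparisons ignore case).
function Test-FasAddressList {
    param([hashtable]$Addresses, [string[]]$AllowList)
    if (-not $Addresses -or $Addresses.Count -eq 0) {
        return [pscustomobject]@{ Name = '(none)'; Value = ''; Finding = 'NoAddressesConfigured' }
    }
    $seen = @{}
    foreach ($name in ($Addresses.Keys | Sort-Object)) {
        $value = ([string]$Addresses[$name]).Trim()
        if (-not $value)                        { $finding = 'Empty' }
        elseif ($AllowList -notcontains $value) { $finding = 'NotInAllowList' }
        elseif ($seen.ContainsKey($value))      { $finding = "DuplicateOf $($seen[$value])" }
        else                                    { $finding = 'OK'; $seen[$value] = $name }
        [pscustomobject]@{ Name = $name; Value = $value; Finding = $finding }
    }
}

# Constructed sample: one duplicated server and one host that is not a known FAS server.
$sample = @{
    Address1 = 'Z3FASServer1.z3.udjajoo.com'
    Address2 = 'Z3FASServer1.z3.udjajoo.com'
    Address3 = 'fas.unknown.example'
}
Test-FasAddressList -Addresses $sample -AllowList $ExpectedFas | Format-Table -AutoSize

# On a VDA, audit the live configuration instead:
# Test-FasAddressList -Addresses (Get-FasAddressesFromRegistry) -AllowList $ExpectedFas
```

    Any row whose Finding is not OK means the VDA's list differs from the intended set of FAS servers and should be corrected before the image is sealed.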

     
