Vadim Gonzalez1709156204


Hi Guys,

We have Azure MFA and FAS configured for our External Store and we are now facing the following issue.

When you log on to a Windows 10 persistent desktop from an external network using MFA (and your Windows 10 VM is freshly booted), you cannot run Citrix applications published via the Start menu on this VM.

When one of the applications is Shared Desktop - you can see it is waiting for user credentials on the lock screen. 


I understand that ssonsvr.exe does not have user credentials to pass to the apps since FAS smart card emulation was used to log on.

If you initially logged on to your persistent desktop from the internal network (no FAS, no MFA), then when you reconnect back to your session from home (via the external store) you are still able to run Citrix applications from the Start menu.

Configuring the external (FAS enabled) store in Citrix components / Citrix receiver / Storefront for the affected desktops fixes this issue. However, that makes the whole setup more complicated.

Our idea was to use MFA/FAS only for the external store, and now by the look of it we have to enable it for the internal store.

Any suggestions, workarounds?

7.15 LTSR CU3,

Storefront 3.12




Link to comment

2 answers to this question


Got answer from Citrix.

Currently testing.



The behavior you are experiencing with the 2nd hop is by design.
We were able to replicate the same in our in-house environment.
In the VDA launched with FAS you have a Kerberos TGT, so you can perform Kerberos to citrix/PNOGRStoreweb to establish the user's groups, which can then be used for enumeration.
However, an interactive Windows session can only be authenticated using a password or smartcard, and the VDA (1st hop) has neither. Hence for the second hop launch you also need FAS.
Enable FAS for store https://xxxxx/citrix/xxxStore



Link to comment

Greetings, I am in the same boat as the original post here and am just looking for feedback from others on what they are doing!?!


We stood up a new External Storefront Store and enabled FAS so that external users could authenticate via our new SAML IDP + Netscaler Gateway -> Storefront and then launch their Virtual Desktops and Apps. This is working as expected.

BUT if a user tries to launch a Virtual App from within their Virtual Desktop that is configured to point to our internal Storefront Store (non-FAS-enabled site), it fails...


I've found that if I enable FAS on our internal Store, it works. But I don't really want to enable FAS internally; this would cause 95% of the connections that don't need FAS to be reliant on it now.

I have since created a new Internal Store that is FAS enabled and am pointing affected users (VDIs and Remote PC users) to this new store, but now I have 2 different Internal Stores I have to maintain for this and it's a major pain to try and automate pointing certain clients to a new Store. I can handle re-configuring our VDIs, but we also have Remote PC in the wild.


How is everyone else handling this? Bite the bullet and move everything (internal / external) to FAS enabled? 


Link to comment
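
The per-store FAS switch that both the Citrix reply and the dedicated-store workaround above depend on, as an added example that is not part of the original thread. It uses the StoreFront PowerShell SDK cmdlets from Citrix's FAS documentation; the store path `/Citrix/InternalFAS` is a hypothetical name for the second internal store, and it assumes the store already exists.

```powershell
# Added example: run in an elevated PowerShell session on the StoreFront server.
# '/Citrix/InternalFAS' is a hypothetical store path; substitute your own.
param(
    [string]$StoreVirtualPath = '/Citrix/InternalFAS',
    [switch]$Disable   # revert the store to password/standard logon data
)
$ErrorActionPreference = 'Stop'

Get-Module 'Citrix.StoreFront.*' -ListAvailable | Import-Module

# FAS is configured per store: only the store named here is changed,
# so an existing non-FAS internal store is left untouched.
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
if (-not $store) { throw "No store found at $StoreVirtualPath" }
$auth = Get-STFAuthenticationService -StoreService $store

if ($Disable) {
    # Back to the default claims factory and no FAS logon data provider.
    Set-STFClaimsFactoryNames -AuthenticationService $auth `
        -ClaimsFactoryName 'standardClaimsFactory'
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ''
}
else {
    # Use the FAS claims factory for this store's authentication service.
    Set-STFClaimsFactoryNames -AuthenticationService $auth `
        -ClaimsFactoryName 'FASClaimsFactory'
    # Have launches from this store carry FAS logon data to the VDA,
    # which is what the second-hop session needs in place of a password.
    Set-STFStoreLaunchOptions -StoreService $store `
        -VdaLogonDataProvider 'FASLogonDataProvider'
}

# Print the resulting settings so the change can be confirmed and recorded.
Get-STFClaimsFactoryNames -AuthenticationService $auth
Get-STFStoreLaunchOptions -StoreService $store
```

The FAS Group Policy (the FAS server list) must also apply to the StoreFront server and to the VDAs that host the second-hop sessions, otherwise launches from the FAS-enabled store fail.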
