Jump to content
Welcome to our new Citrix community!

Failed to launch resource x using the Citrix XML Service at address '??' (GW/FAS/AzureAD)

Kari Ruissalo

Recommended Posts

We have build a federated authentication to an environment using Azure AD as SAML2 IdP.

We're able to get all the way to the StoreFront view and see the published applications and desktops.


When user tries launching an application, we get the following event in the StoreFront logs (Event Id 28):


"Failed to launch the resource 'x' using the Citrix XML Service at address '??'. It was not possible to select a Federated Authentication Service.
Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider.Diagnostics.FasException, Citrix.DeliveryServices.FederatedAuthenticationService.VdaLogonDataProvider, Version=, Culture=neutral, PublicKeyToken=null
It was not possible to select a Federated Authentication Service."


I have already checked the following:
- FAS GPO is hitting StoreFronts, Controllers and VDAs (and the value is shown properly in registry)
- StoreFront is able to resolve FAS IP addresses
- The powershell commands for StoreFront have been ran (FASClaimsFactory, FASLogonDataProvider)
- The Citrix Site setting TrustRequestsSenttoTheXMLServicePort is set to true
- The FAS certificate templates have been installed to AD, published and both of the FAS servers have been authorized
- In the FAS rule I have set it with defaults (name: Default, for Access Control I have added the StoreFront computer accounts and removed the deny rule)
- I have verified that the user has UPN defined (in local AD), https://support.citrix.com/article/CTX220682 -> Solution 1

Link to comment
Share on other sites

5 hours ago, Ganesh Raju said:

Do we have multiple FAS server in your environments? if so, is same GPO applied to VDA and StoreFront? Is FAS FQDN correctly in the GPO/registry?


We have two FAS servers and they are configured in the GPO. The same GPO has been applied to VDA and StoreFront.


And they show properly in the registry.

Link to comment
Share on other sites

  • 1 year later...
On 3/24/2020 at 12:09 AM, Kari Ruissalo said:

Hi Ganesh,


We actually found the issue and got this working. A set of IPSec rules was applied to the FAS servers. The error message was a bit misleading as it easily leads to a conclusion that the XML servers cannot be reached.

What was applying the IPSec rule?  Something unrelated to Citrix?

Link to comment
Share on other sites

  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...