Jump to content
Welcome to our new Citrix community!
  • 0

Impact of enabling FAS on internal Store

Christoph Sinabell




We have FAS up and running and enabled it on a secondary store (on the same StoreFronts) used just for external access, which work so far. However we really want to avoid a secondary store because it breaks with the idea of having a single FQDN for WorkspaceApp as external users are required to add https://my.company.com?ExternalStore, because WorkspaceApp will always want to add the store created first (which is the internal one - and that fails of course) and it's not possible to control it centrally.


So the question: What ist the possible impact? As far as I understood StoreFront will then issue a virtual SmartCard and the user will also be logged on via virtual Smartcard to the VDA if Username/Password is used. I am wondering if this also applies to Passthrough Authentication with Local Username & Password, since the password is supplied to the VDA via ssonsrv.exe


P.S.: We are already synching subscriptions between the two stores.



Link to comment

3 answers to this question

Recommended Posts

  • 0

Ah ok, I think I found one.


According to https://discussions.citrix.com/topic/404394-ssonsvrexe-and-fas/


The virtual smartcard logon will only result in a TGT on the VDA and thus allow users to authenticate to 2nd hops only using Kerberos. Which basically brings us back to the same issues we had with Kerberos Passthrough when a backend was only able to handle NTLM, or the user for. ex. used an IP with missing rDNS instead of DNS resolvable name and the user account would get locked out (besides not being able to access it).

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...