
VDA not requesting FAS certificate


Cathy Leik

Question

New Citrix Virtual Apps/Desktops Service setup. OnPrem VDAs and FAS. Login to Citrix Workspace with Azure AD credentials (OnPrem AD synced) works fine. Launch VDA (2006) and it stops at the login screen. No events for FAS in the VDA event log at all. On the FAS server we see the smart card certificate has been issued to the user. Wireshark shows no communication between VDA and FAS server during VDA login process.

Any ideas why the VDA would not be requesting the certificate from FAS?


17 answers to this question


The first entry that seems related, as it mentions the smartcard hook, is shown in the attached screenshot.

It's followed by entries similar to the one below, which state that revocation checking on the Citrix certificates is failing. I saw in your documentation that you can add a registry key to force the VDA not to check revocation, which I did, but it didn't change the behavior. I am going back to check the log again and make sure that setting stuck. This is in a locked-down DISA STIG type environment.

 

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          10/28/2020 4:03:48 PM
Event ID:      11
Task Category: Build Chain
Level:         Error
Keywords:      Path Discovery,Path Validation
User:          SYSTEM
Computer:      CXVDGEN02.Pokagon.local
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2020-10-28T20:03:48.060148400Z" />
    <EventRecordID>19515</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="4384" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>CXVDGEN02.Pokagon.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="2908C28459156C754876A9233462C6581600B535.cer" subjectName="Citrix Systems, Inc." />
      <ValidationTime>2020-05-29T01:20:49Z</ValidationTime>
      <AdditionalStore>
        <Certificate fileRef="2908C28459156C754876A9233462C6581600B535.cer" subjectName="Citrix Systems, Inc." />
        <Certificate fileRef="BA3EA54D72C145D37C255E1EA40AFBC63348B96E.cer" subjectName="DigiCert Assured ID Root CA" />
        <Certificate fileRef="92C1588E85AF2201CE7915E8538B492F605B80C6.cer" subjectName="DigiCert SHA2 Assured ID Code Signing CA" />
        <Certificate fileRef="3BA63A6E4841355772DEBEF9CDCF4D5AF353A297.cer" subjectName="DigiCert SHA2 Assured ID Timestamping CA" />
        <Certificate fileRef="7B8507AD76254C782E5194C06320DE7793FBCF34.cer" subjectName="Citrix Timestamp Responder" />
      </AdditionalStore>
      <ExtendedKeyUsage>
        <Usage oid="1.3.6.1.5.5.7.3.3" name="Code Signing" />
      </ExtendedKeyUsage>
      <Flags value="A8000005" CERT_CHAIN_CACHE_END_CERT="true" CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL="true" CERT_CHAIN_REVOCATION_CHECK_CHAIN="true" CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY="true" CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT="true" />
      <ChainEngineInfo context="user" />
      <CertificateChain chainRef="{19894623-0440-46CB-904D-EB003F20EEC9}">
        <TrustStatus>
          <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
          <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="2908C28459156C754876A9233462C6581600B535.cer" subjectName="Citrix Systems, Inc." />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.11" hashName="SHA256" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
          <TrustStatus>
            <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
            <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.5.5.7.3.3" name="Code Signing" />
          </ApplicationUsage>
          <IssuanceUsage />
          <RevocationInfo>
            <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
          </RevocationInfo>
        </ChainElement>
        <ChainElement>
          <Certificate fileRef="92C1588E85AF2201CE7915E8538B492F605B80C6.cer" subjectName="DigiCert SHA2 Assured ID Code Signing CA" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.11" hashName="SHA256" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
          <TrustStatus>
            <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
            <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.5.5.7.3.3" name="Code Signing" />
          </ApplicationUsage>
          <IssuanceUsage>
            <Usage oid="2.16.840.1.114412.0.2.4" />
            <Usage oid="2.16.840.1.114412.3" />
          </IssuanceUsage>
          <RevocationInfo>
            <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>

CAPI2Log1.png


I've had a ticket open with Citrix support for 2 weeks and they have not figured out the issue yet.  There is no communication from the VDA to the FAS server.  I've checked that it can resolve the name, has the GPO applied for the FAS server FQDN, and can contact FAS on port 80.  Not sure what else to check.

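The checks listed in the post above (name resolution, the FAS GPO, port 80 reachability) and the CAPI2 revocation errors from the earlier post can be run in one pass on the VDA. The script below is an added example written for this thread; it is not code from Citrix or from any poster. The FAS server name is a placeholder you supply, and the policy registry path is an assumption taken from the Citrix FAS Group Policy template, so verify it against the documentation for your VDA version. Run it in an elevated PowerShell session on the VDA.

```powershell
<#
  Added diagnostic example for this thread (not Citrix code).
  Usage: .\Test-FasVdaPrereqs.ps1 -FasServerFqdn fas01.example.local
  The FQDN above is a placeholder; use your own FAS server name.
#>
param(
    [Parameter(Mandatory)] [string]$FasServerFqdn,
    [int]$FasPort = 80,
    [int]$LookbackHours = 24
)

$results = [ordered]@{}

# 1. Can the VDA resolve the FAS server name?
try {
    $ips = (Resolve-DnsName -Name $FasServerFqdn -Type A -ErrorAction Stop).IPAddress
    $results['DNS resolution'] = "OK ($($ips -join ', '))"
} catch {
    $results['DNS resolution'] = "FAIL: $($_.Exception.Message)"
}

# 2. Can it open a TCP connection to the FAS port (the thread tests port 80)?
$tcp = Test-NetConnection -ComputerName $FasServerFqdn -Port $FasPort -WarningAction SilentlyContinue
$results["TCP $FasPort reachable"] = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }

# 3. Has the FAS GPO actually been applied on this VDA?
#    Assumption: the Citrix FAS policy template stores the server list as
#    Address1, Address2, ... under this key. Verify the path in the Citrix docs.
$gpoPath = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'
if (Test-Path $gpoPath) {
    $addresses = (Get-ItemProperty -Path $gpoPath).PSObject.Properties |
        Where-Object { $_.Name -like 'Address*' } |
        ForEach-Object { $_.Value }
    $results['FAS GPO address list'] =
        if ($addresses -contains $FasServerFqdn) { "OK ($($addresses -join ', '))" }
        else { "MISMATCH: $($addresses -join ', ')" }
} else {
    $results['FAS GPO address list'] = 'FAIL: policy key absent (GPO not applied?)'
}

# 4. CAPI2 event 11 chain-building failures whose revocation result is
#    0x80092013 ("revocation server was offline"), as in the event posted above.
#    The CAPI2 Operational log is disabled by default; enable it in Event Viewer
#    before reproducing a logon, or this query returns nothing.
$since = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 11
    StartTime = $since
} -ErrorAction SilentlyContinue

$offline = foreach ($ev in @($events)) {
    [xml]$x = $ev.ToXml()
    # Each ChainElement carries one Certificate and, optionally, a RevocationInfo.
    foreach ($el in $x.GetElementsByTagName('ChainElement')) {
        $rr = $el.GetElementsByTagName('RevocationResult') | Select-Object -First 1
        if ($rr -and $rr.GetAttribute('value') -eq '80092013') {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Subject = $el.GetElementsByTagName('Certificate')[0].GetAttribute('subjectName')
                Result  = $rr.InnerText
            }
        }
    }
}
$results['CAPI2 revocation-offline chain elements'] = "$(@($offline).Count) since $since"

# Summary table first, then the certificates that could not be revocation-checked.
$results.GetEnumerator() | Format-Table Key, Value -AutoSize
$offline | Sort-Object Time | Format-Table Time, Subject, Result -AutoSize
```

Two things the script cannot tell you are worth reading off the posted event by hand. Its Flags element has CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL and CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY set, so that particular chain build was never going to contact a CRL or OCSP server; on an isolated network an empty CRL cache yields exactly the "revocation server was offline" status. The chain being validated is the "Citrix Systems, Inc." code-signing certificate (the ExtendedKeyUsage is Code Signing), so the event describes signature verification of a Citrix binary, not a logon certificate request to FAS. The script also cannot check the Citrix Cloud side: whether FAS is enabled under Workspace Configuration > Authentication and registered in Resource Locations is only visible in the cloud portal.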
On 11/10/2020 at 5:07 AM, Cathy Leik said:

I've had a ticket open with Citrix support for 2 weeks and they have not figured out the issue yet.  There is no communication from the VDA to the FAS server.  I've checked that it can resolve the name, has the GPO applied for the FAS server FQDN, and can contact FAS on port 80.  Not sure what else to check.

Did you end up resolving this issue Cathy? I am running into the same issue and am stumped. Thanks!


I have the same issue. I am using Citrix Cloud with On-Premises VDA. FAS is configured with Citrix Cloud. FAS-GPO is configured. Login stops and asks for username and password. In my case the FAS server does not even know about the login process. I know that in On-Premises environments FAS configuration and a StoreFront configuration have to be done. But with Citrix Cloud, where should I configure the Citrix Workspace?

On 10/6/2022 at 11:22 AM, Oliver Wöll said:

I have the same issue. I am using Citrix Cloud with On-Premises VDA. FAS is configured with Citrix Cloud. FAS-GPO is configured. Login stops and asks for username and password. In my case the FAS server does not even know about the login process. I know that in On-Premises environments FAS configuration and a StoreFront configuration have to be done. But with Citrix Cloud, where should I configure the Citrix Workspace?

Did you add the FAS server in "Resource Locations" and "Workspace Configuration"?

On 10/19/2022 at 10:03 PM, Martinho Hinterholz1709157929 said:

Did you add the FAS server in "Resource Locations" and "Workspace Configuration"?

Nicely spotted. I can confirm that in my case the whole FAS setup was done and it did not work (nothing was even hitting the FAS servers). Enabling "Federated Authentication Service" in [Cloud Portal] Home -> Workspace Configuration -> Authentication by switching it to "FAS is enabled" resolved the issue. Everything is working fine now.
