
Is an internal Microsoft certificate authority a must?

Golan Nave1709152881



Good morning all,

I am currently doing some internal testing to leverage Citrix ADC with Azure multi-factor authentication.

I have managed to configure the ADC with Azure as the SAML IdP and can log in to StoreFront and launch a Desktop/App. The issue is I am seeing a Windows domain login after the app/desktop launches.

My understanding is that the only way to resolve this is to deploy FAS to tie in the SAML and internal authentication.

In all the Citrix documentation, I see that an internal Microsoft CA is a must for this solution to work.

Over the years, I have tried to avoid deploying an internal CA for apparent reasons.

The question now: is an internal CA a must for FAS to work? Is there a different way to leverage Azure MFA with Citrix ADC?

Any issues or pitfalls I should be aware of?

Stay Safe.


2 answers to this question


Citrix FAS programmatically uses the Enterprise CA to generate smart card certificates for each user that logs in. The Domain Controllers trust the certificates generated by the Enterprise CA. I don't think FAS can use any other type of CA. https://docs.citrix.com/en-us/federated-authentication-service/config-manage/ca-configuration.html


When installing Microsoft CA, you can remove all Certificate Templates except the ones that FAS requires. Just make sure the Domain Controllers also have certificates.

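As an added illustration (not code from the original post, from Citrix, or from Microsoft), the following PowerShell audits the two prerequisites the answer above describes: which templates the Enterprise CA publishes versus the ones FAS needs, and whether the domain controller holds a certificate it can present during smart card logon. The three `Citrix_*` names are the default templates the FAS configuration tool creates and are assumed not to have been renamed; `KerberosAuthentication` is my assumed choice of template for the DC certificate; `Remove-CATemplate` is run with `-WhatIf`, so nothing is unpublished until you drop that switch.

```powershell
# Added example, not from the original post or the Citrix docs. Run the template
# audit on the Enterprise CA host and the certificate check on a domain controller.
#Requires -RunAsAdministrator

# Default template names created by the FAS configuration tool (assumption:
# they were not renamed in your deployment).
$fasTemplates = @(
    'Citrix_RegistrationAuthority_ManualAuthorization',
    'Citrix_RegistrationAuthority',
    'Citrix_SmartcardLogon'
)
# Template assumed here for the domain controllers' own certificate; the built-in
# "Domain Controller Authentication" template would also satisfy the check below.
$dcTemplates = @('KerberosAuthentication')
$required = $fasTemplates + $dcTemplates

function Test-FasCaTemplates {
    # Needs the ADCSAdministration module, installed with the AD CS role.
    Import-Module ADCSAdministration -ErrorAction Stop
    $published = (Get-CATemplate).Name

    $missing = $required | Where-Object { $_ -notin $published }
    if ($missing) {
        Write-Warning "Required templates not published on this CA: $($missing -join ', ')"
    }

    # Everything else is issuance surface FAS does not need. Keep -WhatIf until you
    # have confirmed no other workload (web servers, 802.1X, etc.) depends on it.
    foreach ($t in ($published | Where-Object { $_ -notin $required })) {
        Write-Host "Not needed for FAS: $t"
        Remove-CATemplate -Name $t -Force -WhatIf
    }
}

function Test-DcLogonCertificate {
    # Smart card logon needs the KDC to present a certificate carrying the
    # Server Authentication EKU. The Kerberos Authentication template also adds
    # the KDC Authentication EKU, which strict KDC validation on clients requires.
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $kdcAuth    = '1.3.6.1.5.2.3.5'

    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth
    }
    if (-not $certs) {
        Write-Warning "No valid Server Authentication certificate in the DC machine store; enroll one from the Enterprise CA."
        return $false
    }
    foreach ($c in $certs) {
        $hasKdc = $c.EnhancedKeyUsageList.ObjectId -contains $kdcAuth
        Write-Host ("{0}  issued by {1}  expires {2:yyyy-MM-dd}  KDC Authentication EKU: {3}" -f
            $c.Thumbprint, $c.Issuer, $c.NotAfter, $hasKdc)
    }
    return $true
}

Test-FasCaTemplates
Test-DcLogonCertificate
```

Why the template pruning matters beyond tidiness: once FAS holds a registration authority certificate, the FAS server can obtain smart card logon certificates on behalf of users without their credentials, so the Enterprise CA is effectively being trusted for domain logon. Publishing only the templates FAS and the domain controllers need, and treating the CA and FAS hosts with domain-controller-grade hardening, keeps that trust as narrow as the design allows.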
