
Does FAS work when we install the "Kerberos Authentication" certificate on Domain Controllers instead of the older "Domain Controller Authentication" certificate?




We have a common SAML implementation using FAS for SSO. Nothing special, and that worked until we replaced the CA/PKI servers with new ones (for security reasons). After that the SSO did not work (though I reauthorized and configured FAS with the new CA servers).

Our whole environment is built with Citrix CVAD 1912 LTSR.

The Windows platform is running on the Server 2016 version.

However, what I see as an issue is that the "Domain Controller Authentication" certificate was still the old one (issued from the previous CA), and therefore I initiated the replacement of that certificate with a new one (issued from the new CA). That has not been done yet.

At this point I have a question:

- All Citrix articles point to the "Domain Controller Authentication" certificate (created using the Domain Controller Authentication template), which is the old-fashioned way and also not so secure these days. Microsoft recommends to us a newer template, based on Kerberos: "Kerberos Authentication".


The question is:

- Will such an AD certificate work with the FAS integration?

- My opinion is yes, as it contains the SmartCard Logon extension too, which is required for FAS. I don't have any opportunity to test it anywhere, unfortunately.


Thanks for your answer.


2 answers to this question


Hi Andrej,


Did you manage to test this configuration? We are currently deploying FAS for SAML auth, but we have created a new CA for the certificate authentication of sessions. Our domain controllers have certificates issued by a different CA. However, both CAs are signed by the same offline root.


This configuration appears to match the scenario that you have outlined. Are you able to share your experience?
