FAS Passthrough (SSO) authentication failing for published apps

Derek Benak


I have users logging into a published desktop; from there, they have a few published applications running from other servers in the domain. When the application is launched, they get "user name or password incorrect" and are then prompted to log in. If they log in, the application works fine.


This has been an issue since we implemented FAS.

I have checked the FAS server setup. The StoreFront servers are listed as authorized in the rule, and all users and VDAs are allowed.

The GPO is set to point to the FAS server and applied to the published desktops and application servers. I verified the setting is present in the registry.

RDS setting "Always prompt for password upon connection" is disabled.

No FAS errors are observed in the logs.

The Store on the StoreFront server that FAS is set up for (the published desktop) has been configured for FASClaimsFactory and FASLogonDataProvider.


Edit: We are using certificate-based authentication, if that helps.


I feel like I am missing something in the configuration. Any suggestions where to look next are appreciated.


3 answers to this question

Could it be that a certificate in the FAS certificate chain is not trusted by your domain controller?

I had a similar issue in the past, where the CA issuing the FAS certificate was not added to the NTAuth trusted store on the DC.

On 7/6/2023 at 1:35 PM, Derek Benak said:

Turns out this is how it works in a double hop situation. I would need to enable FAS for all my storefronts to make it work the way I am hoping for.


Can you elaborate on what you mean by this? I have your original problem listed to a T. I have two stores on my StoreFront server - one for Desktops and one for Apps. I have FAS enabled on my Apps store. Are you saying FAS would need to be enabled on the Desktop store as well to work?


I can launch the published app outside of a double hop scenario with FAS just fine.
