
Citrix FAS CA root domain


Björn Schläfli

Question

Our CA is installed in the root domain. Today certificates are published by CES (Certificate Enrollment Server). I've installed FAS in a child domain, which has a two-way trust to the root domain. In the FAS admin console the Publish and Authorize buttons are greyed out, as FAS is unable to find the CA. Is it possible to configure this and make it work in this construct, or do we have to install a separate issuing CA in the child domain, where the FAS server is a member?

Link to comment

4 answers to this question


  • 0

As far as I know, FAS and the CA must reside in the same forest, but it is not mandatory for them to be in the same domain. Therefore your design should be OK.

You say you have CES - be aware you need the AD CS role. You have to publish the RA certificate template to authorize the FAS server, and the template should have the Enroll permission for the FAS server computer account.

Link to comment
  • 0

I've configured the NTAuth store with the correct certificate and configured Read and Allowed to authenticate on the DC OU for the issuing CA server (which, besides, should not be necessary with a forest-wide trust as we have in our test environment). The Publish button is still greyed out: "No certificate authorities were found".

certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS has been set.

The root certificate of the child domain exists in the root domain.

 

Link to comment
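A way to check, from the FAS server, which enterprise CAs are published in the forest and whether they offer the templates discussed above. This is an added example, not part of the original posts and not Citrix tooling. It assumes the default FAS template names, which do not appear in the thread, and that enrollment goes to the CA over DCOM/RPC; it does not inspect template permissions.

```powershell
# Added example: run in PowerShell on the domain-joined FAS server.
param(
    # Assumption: default Citrix FAS template names; adjust if yours differ.
    [string[]]$RequiredTemplates = @(
        'Citrix_RegistrationAuthority_ManualAuthorization',
        'Citrix_RegistrationAuthority',
        'Citrix_SmartcardLogon')
)

# AD CS publishes enterprise CAs forest-wide in the Configuration partition.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$path     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher             = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$path
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'dnshostname', 'certificatetemplates'))

$cas = @($searcher.FindAll())
if ($cas.Count -eq 0) {
    # Nothing visible to this account: check read access on the container.
    Write-Warning "No pKIEnrollmentService objects readable under $path"
    return
}

foreach ($ca in $cas) {
    $caHost    = [string]($ca.Properties['dnshostname'] | Select-Object -First 1)
    # Templates this CA is configured to issue (may be empty).
    $published = @($ca.Properties['certificatetemplates'])
    $missing   = @($RequiredTemplates | Where-Object { $_ -notin $published })

    [pscustomobject]@{
        CA               = [string]($ca.Properties['cn'] | Select-Object -First 1)
        Host             = $caHost
        # TCP 135 = RPC endpoint mapper, needed for DCOM enrollment requests.
        RpcReachable     = Test-NetConnection -ComputerName $caHost -Port 135 -InformationLevel Quiet
        MissingTemplates = $missing -join ', '
    }
}
```

A CA that is listed but shows entries under MissingTemplates has not had those templates published to it; an empty result set points at directory visibility rather than at the templates.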
