New FAS implementation SSO to VDA not working

Richard Harris1709162968 · February 14

I followed the Carl's blog
https://www.carlstalhood.com/citrix-federated-authentication-service-saml

Though instead of doing SAML with Azure/Entra we're doing SAML with Duo.

The login to the URL going to the Citrix vServer on the netscaler works, and we're able to launch the VDA's but the VDA's then prompt for a username and password.

I've already checked the Duo KB's that Carl linked and ensured the EnableSmartCards reg is set to 1, WrapSmartCards is set to 0, and ProvidersWhitelist has the CitrixMirrorCredentialProvider GUID with brackets populated. To rule it out I even uninstalled Duo for windows logon at one point to test.

On the CA I see FAS is requesting the smartcard certs, and confirmed the various event ID's are showing up with the sole exception being 204.

The Netscaler is on 13.0-92.21_nc_64

The FAS, StoreFront, Delivery Controller, and the VDA I'm focusing my testing on are on 2311.

The only error I'm seeing is the attached image.

I'm not sure which log I need to look at since that might point me in the right direction.

Sjoerd Van den Nieuwenhof · February 15

Hi,

You don't see any events in the eventviewer?

Take a look here:

https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/troubleshoot-logon.html

Richard Harris1709162968 · February 15

2 hours ago, Sjoerd Van den Nieuwenhof said:

Hi,

You don't see any events in the eventviewer?

Take a look here:

https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/troubleshoot-logon.html

I'll check through the info in that KB, thanks, I thought I had looked at some of it before, but just incase.

Richard Harris1709162968 · February 15

5 hours ago, Richard Harris1709162968 said:

I'll check through the info in that KB, thanks, I thought I had looked at some of it before, but just incase.

I checked the logs mentioned and didn't see anything that stood out.

It seems like the VDA is just not requesting the smartcard from the FAS.

Richard Harris1709162968 · February 15

BTW all of my testing so far is on a W2022 multi-user VDA, as it's not used much though all of the other more used VDA's are win10.

Sjoerd Van den Nieuwenhof · February 16

Hi,

Maybe you already checked this, but did you have a GPO applied to the VDA AND the FAS servers that they need to use FAS?

https://docs.citrix.com/en-us/federated-authentication-service/current-release/install-configure#configure-group-policy

Please check if the GPO is applied correctly in the registry: HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses

Do you see user certificates on the CA?

If that's not the case, please try to create a certificate using PowerShell: https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/ca-configuration#fas-server below is a example for just one user.

Add-PSSnapin Citrix.A*
$rule = "default" # rule/role in your FAS admin console
$users = sjoerd@lab.newyard.online # test users
foreach ( $user in $users )
{
    $server = Get-FasServerForUser -UserPrincipalNames $user
    if( $server.Server -ne $NULL) {
        New-FasUserCertificate -Address $server.Server -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
    if( $server.Failover -ne $NULL) {
        New-FasUserCertificate -Address $server.Failover -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
}

Let me know the results.

Mike_B · February 16

Reading that message carefully, it says 'no valid certificates found in this smartcard'. To me, that suggests that is is requested the cert from the FAS server (hence the 'found in this smartcard' bit), but the certificate that has been issued by Duo is not valid for login to a Windows computer.

Richard Harris1709162968 · February 16

7 hours ago, Sjoerd Van den Nieuwenhof said:
Hi,

Maybe you already checked this, but did you have a GPO applied to the VDA AND the FAS servers that they need to use FAS?

https://docs.citrix.com/en-us/federated-authentication-service/current-release/install-configure#configure-group-policy

Please check if the GPO is applied correctly in the registry: HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses

Do you see user certificates on the CA?

If that's not the case, please try to create a certificate using PowerShell: https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/ca-configuration#fas-server below is a example for just one user.
Add-PSSnapin Citrix.A*
$rule = "default" # rule/role in your FAS admin console
$users = sjoerd@lab.newyard.online # test users
foreach ( $user in $users )
{
    $server = Get-FasServerForUser -UserPrincipalNames $user
    if( $server.Server -ne $NULL) {
        New-FasUserCertificate -Address $server.Server -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
    if( $server.Failover -ne $NULL) {
        New-FasUserCertificate -Address $server.Failover -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
}
Let me know the results.

Yes I created the GPO to set the FAS server addresses.
The GPO is applying to the StoreFront servers, Delivery Controllers, FAS server, and all VDA's.
I confirmed on the VDA I'm experimenting with that the registry setting is there.

It's a single domain environment, and the FAS rule is set to allow all domain users for the user part, and all domain computers to the VDA part.

Yes on the CA I see the certs being generated.

I checked both
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses]

And

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\Authentication\UserCredentialService\Addresses]

Richard Harris1709162968 · February 16

2 hours ago, Michael Burnstead1709159565 said:

Reading that message carefully, it says 'no valid certificates found in this smartcard'. To me, that suggests that is is requested the cert from the FAS server (hence the 'found in this smartcard' bit), but the certificate that has been issued by Duo is not valid for login to a Windows computer.

AFAIK Duo isn't issuing a cert, and as a test I at one point uninstalled Duo for the VDA and it didn't make any difference.

Richard Harris1709162968 · February 19

Well I found that that error was a red herring, the YubiKey I use to sign into my laptop was getting passed through to the VDI, so I'm seeing two SmartCard entries one says insert smartcard the other is the one I put the screenshot of above.

Richard Harris1709162968 · February 23

Well now I think I have egg on my face, I had set a GPO to set fPromptForPassword to 0, but seems there was another GPO setting it to 1.

Found the issue and it's working now.

After more testing that only resolved it for the multi-user VDA, the single user VDA's (the more used in this environment) is still prompting for password.

Richard Harris1709162968 · March 12

Well the Single user VDA's still aren't SSO'ing in, but the Multi-USER vda is.

New FAS implementation SSO to VDA not working

Question

Link to comment

11 answers to this question

Recommended Posts

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Link to comment

Create an account or sign in to comment

Create an account

Sign in