Jump to content
Welcome to our new Citrix community!
  • 0

New FAS implementation SSO to VDA not working


Question

I followed the Carl's blog
https://www.carlstalhood.com/citrix-federated-authentication-service-saml

Though instead of doing SAML with Azure/Entra we're doing SAML with Duo.

The login to the URL going to the Citrix vServer on the netscaler works, and we're able to launch the VDA's but the VDA's then prompt for a username and password.

I've already checked the Duo KB's that Carl linked and ensured the EnableSmartCards reg is set to 1, WrapSmartCards is set to 0, and ProvidersWhitelist has the CitrixMirrorCredentialProvider GUID with brackets populated.  To rule it out I even uninstalled Duo for windows logon at one point to test.

 

On the CA I see FAS is requesting the smartcard certs, and confirmed the various event ID's are showing up with the sole exception being 204.

The Netscaler is on 13.0-92.21_nc_64

The FAS, StoreFront, Delivery Controller, and the VDA I'm focusing my testing on are on 2311.

The only error I'm seeing is the attached image.

 

I'm not sure which log I need to look at since that might point me in the right direction.

 

SmartCard-Error.png

Link to comment

11 answers to this question

Recommended Posts

  • 0

Hi,

 

Maybe you already checked this, but did you have a GPO applied to the VDA AND the FAS servers that they need to use FAS?

https://docs.citrix.com/en-us/federated-authentication-service/current-release/install-configure#configure-group-policy

Please check if the GPO is applied correctly in the registry: HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses

 

Do you see user certificates on the CA?

If that's not the case, please try to create a certificate using PowerShell: https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/ca-configuration#fas-server below is a example for just one user. 

Add-PSSnapin Citrix.A*
$rule = "default" # rule/role in your FAS admin console
$users = sjoerd@lab.newyard.online # test users
foreach ( $user in $users )
{
    $server = Get-FasServerForUser -UserPrincipalNames $user
    if( $server.Server -ne $NULL) {
        New-FasUserCertificate -Address $server.Server -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
    if( $server.Failover -ne $NULL) {
        New-FasUserCertificate -Address $server.Failover -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
}

 

Let me know the results.

Link to comment
  • 0

Reading that message carefully, it says 'no valid certificates found in this smartcard'.  To me, that suggests that is is requested the cert from the FAS server (hence the 'found in this smartcard' bit), but the certificate that has been issued by Duo is not valid for login to a Windows computer.

Link to comment
  • 0
7 hours ago, Sjoerd Van den Nieuwenhof said:

Hi,

 

Maybe you already checked this, but did you have a GPO applied to the VDA AND the FAS servers that they need to use FAS?

https://docs.citrix.com/en-us/federated-authentication-service/current-release/install-configure#configure-group-policy

Please check if the GPO is applied correctly in the registry: HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses

 

Do you see user certificates on the CA?

If that's not the case, please try to create a certificate using PowerShell: https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/ca-configuration#fas-server below is a example for just one user. 

Add-PSSnapin Citrix.A*
$rule = "default" # rule/role in your FAS admin console
$users = sjoerd@lab.newyard.online # test users
foreach ( $user in $users )
{
    $server = Get-FasServerForUser -UserPrincipalNames $user
    if( $server.Server -ne $NULL) {
        New-FasUserCertificate -Address $server.Server -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
    if( $server.Failover -ne $NULL) {
        New-FasUserCertificate -Address $server.Failover -UserPrincipalName $user -CertificateDefinition $rule"_Definition" -Rule $rule
    }
}

 

Let me know the results.

Yes I created the GPO to set the FAS server addresses.
The GPO is applying to the StoreFront servers, Delivery Controllers, FAS server, and all VDA's.
I confirmed on the VDA I'm experimenting with that the registry setting is there.

It's a single domain environment, and the FAS rule is set to allow all domain users for the user part, and all domain computers to the VDA part.

 

Yes on the CA I see the certs being generated.

I checked both
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses]

And

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix\Authentication\UserCredentialService\Addresses]

Link to comment
  • 0
2 hours ago, Michael Burnstead1709159565 said:

Reading that message carefully, it says 'no valid certificates found in this smartcard'.  To me, that suggests that is is requested the cert from the FAS server (hence the 'found in this smartcard' bit), but the certificate that has been issued by Duo is not valid for login to a Windows computer.

AFAIK Duo isn't issuing a cert, and as a test I at one point uninstalled Duo for the VDA and it didn't make any difference.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...