Deployment Guide: Citrix Federated Authentication Service and Sectigo MS Agent

Overview

Sectigo Certificate Manager (SCM) is a universal platform purpose-built to issue and manage the lifecycles of digital certificates. SCM secures every user and machine identity across your enterprise, all from a single interface.
With SCM, you can automate the issuance and management of Sectigo certificates alongside certificates from other publicly trusted Certificate Authorities (CAs) and private CAs, including Microsoft ADCS, Google Cloud Platform (GCP), and AWS Cloud Services.

For certificate discovery and enrollment, Sectigo MS agents are installed on Active Directory servers. SCM uses MS agents to do the following:

• Discover Certificates - An agent installed on a domain-joined Windows server can discover assets such as web servers, domains, and certificates in Active Directory.
• Proxy MS Enrollment Protocols to SCM - An agent installed on a domain-joined Windows server can act as a proxy to issue private and public certificates by using MS AD certificate templates mapped to SCM certificate profiles.

As a redundancy measure, SCM enables you to create clusters of MS agents installed on different servers to act as a single agent. If any agent fails, the other agents in the cluster seamlessly continue certificate discovery and enrollment.

Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card.
This allows StoreFront to use a broader range of authentication options, such as Security Assertion Markup Language (SAML) assertions. SAML is commonly used as an alternative to traditional Windows user accounts on the Internet.

Architecture Diagram

Installation

Prerequisites

• A Microsoft Windows Server 2019 or Microsoft Windows Server 2022.
• An Active Directory Domain Controller (DC).
• An Active Sectigo Certificate Manager Account (SCM)
  • An organization created in SCM.
  • Private CA back-end enabled.
  • MS Agent enabled.
• A Sectigo MS Agent installed on the Active Directory DC or a Domain Server.
• It is recommended that when configuring Citrix FAS, the rule is called default and not something arbitrary, as this is what Citrix Cloud will use to contact the Citrix FAS server.
• The Sectigo CA certificate must be trusted by the Domain Controller (the CA that will be generating the end-user certificates must be trusted by the domain in which those certificates use. As described in this article).

MS Agent Installation

An administrator with the Master Registration Authority Officer (MRAO) role can manage MS agents using the Integrations > MS Agents page on SCM.

Refer to the Sectigo Certificate Manager Administrator’s Guide for the MS Agent installation requirements.

Citrix FAS Installation

For security, Citrix recommends installing the Federated Authentication Service (FAS) on a dedicated server secured to a Domain Controller or Certificate Authority. Citrix FAS can be installed from either:

• The Citrix Virtual Apps and Desktops installer (from the Federated Authentication Service button on the autorun splash screen when the ISO is inserted), or
• A Stand-alone FAS installer file available as an MSI file on Citrix Downloads

Citrix FAS Configuration with MS Agent

Citrix FAS Administration Console:

• You must be running as a Domain User who is a Local Administrator. You have to select Run as administrator, depending on your Windows settings.
• Many steps here can be performed from the Citrix FAS administration console. This is a simple GUI that is sufficient for most customers' needs. It is typically installed at C:\Program Files\Citrix\Federated Authentication Service\fasadminconsole.exe
• The Citrix FAS Console polls the Citrix FAS servers every 2 seconds to obtain its latest configuration; it can be helpful to leave the Citrix FAS Administration console open even when using PowerShell cmdlets.

NOTE: The first two steps in the Citrix FAS Administration console which involve communication with AD, are only updated if you click Refresh in the top right.

1. Deploy Certificate Templates. Select Deploy to deploy the following three certificate templates to AD:

   • Citrix_RegistrationAuthority_ManualAuthorization
   • Citrix_RegistrationAuthority
   • Citrix_SmartcardLogon

2. Set up a Certificate Authority. This template requires the CA administrator's approval.

   • Navigate to Server Manager > Tools > Certificate Authority > Certificate Templates > Manage > Citrix_RegistrationAuthority_ManualAuthorization.
   • Check CA Certificate Manager Approval and Click OK.

   

   Once FAS obtains a certificate with this template, it immediately uses it as an authorization to request a certificate with Citrix_RegistrationAuthority. The Citrix_RegisrationAuthority_ManualAuthorization certificate is then deleted. This two-stage authorization flow is intended to support the automatic renewal of the RA certificate, but this feature still must be implemented. Citrix_RegistrationAuthority is the RA certificate template that authorizes Citrix FAS to act as an RA.

   It has the following Extended Key Usage:

   

3. Configure Citrix_SmartcardLogon

   • Citrix FAS uses this template to generate user certificates "on-the-fly" so that Citrix FAS can perform a single sign-on for the user.

   • Its issuance requirements specify an RA certificate as an authorization.

     

   • The templates can be customized, and it's also possible to configure Citrix FAS with an RA certificate without using the following templates.

     

Disabling AD Integration

By default, the Citrix_SmartcardLogon template instructs the CA to query AD to populate fields in the certificate. However, Citrix FAS supplies enough information in the certificate request that it's possible to change this setting to Supply in the request. This way, the CA would not need to query AD.

NOTE: FAS does not read the templates.

• When creating a certificate request, the template's name is part of the request.
• However, FAS does not read the templates. For example, the key length to use is part of FAS's configuration. FAS does not read the minimum key size from the template.

Authorize this service

To configure FAS with an RA certificate:

1. From the Citrix FAS Administration Console click Authorize.

Note: To remove an authorization click Deauthorize.

1. The CA administrator approves the request by going to Server Manager > Tools > Certification Authority > Pending. FAS polls the CA awaiting a response, and the FAS admin console shows a spinner while the request is still pending.

2. The CA Administrator right-clicks the pending request and selects Approve to issue the RA certificate.

3. The Citrix FAS Administration Console shows the service as Authorized.

Create a Rule

Once you have configured FAS with an RA certificate, complete the rest of the FAS configuration.

1. Click Create.

2. Follow along with the install wizard; for most screens, click Next.

   • When prompted, provide the following:
     • The template (Citrix_SmartcardLogon) that FAS uses to request user certificates.
     • The CAs FAS contacts to request a user certificate.

   

   Now the Citrix FAS is fully integrated with the MS Agent for certificate issuance.

   

MS AD certificate template mapping on SCM for Citrix templates

Before issuing a certificate, ensure the Citrix_SmartcardLogon, Domain Controller, and Domain Controller authentication templates are mapped to an SCM certificate profile on your SCM account.

Create MS AD certificate template mapping

To create the MS AD certificate template mapping between an SCM certificate profile and an MS AD template:

1. On SCM, navigate to Enrollment > MS AD Certificate Template Mapping.

2. Click Add (+).

3. Complete the Add MS AD Certificate Template Mapping dialog referring to the following table.

   

4. Click Save.

   

User Certificate Creation

PowerShell Cmdlet is used to manage Citrix FAS and Certificate Creation.

1. Set up PowerShell Cmdlet. Open a PowerShell Command, Windows as Administrator, and run the following command:

   Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 $CitrixFasAddress=[Get-FasServer](0).Address

2. Set up FAS Authentication on Active Directory

   • After you install FAS, you must specify the fully qualified domain names (FQDNs) of the FAS servers in Group Policy using the Group Policy templates provided in the installation. https://docs.citrix.com/en-us/federated-authentication-service/current-release/install-configure.html#configure-group-policy

3. Command to enroll the certificate. The SCM Certificate template requires a User Principal Name (UPN) for the client certificate. Set the UPN for the user in AD Example: 'admin@wwco.net'

4. Run the following PowerShell command to enroll a user certificate:

   Test-FasCertificateSigningRequest -UserPrincipalName "<admin@wwco.net>" -Rule default

   You can view the certificate from the SCM Dashboard:

   

5. To view the certificate's details, navigate to Certificates > Client Certificates, and select View > Chain of Trust.

   

References

• Citrix Federated Authentication Service Product Documentation
• Sectigo Certificate Manager Administrator’s Guide
• Citrix FAS Third-Party CA Integration Guide