So, my customers often ask me why they need Citrix FAS when they are trying to decrease the number of servers they manage while going from Citrix On-Prem to Citrix Cloud.
Simply put, you don't need it unless you use a 3rd-party authentication solution that Windows will not recognize. This includes Entra ID.
Federated Authentication Service (FAS) allows Windows to skip prompting the user for additional credentials when the desktop launches. FAS uses a smart-card-like certificate to log the user on with the credentials they have already supplied to the third-party provider. FAS works for both on-prem and Citrix Cloud environments. So, looking to implement Entra ID and MFA for your users? Then FAS resolves the really awful pain point you will discover once you've turned it on: Windows prompts stating you entered bad credentials.
So what do you need to start?
- At least two servers running the FAS software
- Best practice: a two-tier PKI environment in place
  - one Offline Root
  - one Online Sub
- Run the FAS wizard to configure your PKI to work with FAS
  - Deploy the Certificate Templates
  - Set up the Certificate Authorities
  - Authorize FAS to use the CAs
  - Configure the rules
  - Connect FAS to the Cloud if needed
- Install the FAS ADMX and ADML files on your DCs
- Create a GPO at the root of your Citrix OU so that all Citrix machines receive the FAS information.
  - Add the FAS servers to the list of FAS servers
- If you are using on-prem StoreFront, then you will need to configure your StoreFront to work with FAS.
  - Run this script to enable FAS on the StoreFront server.
  - Modify the variable $StoreVirtualPath to reflect the organization's true store name.

```powershell
# Load the StoreFront PowerShell SDK modules
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module

# Virtual path of the store; change this to match your store name
$StoreVirtualPath = "/Citrix/Store"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store

# Tell StoreFront to issue FAS claims and to use FAS logon data when launching on the VDA
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
```
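As an added example (not the script from the original post), here is the same StoreFront step wrapped in a function that fails loudly when the store path is wrong, instead of letting the Set- cmdlets run against a null store, and that reads the launch options back to confirm the change. It assumes the StoreFront SDK is installed on the StoreFront server and that Get-STFStoreLaunchOptions returns an object with a VdaLogonDataProvider property (an assumption, mirroring the Set- parameter name).

```powershell
# Added example, not the post's own script. Assumes the Citrix StoreFront
# PowerShell SDK is present and that Get-STFStoreLaunchOptions exposes a
# VdaLogonDataProvider property (assumption, mirroring the Set- parameter).
function Enable-FasOnStore {
    [CmdletBinding()]
    param(
        # Virtual path of the store as shown in the StoreFront console, e.g. "/Citrix/Store"
        [Parameter(Mandatory)]
        [string]$StoreVirtualPath
    )

    Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module -ErrorAction Stop

    # Stop here if the store name is wrong; otherwise the Set- calls below get $null
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    if (-not $store) {
        throw "No StoreFront store found at virtual path '$StoreVirtualPath'. Check the store name in the StoreFront console."
    }

    $auth = Get-STFAuthenticationService -StoreService $store
    if (-not $auth) {
        throw "Store '$StoreVirtualPath' has no authentication service, so FAS cannot be enabled on it."
    }

    # The same two settings the post's script applies
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

    # Read the launch options back so a failed change is caught now, not at first user logon
    $launch = Get-STFStoreLaunchOptions -StoreService $store
    if ($launch.VdaLogonDataProvider -ne "FASLogonDataProvider") {
        throw "VdaLogonDataProvider is '$($launch.VdaLogonDataProvider)', expected 'FASLogonDataProvider'."
    }

    Write-Host "FAS enabled on store '$StoreVirtualPath'."
}

# Run on the StoreFront server in an elevated session; safe to re-run after store changes.
Enable-FasOnStore -StoreVirtualPath "/Citrix/Store"
```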
After you have completed the above and your FAS is showing all steps as Green, then you can proceed to testing successful logins using your third party authentication solution. Happ