Citrix Fixes – Federated Authentication Service

A list containing the majority of Citrix Federated Authentication Service support articles collated to make this page a one stop place for you to search for and find information regarding any issues you have with the product and its related dependencies.

The page is updated daily with new support articles and information. Articles will change from time and if information here is outdated or incorrect please let me know using the comments. Links may also expire or change so if you find broken links, please again let me know. For each issue, known product versions affected are recorded however that does not mean product versions that aren’t listed are not affected.

There is a search box that you can use if looking for a specific fault. For example if you have an error code or error message, use that to perform a search. You can also use your browsers search feature which will perform a search against the whole page based on the words you enter.

Federated Authentication Service:

wdt_ID Brief Description of Issue Brief Description of Fix Applicable Product Versions Affected (if known) Link to supplemental Support Article(s)
1 The Citrix FAS manual authorisation request does not reach the Certificate Authority server. WireShark traces show the FAS server throwing an error "nca_s_fault_access_denied". DCOM security settings for the Issuing Certificate Service had not been updated. You must manually run three commands to rectify. XenDesktop 7.9 to 7.15.
2 An application launch results in a failure with error "Cannot Start App" after enabling FAS. On StoreFront Event ID 28 is logged and on the FAS server Event ID 123 is logged. Deauthorise the FAS service using the FAS configuration console and then authorise the FAS service again. This is recommended after a change to the Certificate Auhtority server that FAS is pointed towards. StoreFront 3.9 to 3.11.
3 Users from one domain cannot obtain a FAS user certificate from another domain. Event Viewer on StoreFront contains events with message "Error: Citrix.Authentication.FederatedAuthenticationService Error 102". Add the StoreFront, FAS and VDA servers from one domain to the other domain's "Windows Authorization Access Group".
4 When launching the Citrix FAS Configuration console, upon selecting a FAS server and clicking OK you receive error "Error connecting to servername. One or more errors occurred". Do not use CNAME or A records pointing to a name different than the FQDN of the FAS server.
5 Application launches fail with "Cannot start app". Event ID 28 is logged on the StoreFront servers which states "An unknown error occurred interacting with the Federated Authentication Service". If you have created a new FAS User Rule, check the User Rule configured within FAS has been pushed out to StoreFront servers via Group Policy.

Leave a Reply