Recently a customer of mine gave me a task to solve: "Can we authenticate against Netscaler Gateway with just a username and a security token from a non-domain-joined client and get access to a full Citrix ICA session?" The customer wants employees to work password-free, which is the reason they use smart cards in-house on all domain-joined clients. The company clients have no problem connecting externally to the corporate network, but what about private clients? For those, users only get a security token and that's it. In the past, users had to enter a password at least once against Web Interface and save it.
Here comes Citrix Federated Authentication Service to the rescue!
In my opinion this is a good example, and I guess a lot of other Citrix customers have the same or a similar request. Before I get back to the use cases, let's have a look at how the Citrix Federated Authentication Service works.
Citrix Federated Authentication Service
Let's keep things simple for better understanding. FAS is a Windows service that issues smart-card-class certificates (vSmartCards) on behalf of AD users. To do so, the service must be authorized by the private certificate authority (CA), which issues it an authorization certificate for requesting user certificates. The Federated Authentication Service primarily interacts with Citrix StoreFront; other components such as Netscaler, the DDC and the VDA are also involved, but they are less important than StoreFront. The issued vSmartCard is then used to log the user on at the target VDA, much like the NFuse ticket in the old days; the VDA never receives the private key, FAS performs the signing on its behalf. Since FAS holds the private keys of all vSmartCards it has issued, the server must be hardened and administrative access to it strictly limited.
FAS has been part of the XenApp/XenDesktop media since 7.9. Deploying FAS is quite easy if you have administrative rights, especially on the private CA. Don't install it on a server that already hosts Citrix components, nor on a server that uses port 80, such as IIS. Just run the setup with the defaults, which basically installs a Windows service and a basic console. Open the FAS console as administrator (runas), otherwise it will fail. You then have three tasks to fulfil:
- upload (import) the certificate templates to the CA,
- add the certificates to the CA, and
- authorize the FAS server to create certificates; this request must be approved on the CA server.
Tasks 1 and 2 are performed remotely on the CA but should work just fine.
Once all three tasks show "green", you need to set a Microsoft group policy for FAS that defines the FAS server FQDN and the session settings. This policy must be applied to the VDAs, the DDCs and the FAS server itself. You cannot continue with FAS until the policy is in place, and if for any reason a system is missing the policy you get the following error in the event log:
No User Credential Service configured. Apply the "Citrix User Credential Service Group" Policy Object
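Because a machine that misses the policy fails with nothing more than that event, it pays to check every VDA, DDC and FAS host before testing a logon. The following PowerShell is an added example and not code from the original post. It assumes the FAS group policy writes its server list to HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses (values Address1, Address2, ...), checks that each listed FAS server answers on TCP 80 (the port FAS listens on, which is why IIS must not share the box), and scans the Application log for the event quoted above.

```powershell
# Added example: verify the FAS group policy has landed on a VDA, DDC or FAS host.
# Assumption: the FAS policy populates this key with Address1, Address2, ... values.
$fasPolicyKey = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'

function Get-FasPolicyAddresses {
    if (-not (Test-Path $fasPolicyKey)) {
        return @()   # policy never applied on this host
    }
    # Only the AddressN values carry FAS server FQDNs; skip the PS* metadata properties.
    (Get-ItemProperty -Path $fasPolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^Address\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-FasPolicyErrors {
    param([int]$Hours = 24)
    # The message FAS components log when the policy is missing (quoted in the post above).
    $pattern = 'No User Credential Service configured'
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
            Where-Object { $_.Message -like "*$pattern*" }
    } catch {
        @()   # Get-WinEvent throws when the filter matches no events at all
    }
}

$addresses = @(Get-FasPolicyAddresses)
if ($addresses.Count -eq 0) {
    Write-Warning "FAS policy not applied on $env:COMPUTERNAME (no Address values under $fasPolicyKey)"
} else {
    Write-Host "FAS servers configured by policy:" ($addresses -join ', ')
    # FAS listens on TCP 80 by default; a closed port here explains logon failures just as well as a missing policy.
    foreach ($fqdn in $addresses) {
        $ok = Test-NetConnection -ComputerName $fqdn -Port 80 -InformationLevel Quiet
        Write-Host ("{0}: port 80 {1}" -f $fqdn, $(if ($ok) { 'reachable' } else { 'NOT reachable' }))
    }
}

$events = @(Get-FasPolicyErrors)
if ($events.Count -gt 0) {
    Write-Warning ("{0} 'No User Credential Service configured' event(s) in the last 24h, most recent at {1}" -f $events.Count, $events[0].TimeCreated)
}
```

Run it as administrator on each of the three roles; a host that reports no Address values or unreachable FAS servers is the one to fix before touching StoreFront or Netscaler.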
User rules / ACL
Mainly you must set the security access control lists (ACLs). By default all computers are denied for both StoreFront servers and VDAs. You must explicitly add the computers that need to be allowed and remove any deny entry, because a deny always wins over an allow. It does not work if you leave all computers denied and just allow the DDC. That's all, you are done.
Now comes the tricky part: the configuration is not fully documented for every use case. You will find the basic concept or architecture for some cases in the Citrix eDocs (https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-14/secure/federated-authentication-service/fas-architectures.html), such as using ADFS for a B2B solution, but not the exact details of how to configure components like Netscaler or StoreFront. One thing is certain: the user must log on with the User Principal Name (UPN), otherwise FAS cannot issue vSmartCards.
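What "remove any deny" means in practice is easiest to see in the SDDL strings FAS stores for each rule. The following PowerShell is an added example, not code from the original post or from Citrix. It assumes the FAS snap-in Citrix.Authentication.FederatedAuthenticationService.V1 with Get-FasRule/Set-FasRule and their StoreFrontAcl/VdaAcl SDDL parameters (run on the FAS server), and the rule name, domain and computer account names are placeholders.

```powershell
# Added example: find deny ACEs in a FAS rule and replace the computer ACLs with allow-only lists.
# Assumptions: snap-in name, Get-FasRule/Set-FasRule and the StoreFrontAcl/VdaAcl parameters (SDDL).
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 -ErrorAction Stop

$ruleName           = 'default'                          # placeholder rule name
$allowedStoreFronts = @('CORP\SF01$', 'CORP\SF02$')      # placeholder computer accounts (note the trailing $)
$allowedVdas        = @('CORP\VDA01$', 'CORP\VDA02$')

function ConvertTo-Sid([string]$account) {
    # Resolve DOMAIN\name$ to its SID string; SDDL ACEs carry SIDs, not names.
    (New-Object System.Security.Principal.NTAccount($account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-HasDenyAce([string]$sddl) {
    # Deny ACEs win over allow ACEs, so a "deny Domain Computers" entry keeps blocking
    # every host even after you add allows. Returns $true if any deny ACE is present.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { return $true }
    }
    return $false
}

function New-AllowOnlySddl([string[]]$accounts) {
    # SDDL granting GA (generic all) to exactly the listed accounts and nobody else.
    # Owner/group NS (Network Service) follows the shape of the FAS defaults.
    $aces = $accounts | ForEach-Object { '(A;;GA;;;{0})' -f (ConvertTo-Sid $_) }
    'O:NSG:NSD:' + ($aces -join '')
}

$rule = Get-FasRule -Name $ruleName
foreach ($prop in 'StoreFrontAcl', 'VdaAcl') {
    if (Test-HasDenyAce $rule.$prop) {
        Write-Warning "$ruleName.$prop contains a deny ACE; it overrides any allow you add"
    }
}

# Replace both ACLs: explicit allows only, no deny entry left behind.
Set-FasRule -Name $ruleName `
    -StoreFrontAcl (New-AllowOnlySddl $allowedStoreFronts) `
    -VdaAcl        (New-AllowOnlySddl $allowedVdas)

$rule = Get-FasRule -Name $ruleName
"StoreFrontAcl: $($rule.StoreFrontAcl)"
"VdaAcl:        $($rule.VdaAcl)"
```

The same check applies to the user ACL: if a rule still lists a deny entry there, the console's green status tells you nothing about whether a logon will actually succeed.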
StoreFront FAS Plug-In
At the moment you cannot enable FAS in the StoreFront console; it must be done with PowerShell. I advise creating a dedicated "FAS" store. In the PowerShell commands you apply the FAS claims factory to that store's authentication service path (/Citrix/FASAuth). This modifies the web.config in that folder, which is replicated across a StoreFront server group. Here are the PowerShell commands for a store called FAS:
# Load the StoreFront PowerShell modules
& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
$siteId = 1                                      # IIS site that hosts StoreFront (Default Web Site = 1)
$storeVirtualPath = "/Citrix/FAS"                # the store created for FAS
$authenticationVirtualPath = "/Citrix/FASAuth"   # that store's authentication service
# Use FAS: the authentication service issues FAS claims instead of password credentials ...
Set-DSClaimFactoryName -siteId $siteId -virtualPath $authenticationVirtualPath -factoryName "FASClaimsFactory"
# ... and the store hands FAS logon data (the vSmartCard) to the VDA
Set-DSVdaLogonDataProviderName -SiteId $siteId -VirtualPath $storeVirtualPath -VdaLogonDataProviderName "FASLogonDataProvider"
FAS common use cases
Very different scenarios are possible, and they can become quite complex, but in all cases the goal is access to a full Citrix ICA session. That brings me back to where I started, but it isn't necessarily the first use case.
What I see as the first use case is simple domain pass-through with StoreFront. When you enable domain pass-through in StoreFront, it only applies to Receiver for Web (RfW), not to the target VDA. Therefore you must install the local Receiver as administrator to get the SSO component registered. Next, you need to configure SSO via group policy, and in the end it might still not work because of other loaded credential providers.
With FAS, just forget the SSO part of Receiver! No admin installation, no Receiver configuration for SSO! Keep in mind that this still requires a domain-joined client and RfW in the intranet zone of Internet Explorer.
Back to the token-only use case, which I also think is a good example for FAS. Let's assume everybody in the company works with smart cards and doesn't know their AD password. When employees want to work from home on a non-domain-joined client, how can I let them work from home, or anywhere, without needing a password? Token authentication with the UPN as the username is all you need with FAS! This gives employees a seamless yet secure experience inside and outside the company.
FAS will and should be developed further by Citrix, and I mean not only FAS itself but, more importantly, the FAS integration with StoreFront and Netscaler. StoreFront needs better front-end error messages and FAS as an authentication option in the console. Netscaler also needs a FAS profile option for the SSO part. The FAS console should get a facelift and better error messages, tracing and logging capabilities.
Apart from that, FAS works very stably and is easy to configure. Identity management is a big topic, and FAS is a bridge that gives users access to a full Citrix XenApp / XenDesktop session.
Thanks go to Andrew Innes (FAS) and his team as well as to Simon Frost (StoreFront).