Citrix Fixes and Known Issues – Federated Authentication Service

A list of most Citrix Federated Authentication Service support articles, collated into a one-stop place where you can search for information on any issues you have with the product and its related dependencies.

The page is updated daily with new support articles and information. Articles will change from time to time, and if information here is outdated or incorrect, please let me know using the comments. Links may also expire or change, so if you find broken links, please let me know as well. For each issue, known affected product versions are recorded; however, that does not mean that unlisted product versions are unaffected.

There is a search box that you can use if looking for a specific fault. For example, if you have an error code or error message, use that to perform a search. You can also use your browser's search feature, which searches the whole page for the words you enter.

Federated Authentication Service:


| ID | Brief Description of Issue | Brief Description of Fix | Applicable Product Versions Affected (if known) | Link to supplemental Support Article(s) |
|---|---|---|---|---|
| 1 | The Citrix FAS manual authorisation request does not reach the Certificate Authority server. Wireshark traces show the FAS server throwing an error "nca_s_fault_access_denied". | DCOM security settings for the Issuing Certificate Service had not been updated. You must manually run three commands to rectify. | XenDesktop 7.9 to 7.15. | https://support.citrix.com/article/CTX225236 |
| 2 | An application launch results in a failure with error "Cannot Start App" after enabling FAS. On StoreFront Event ID 28 is logged and on the FAS server Event ID 123 is logged. | Deauthorise the FAS service using the FAS configuration console and then authorise the FAS service again. This is recommended after a change to the Certificate Authority server that FAS is pointed towards. | StoreFront 3.9 to 3.11. | https://support.citrix.com/article/CTX224802 |
| 3 | Users from one domain cannot obtain a FAS user certificate from another domain. Event Viewer on StoreFront contains events with message "Error: Citrix.Authentication.FederatedAuthenticationService Error 102". | Add the StoreFront, FAS and VDA servers from one domain to the other domain's "Windows Authorization Access Group". | | https://support.citrix.com/article/CTX220497 |
| 4 | When launching the Citrix FAS Configuration console, upon selecting a FAS server and clicking OK you receive error "Error connecting to servername. One or more errors occurred". | Do not use CNAME or A records pointing to a name different than the FQDN of the FAS server. | | |
| 5 | Application launches fail with "Cannot start app". Event ID 28 is logged on the StoreFront servers which states "An unknown error occurred interacting with the Federated Authentication Service". | If you have created a new FAS User Rule, check the User Rule configured within FAS has been pushed out to StoreFront servers via Group Policy. | | https://support.citrix.com/article/CTX229160 |
| 6 | When installing FAS you receive a "Installation of MSI File 'FederatedAuthenticationService_x64.msi' failed with 'InstallFailure' (1603)". | This happens when you install an older version of FAS on a server which already holds a newer StoreFront role. You should install FAS on dedicated servers. | | |
| 7 | After clicking on Start on Step 3 "Authorize this Service" from the FAS Configuration console you receive a "Status: Failed to Issue certificate: Code 2" error and the Certificate Authority server reports that the request was "Denied by Policy Module". | Edit the "Citrix_RegistrationAuthority_ManualAuthorization" certificate template and change the "Validity period" to 2 days and the "Renewal period" to 1 day. Retry Step 3. | | |
| 8 | A lot of pending requests appear on your certificate authority server for certificates using the "Citrix_RegistrationAuthority_ManualAuthorization" and "Citrix_RegistrationAuthority" templates. | Remove "Domain Computers" from the permissions list of each template. | | https://support.citrix.com/article/CTX237503 |
| 9 | With FAS and SAML authentication configured, launching an application or desktop results in error "Cannot start app". The StoreFront server shows event ID 28 "Could not contact any Federated Authentication Servers". | This issue is caused by StoreFront servers being unable to resolve the FAS server's hostname. | | https://support.citrix.com/article/CTX237741 |
| 10 | After logging on to a VDA using FAS, the VDA will crash exactly 10 hours after the initial logon. | In this environment, Kerberos tickets had a renew time of 10 hours (default is 7 days), but the session was in a disconnected state. As a result, VDAs were losing access to FSLogix profile disks causing the VDA to crash. The FSLogix configuration was changed so that machine account authentication was used rather than user account authentication. | | https://discussions.citrix.com/topic/400863-citrix-fas-and-event-id-107/ |

