Citrix FAS based authentication causes Azure AD Seamless SSO to fail within the VDA session


Terry Rebstein

Question

We are trying to solve an issue where users who log into a VDA via a FAS based authentication are unable to properly leverage Azure AD based SSO (Activate Office, Browse O365 portal in IE etc). Users can log in directly via RDP, Console or via a non-FAS based storefront site and everything works ok. Anyone have any tips on resolving this? We have already enabled the FAS GPO option for making the certificates available within the session without a prompt.


21 answers to this question


Following....

 

I also have the same issue and have been on a dozen calls with Microsoft and Citrix to no avail. No PRT while using FAS with AD Connect while running multi-session Windows 10 machines in Azure. Without ADFS. SSO works fine in RDP and on physical machines; just not in Citrix. Surely there's a solution to enable SSO within a Citrix session.


You get a PRT when using Azure AD certificate-based authentication (currently in public preview), but it's only working with the Windows 11 Insider Preview Build at the moment. MS will backport the functionality for Windows 10 and Server OS later this year (no ETA confirmed); see my post for some details: https://www.julianjakob.com/citrix-fas-azure-ad-cba-with-primary-refresh-token-prt/

The other workaround is to federate your domain with OnPrem ADFS and connect your ADFS to Azure MFA. This is also supported and generates a PRT.

I know, both methods aren't the best, yet... 

Edit: There is also another method, using local credentials for pushing SSO, but you have to use native Workspace App and the clients have to be domain-joined. See https://citrixie.wordpress.com/2022/07/04/citrix-workspace-azure-ad-sso-access-to-vda-desktops-and-apps-without-fas/ 

3 hours ago, Rene Bigler said:

As a workaround you can also implement Azure Active Directory Seamless Single Sign-On: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start


But this is what we have, if I'm not mistaken. It started working as soon as I removed FAS settings from the store. We have Password Hash Sync with SSO and the site in intranet sites and so on.

On 9/19/2022 at 1:59 PM, Robert Berggren1709162216 said:

But this is what we have, if I'm not mistaken. It started working as soon as I removed FAS settings from the store. We have Password Hash Sync with SSO and the site in intranet sites and so on.


Can you elaborate on your comment from this post? "But this is what we have if I'm not mistaken. It started working as soon as I removed FAS settings from the store. We have Password Hash Synch with SSO and the site in intranet sites and so on."

Do you have Office SSO working now? I'm not sure what you meant by removing FAS from the store.


Are you using non-persistent VDAs in your environment? If you want this to work, you will possibly need to add the registry keys below on the client side, whether it is persistent or non-persistent.

Before implementing these registry keys, please confirm that Seamless SSO is enabled within your tenant. Below are the registry keys for your reference:

Azure AD Connect: Seamless Single Sign-On - quickstart - Microsoft Entra | Microsoft Learn - Group policy Detailed Steps

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List. (This is enabled in console)

Value name: The Azure AD URL where the Kerberos tickets are forwarded.

Value (Data): 1 indicates the Intranet zone.

The result looks like this:

Value name: https://autologon.microsoftazuread-sso.com

Value (Data): 1

 

 

Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

After enabling the below settings on the client side, I was successfully able to authenticate using the Seamless SSO feature enabled at the tenant level.


I recently experienced the same issue and found that adding the following registry key allowed Office app logins from Citrix with FAS. Apparently, the certificates from FAS are not being handed over because the server determines Azure AD to be "internet" and not "intranet".

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"AuthServerAllowlist"="\"https://autologon.microsoftazuread-sso.com\""

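Added example, not posted by anyone in this thread: a read-only PowerShell audit, run inside the VDA session, of the client-side settings the two posts above describe (the Site to Zone Assignment List entry and Intranet-zone status bar setting, and the Edge AuthServerAllowlist value), plus whether a FAS logon certificate is actually visible in the user's store. It assumes the policy registry locations these GPOs write to (ZoneMapKey, Zones\1 value 2103) and the Smart Card Logon EKU OID, none of which the thread states.

```powershell
# Added audit script (not from the thread). Read-only: reports whether the
# Seamless SSO client settings discussed above are present in this session.
$SsoUrl      = 'https://autologon.microsoftazuread-sso.com'   # URL named in the thread
$SsoHostName = 'autologon.microsoftazuread-sso.com'
$IeSettings  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{}

# 1. Site to Zone Assignment List. Assumption: the GPO writes the URL as a REG_SZ
#    value name under ...\ZoneMapKey with the zone number as data; 1 = Intranet.
foreach ($hive in 'HKCU', 'HKLM') {
    $zone = Get-PolicyValue -Path "${hive}:\$IeSettings\ZoneMapKey" -Name $SsoUrl
    $state = if ($null -eq $zone) { 'MISSING' } elseif ("$zone" -eq '1') { 'OK (Intranet)' } else { "WRONG ZONE ($zone)" }
    $report["$hive Site-to-Zone for $SsoUrl"] = $state
}

# 2. "Allow updates to status bar via script" in the Intranet zone. Assumption:
#    policy value 2103 under Zones\1, where 0 means Enabled.
$statusBar = Get-PolicyValue -Path "HKCU:\$IeSettings\Zones\1" -Name '2103'
$report['Intranet zone: status bar updates via script (2103)'] =
    if ($null -eq $statusBar) { 'NOT SET' } elseif ($statusBar -eq 0) { 'OK (Enabled)' } else { 'DISABLED' }

# 3. Edge AuthServerAllowlist from the last post. Match the host regardless of
#    the literal quotes the posted .reg fragment embeds in the data.
$allow = Get-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name 'AuthServerAllowlist'
$report['Edge AuthServerAllowlist'] =
    if ($null -eq $allow) { 'MISSING' } elseif ($allow -like "*$SsoHostName*") { "OK ($allow)" } else { "HOST NOT LISTED ($allow)" }

# 4. Is a FAS-issued logon certificate visible to the user? The FAS in-session
#    certificate GPO places it in the Personal store; smart card logon
#    certificates carry EKU OID 1.3.6.1.4.1.311.20.2.2 (assumption, standard OID).
$logonCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' })
$report['Smart Card Logon certificates in CurrentUser\My'] =
    if ($logonCerts.Count -gt 0) { "OK ($($logonCerts.Count) found)" } else { 'NONE (no FAS certificate in user store)' }

$report.GetEnumerator() | ForEach-Object { '{0,-58} {1}' -f $_.Key, $_.Value }
```

A MISSING or WRONG ZONE result for the Site-to-Zone entry matches the symptom described in the last post: the browser treats autologon.microsoftazuread-sso.com as Internet and never offers the Kerberos ticket.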