This explained the smartcard logon not working when using the existing environment, because a requirement for smartcard logon is that the “NTAuthCertificates” store has the issuing certificate authority propagated. Use Registry Editor at your own risk. When a VDA needs to authenticate a user, it connects to the FAS and redeems the ticket. Citrix_RegistrationAuthority_ManualAuthorization – This template is used to authorise FAS servers. So next up we decided to repoint the Citrix FAS servers to the existing Microsoft ADCS server to root out any chain or other issues that might be in play. After adding the certificate and waiting for replication and a reboot, everything was working as expected, also when moving to the new Microsoft ADCS environment for certificate issuing. The result was exactly the same, with a “Request not supported” error as the end result. OK, we got confirmation that it indeed does work when using the new ADCS servers, but the issue with the original ADCS environment was still a mystery. To verify that the goals would be reached, I first set up Citrix FAS in my own (demo) environment, followed by a production environment on the customer infrastructure. Azure AD Sync must be in place; full single sign-on to the VDA requires FAS. With this information a Microsoft support case was created, and ultimately they confirmed that what is mentioned in the Citrix support article should do the trick. Citrix_RegistrationAuthority – This template is used to generate the certificate request for users. When authorizing the FAS, it is going to query the following Active Directory partition to get the Certificate Authority server information to enroll the certificate. So… FAS - Request not supported while launching a published Desktop with FAS. See CTX218941 FAS – Request not supported.
Citrix FAS server is unable to issue certificates to the users. I got these logs from the FAS server event viewer: “Fas server failed to issue a certificate for UPN : [email protected] for details check microsoft CA”, and from the CA log: “Active Directory Certificate Services denied request …” Citrix_RegistrationAuthority_ManualAuthorization – This template will be used for creating the initial certificate signing request for the Citrix FAS server. Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy:XXXXXXXXX. I reached out to my learned colleagues on Slack, and Mads Petersen was able to give me the answer to my question. The request is valid for 24 hours and needs to be manually approved by a CA administrator. The request is not supported: The domain controller cannot be contacted, or the domain controller has not been configured with a certificate to support Smart Card authentication. Two-way trusts are a must in this setup, not just for FAS but for RDS License CAL issuance as well, I should note; one-way trusts are a non-starter. By default the Microsoft certificate authority uses DCOM for access.
Notes from the field: Citrix FAS request not supported. Citrix recommends installing the FAS on a server that does not contain other Citrix components. This is recommended after a change to the Certificate Authority server that FAS is … You will see the request from FAS. On a recent Citrix FAS deployment I encountered the following error: “Request not supported” when logging in to a published application or desktop. See the following screenshot of the Enterprise PKI snap-in in MMC, in which you can check and/or add the missing certificate. See the following articles for extra information: https://support.citrix.com/article/CTX218941, https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store, https://support.microsoft.com/en-za/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio. On the Microsoft certificate authority, open the DCOM configuration panel and edit the properties of the “CertSrv Request” DCOM application: change the “Endpoints” to select a static endpoint and specify a TCP port number (900 in the graphic above).
We tried re-enrolling the domain controller authentication certificate and this didn’t do the trick. Then we decided to let the Domain Controllers get the certificate from the new dedicated Microsoft ADCS servers for Citrix FAS, and this did do the trick, but with a side effect: the chain is changed and other services would be negatively impacted, so a rollback was needed. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. For one of my customers I needed to set up a Citrix FAS environment for using SAML authentication to achieve a single username and password (and providing this information once). Pre-reqs: Azure account has to be a global administrator. Deauthorise the FAS service using the FAS configuration console and then authorise the FAS service again. The Federated Authentication Service is supported on Windows servers (Windows Server 2008 R2 or later). If it does not exist, StoreFront is looking for a user rule called “default.” If it is configured, it is looking for a user rule matching the data value of the key. Just right-click on it, All Tasks > Issue. https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store This can result in complexities when implementing firewall security, so Microsoft has a provision to switch to a static TCP port. Your credentials could not be verified. From a design/security perspective it was decided that two dedicated Microsoft ADCS servers would be used, with two Citrix FAS servers connecting to these new servers. Configure the SAML IdP. Using Citrix FAS (Federated ... open up the Certificate Authority console and go to the Pending Requests folder. The setup was working as expected, but only the above error would keep coming when trying to access an application or desktop.
The system could not log you on. You typically start the configuration on the Identity Provider (IdP). This is usually worth trying, even when the existing certificates appear to be valid. StoreFront needs to be configured with HTTPS. Digging deeper in the Microsoft ADCS environment, after checking the “NTAuthCertificates” store it turned out that the existing server wasn’t there and the new servers were. Click OK. On StoreFront Event ID 28 is logged and on the FAS server Event ID 123 is logged. Trusted StoreFront servers contact the FAS when users request access to the Citrix environment. Citrix Federated Authentication Service (FAS) enables users to log in to Citrix Gateway and Citrix StoreFront using SAML authentication. The request is not supported: Re-enroll the “Domain Controller” and “Domain Controller Authentication” certificates on the domain controller, as described in CTX206156. Article https://support.citrix.com/article/CTX218941 explains that re-enrollment of the domain controller authentication template or another custom template for Kerberos usage should resolve the error. Unable to authorize the FAS service; fails with the error "The Request Channel Timed out while waiting for a reply after 00:01:00". The system could not log you on. CERTSRV_E_UNSUPPORTED_CERT_TYPE. On the CA we could clearly see the template listed, and we could also see the failed enrollment. CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com.
Citrix does have a blog that covers the ins and outs of this setup, thankfully (which also covers integrating into selective auth trusts, which we didn’t need), and hats off to Roger for writing it up in such detail. The FAS grants a ticket that allows a single Citrix Virtual Apps or Citrix Virtual Desktops session to authenticate with a certificate for that session. Be sure to back up the registry before you edit it. With SAML, Citrix Gateway and StoreFront do not have access to the user’s password and thus cannot perform single sign-on to the VDA. https://support.microsoft.com/en-za/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio “The SAML authentication request property ‘Subject’ is not supported and must not be set.” If I tested the SAML authentication without nFactor, it worked absolutely fine. Restart the Microsoft certificate authority and submit a certificate re… The Windows Server should be secured. What’s the problem? It’s a great article. We are using FAS on-prem with Citrix Cloud; authentication works fine, but we cannot launch any O365 application because we have a conditional access policy on Azure to check whether the request is from a domain-joined machine or not. If I disable this policy, then everything works fine. Is there any possibility to use FAS with Azure with a conditional access policy? When installing the Citrix FAS service we are going to deploy three certificate templates. Citrix_SmartcardLogon – This template is used to issue certificates to users. When authorizing the FAS, it is going to query the following Active Directory partition to get the Certificate Authority server information to enroll the certificate. A little bit of background on the environment: an already working Microsoft ADCS environment was in play and in use for other services.
I’ve also run into issues before where I was getting a “Request Not Supported” message when trying to launch something in StoreFront. Note that the SP does not have access to the user’s password, and that is why we need Citrix FAS to generate certificates for each user. On the FAS server(s), validate that the configured user rule matches what is configured on StoreFront, in the FAS console User Rules tab as shown below: