by Wendy Gay, Citrix
This is a feature that I have been waiting to test and play with for a while now, and it has arrived in private tech preview. It allows users of the Citrix Workspace Experience, using Federated Authentication Service, access to Citrix VDA resources with Azure Azure AD credentials. Federated Authentication Service (FAS) has been available since 7.9 and has been integrated with on-premises Citrix ADC and Citrix Storefront for SAML authentication since then. Let’s take a look at the use cases for Federated Authentication Service. This service allows contractors, partners and other users who need access to resources on your network in a controlled way with Azure AD or Okta credentials. FAS uses “Shadow Accounts” that will allow users access to resources using the UPN, First Name, and Last Name on a matching shadow account in AD. FAS ensures the end-user never needs to know the password for that AD account on your network. Let’s take a look at this new feature of Citrix Cloud and check out the new Workspace experience.
What is Federated Authentication Service?
Here is an explanation of Federated Authenticated Service from the Citrix website: “The Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is commonly used as an alternative to traditional Windows user accounts on the Internet.” If you are interested in how to install FAS and set it up from scratch using Citrix ADC and Citrix Storefront, then please see this article for more details. https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/federated-authentication-service.html. In this article, I am focusing on the Citrix Cloud FAS installation.
What’s new in Citrix Cloud?
Up until now, it was not possible to use Federated Authentication Service with Citrix Workspace Experience. I am pleased to say that this is now possible and is in tech preview. So what does Federated Authentication Service (FAS) do, and why is it important for a better end-user experience? FAS will allow users to make use of authentication methods such as Azure AD and OKTA within Citrix Workspace Experience. The end-user can now use Azure AD authentication to login into the Workspace and have that pass all the way through to the VDA session. This means that users now get a seamless authentication process all the way through to a launched desktop with Azure credentials! I think this is awesome for user experience. If an admin were to setup Azure AD Authentication for Citrix Workspace experience and not use our new FAS service with Citrix Cloud, end users are prompted for and Active Directory login when they attempt to launch a desktop. This would leave users with a less than optimal experience and not what we want for our end users.
How do we set up FAS?
In the resource location, we need the following machines
- Active Directory Certificate Services (MS Certificates Server)
- FAS Server (with Private Tech Preview of FAS installed)
- Virtual Desktop Agent (to test the launch process.
- Active Directory Domain Controller.
- Azure AD Sync to Azure AD
In Citrix Cloud
- Enable Citrix FAS
- Configure the Azure AD Authentication for the Citrix Workspace Experience.
Step 1: Citrix Cloud Setup
Let’s set our authentication method to Azure AD for Subscribers. This will allow our end-users to login onto the Citrix Workspace with Azure AD credentials. We can do this by choosing Identity and Access Management.

Choose Azure Active Directory as the Workspace Authentication method following the instructions, and you can see at the bottom that you can enable FAS.

STEP 2: In the Resource Location
Log into the FAS Server in the Resource Location and Install the FAS service. (I used the private tech preview, thanks to Oscar Day.) I installed the “Federated AuthenticationService_x64.msi” on a clean install of 2016 Server with .Net Framework 4.8 installed.

Click “install” and begin the installation of the FAS service, accepting the defaults. Open the new FAS console to see the configuration requirements for FAS. I installed and set up Microsoft Certificate services in advance in order to use with the FAS setup.
I set up the Certificate Templates, configured the Certificate Authority, and Authorized the service (you will see a pending request to authorize on the Certificate Server). Once deploy, Setup and Authorize steps are completed and have a green tick against them, we are ready to check out the new option “connect to Citrix Cloud.”

Now let’s get on to the interesting part. Click Connect on Connect to Citrix Cloud Option and select Sign in to Citrix Cloud. This is important for connecting your resource location FAS server to your Citrix Cloud Tenant.

Choose your customer and choose the resource location (you can have multiple customers and resource locations).

You should see that you are successfully authenticated.

Choose a rule, or accept the default rule. Following the default options, checking the radio buttons when required.

Click Finish.

The status should now say “Connected to the cloud and working” (this is a great place to check for any errors).
If you check in your resources location, you should now see a FAS server showing up as below.

Choose your resource location. Check the FAS server count is 1.

Step 3: Group Policy Settings
Group Policy Settings
We now need to import the ADMX and ADML files found in the install folder of the FAS server into AD Group Policy. These files are stored in the policy definitions folder. Upload them into AD.

Create a Group Policy Object (once the ADMX’s have been imported) and configure the GPO with the following settings:

Add the Federated Authentication Service in the DNS values. Run a gp udpate /force on the VDA before testing.

Step 4: User Experience
So, after all the configuration is complete! Let’s see the result. I setup Azure MFA with my Azure AD authentication also. I log into the workspace and I am prompted for my Azure AD Credentials.

I enter my password and then enter my verification code.

I double click on my Windows Virtual Desktop and I have access to my desktop resources, without using AD credentials, or any additional authentication.

I think that is pretty good for our end-user experience. In my next blog, I am going to talk about how I can use Azure AD to SSO onto my Citrix Files using Azure AD.
Check it out on Twitter https://twitter.com/Wendy_Gay1/status/1152500199249666048
[…] to a VDI in Azure without any re-authentication using Azure AD. Here it is if you missed it: https://blogs.mycugc.org/2019/07/23/citrix-cloud-citrix-workspace-experience-and-federated-authentic… I wanted to follow on from that blog and show you how to access the Citrix Files application on the […]