Citrix Workloads in Azure – FAS and Primary Refresh Token (PRT)

by Uddave Jajoo, Indianapolis CUGC Leader

Customers are inclining towards migrating their On-Prem AD joined workloads to Azure. With this practice in common, customers often run into issues where the Seamless SSO does not work properly on their hybrid join devices. This blog will guide you through how these configurations impact the device join status in Azure AD and how to effectively make SSO work with the Azure Native provision workloads.

  • What is Primary Refresh Token?
  • Configure FAS in Citrix Cloud
  • Configuration on Azure AD
  • Supported Platforms

Overview

Enterprises are frequently moving from traditionally-based authentication to modern authentication across their applications. That’s why app modernization is a technique followed by each and every enterprise nowadays, when planning to migrate their apps to cloud and adapt to the modern authentication protocols.

Microsoft announced public preview of Azure AD Certificate-Based Authentication in February 2022, which would enable the support for Windows logon and Single Sign-On (SSO) to Azure AD applications and resources. When it comes to sign-in to the user desktops, it could also be utilized as one of the authentication methods by integrating it with FAS. Primary refresh token is one of the key attributes that is being transferred within the user session to enable SSO to Azure AD apps and resources. In a real time scenario, when using on-prem AD, PRT token gets issued based on the device joining status in Azure AD and gets manipulated accordingly within the session. This token is responsible to dictate the authentication state for the user session.

What is Primary Refresh Token?

Primary Refresh Token
A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices.

Microsoft recommends using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.

With the missing PRT token on the user device, it breaks the SSO process for users to connect to any federated enterprise apps/O365 Apps, that are integrated with Azure MFA, which forces them to enter the user ID and credentials every time they connect to the apps.

To determine the AzureADPRT Token value, run the below command on the client device in a command prompt – dsregcmd /status

Output – Example on Native Azure MCS provisioned desktop confirming the PRT Token set to YES
| SSO State |

            AzureAdPrt : YES
  AzureAdPrtUpdateTime : 2022-11-29 19:40:39.000 UTC
  AzureAdPrtExpiryTime : 2022-12-13 19:40:38.000 UTC

Configure FAS in Citrix Cloud

Follow the Citrix docs for successful installation and configuration of FAS in your environment. It’s a pretty straightforward guide on how to configure FAS and configure to the resource location in Citrix Cloud console.

Install and Configure FAS

Install FAS Servers, Point to PKI servers for publishing the User certificates on logon and add to resource location.

Configuration on Azure AD

Follow the instructions outlined in the MS guide – Azure Certificated Based Authentication

  • Configure at least one certification authority (CA) and any intermediate certification authorities in Azure Active Directory.
  • The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.
  • Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs. Its needed to ensure Azure AD is able to perform CRL check, otherwise the revocation of user certificates will not work and authentication will not be blocked.
  • Configure the Certificate-based authentication Authentication method in your Azure Active Directory Security menu – Configure the Certificate Authorities in Azure Security Portal
  • Join your clients and your Citrix VDA’s into Azure AD or a hybrid environment (hybrid join).

Identify the Device Type is Azure AD or Hybrid Join- Reference Table Below: Troubleshoot Devices by DSREGCMD command

AzureAdJoinedEnterpriseJoinedDomainJoinedDevice state
YESNONOAzure AD Joined
NONOYESDomain Joined
YESNOYESHybrid AD Joined
NOYESYESOn-premises DRS Joined

Device State

Sample Device State Output

+———————————————————————-+
| Device State |
+———————————————————————-+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : HYBRIDADFS
+———————————————————————-+

Supported Platforms

Before configuring device identities in Azure AD for your VDI environment, familiarize yourself with the supported scenarios. The table below illustrates which provisioning scenarios are supported. Provisioning in this context implies that an administrator can configure device identities at scale without requiring any end-user interaction.

Note – If your Identity infrastructure is Managed then Non Persistent workloads are not supported with Hybrid Azure AD Joined as Device type. Currently Its only supported with Federated Identity Infrastructure, and Microsoft is still evaluating internally how to make it work successfully with the Managed infrastructure as well.

Device identity typeIdentity infrastructureWindows devicesVDI platform versionSupported
Hybrid Azure AD joinedFederated3Windows current and Windows down-levelPersistentYes
Windows currentNon-PersistentYes
Windows down-levelNon-PersistentYes
Managed4Windows current and Windows down-levelPersistentYes
Windows currentNon-PersistentNo
Windows down-levelNon-PersistentYes
Azure AD joinedFederatedWindows currentPersistentLimited
Non-PersistentNo
ManagedWindows currentPersistentLimited
Non-PersistentNo
Azure AD registeredFederated/ManagedWindows current/Windows down-levelPersistent/Non-PersistentNot Applicable

Reference:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started

See more posts by Uddave Jajoo here.

Not a member of CUGC? Join today so you don’t miss out!

Leave a Reply