by Uddave Jajoo, Indianapolis CUGC Leader
Contents:
- Introduction to FAS
- Configure FAS
- Configure FAS locally on VDA
Introduction to FAS
Federated Authentication Service (FAS) is one of the new components developed by Citrix. It allows users to authenticate seamlessly in their Citrix environment by interacting with an Active Directory Certificate Authority (CA). I would like to keep this blog short and talk only about how to implement FAS on your Citrix VDAs.
A detailed explanation of the architecture and how it works can be found here – Citrix FAS Architecture
Configure FAS
Follow the Citrix docs to install and configure FAS in your environment. It's a pretty straightforward guide on how to configure FAS and connect it to the resource location in the Citrix Cloud console.
Install the FAS servers, point them to the PKI servers for publishing the user certificates at logon, and add them to the resource location.
Configure FAS Locally on VDA
After installing the FAS servers, admins need to make some changes locally on the VDA to allow users to authenticate using smart card logon. Implement the group policy on the VDA that points to the FAS servers added to the respective resource location. There are different ways to implement this setting on the VDA.
Using Group Policy – Follow Configure Group Policy
Local Registry Edit – Open the registry on the VDA and run the script below to create the FAS server entries.
$Address1 and $Address2 are the FQDNs of the FAS servers.
Example – $Address1=FASserver1.udjajoo.com $Address2=FASServer2.udjajoo.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# FQDNs of the FAS servers for this resource location (values from the example above)
$Address1 = "FASserver1.udjajoo.com"
$Address2 = "FASServer2.udjajoo.com"
# Create the policy key path that holds the FAS server list
New-Item -Path "HKLM:\Software\Policies\Citrix" -Name "Authentication" -Force
New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication" -Name "UserCredentialService" -Force
New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService" -Name "Addresses" -Force
# One string value per FAS server
Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address1 -Value $Address1
Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address2 -Value $Address2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With this registry key configuration on the VDA, admins can easily point the VDA to the FAS servers required for a specific resource location. If you have multiple resource locations (different regional domains) with different FAS servers tied to each resource location, use the script function below and run it locally on the VDA. This script block can be integrated into your post-image build scripts, or executed remotely against persistent VDAs.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# First label of the machine's DNS domain name, e.g. "z3" from z3.udjajoo.com
# (the switch below compares case-insensitively)
$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain.Split(".")[0]
Function Config-FASServer() {
    Try {
        # Turn registry errors into terminating errors so the Catch block sees them
        $ErrorActionPreference = "Stop"
        Write-Host "Setting FAS servers for the machine based on its domain" -ForegroundColor Magenta
        # The machine's own domain is listed first, followed by the other domains' servers
        switch ($DomainName) {
            "Z3" {
                $Address1 = "Z3FASServer1.z3.udjajoo.com"
                $Address2 = "Z3FASServer2.z3.udjajoo.com"
                $Address3 = "Z2FASServer1.z2.udjajoo.com"
                $Address4 = "Z2FASServer2.z2.udjajoo.com"
                $Address5 = "Z1FASServer1.z1.udjajoo.com"
                $Address6 = "Z1FASServer2.z1.udjajoo.com"
            }
            "Z2" {
                $Address1 = "Z2FASServer1.z2.udjajoo.com"
                $Address2 = "Z2FASServer2.z2.udjajoo.com"
                $Address3 = "Z1FASserver1.z1.udjajoo.com"
                $Address4 = "Z1FASserver2.z1.udjajoo.com"
                $Address5 = "Z3FASServer1.z3.udjajoo.com"
                $Address6 = "Z3FASServer2.z3.udjajoo.com"
            }
            Default {
                $Address1 = "Z1FASserver1.z1.udjajoo.com"
                $Address2 = "Z1FASserver2.z1.udjajoo.com"
                $Address3 = "Z2FASServer1.z2.udjajoo.com"
                $Address4 = "Z2FASServer2.z2.udjajoo.com"
                $Address5 = "Z3FASServer1.z3.udjajoo.com"
                $Address6 = "Z3FASServer2.z3.udjajoo.com"
            }
        }
        # Create the policy key path that holds the FAS server list
        New-Item -Path "HKLM:\Software\Policies\Citrix" -Name "Authentication" -Force
        New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication" -Name "UserCredentialService" -Force
        New-Item -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService" -Name "Addresses" -Force
        # One string value per FAS server
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address1 -Value $Address1
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address2 -Value $Address2
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address3 -Value $Address3
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address4 -Value $Address4
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address5 -Value $Address5
        Set-ItemProperty -Path "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses" -Name Address6 -Value $Address6
    }
    Catch {
        Write-Host "An error occurred: $_ `n`r" -ForegroundColor Red
        # $CTXResealLog is not defined in this snippet; it is assumed to be a log
        # file path set by the surrounding build script
        if ($CTXResealLog) { "An error occurred: $_" | Out-File $CTXResealLog -Append }
    }
}
Config-FASServer
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
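
Because this key decides which FAS servers the VDA uses for user logon, it is worth reading it back after the build script has run. The check below is an added example, not part of the original script or of Citrix tooling; the function names, the approved list and the constructed sample are assumptions for illustration.

```powershell
# Added example: compare the FAS addresses configured on a VDA with an
# approved list. Function names and sample data are hypothetical.
$AddressKey = "HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses"

function Get-FasAddressList {
    # Read every value under the Addresses key into a name -> FQDN hashtable
    param([string]$Path = $AddressKey)
    $result = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $result[$name] = [string]$key.GetValue($name) }
    }
    return $result
}

function Test-FasAddressList {
    # Return one finding per problem; no output means the list is clean
    param([hashtable]$Configured, [string[]]$Approved)
    $findings = @()
    $values = @($Configured.Values)
    foreach ($name in ($Configured.Keys | Sort-Object)) {
        $fqdn = $Configured[$name]
        if ($name -notmatch '^Address\d+$') {
            $findings += "${name}: unexpected value name"
        } elseif ($Approved -notcontains $fqdn) {      # comparison is case-insensitive
            $findings += "${name}: $fqdn is not an approved FAS server"
        }
    }
    foreach ($group in ($values | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $findings += "Duplicate entry: $($group.Name)"
    }
    foreach ($fqdn in $Approved) {
        if ($values -notcontains $fqdn) { $findings += "Approved server not configured: $fqdn" }
    }
    return $findings
}

# Constructed sample: Address2 repeats Address1 and Address3 is not approved
$sample = @{
    Address1 = "Z3FASServer1.z3.udjajoo.com"
    Address2 = "Z3FASServer1.z3.udjajoo.com"
    Address3 = "fas.example.invalid"
}
$approved = @("Z3FASServer1.z3.udjajoo.com", "Z3FASServer2.z3.udjajoo.com")

Test-FasAddressList -Configured $sample -Approved $approved
# On a VDA, audit the live key instead:
# Test-FasAddressList -Configured (Get-FasAddressList) -Approved $approved
```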