# citrix-vad
p
You will be able to launch and log in, but you will need to auth a "second time" at the Windows login screen. With FAS enabled, you only need to auth when logging into StoreFront / Workspace app / cloud gateway (pick yours).
n
well, i shut the servers down and it didn't prompt me to login again after clicking on the published application
and before i had FAS enabled it did prompt me to login after clicking on the published application
so i am confused
does the second login only happen when you have two-factor enabled?
p
Others can correct me, but we use FAS because our auth method to Citrix is AzureAD. So without FAS running there is no authentication ticket. If you're still using AD auth generally, then FAS won't really do anything for you.
m
You only need FAS when using SAML-based authentication, like AzureAD for example.
n
aah
okay, thanks guys
i am sorry i am dumb
now i get it
s
The secret is in the name. Federated means that you are using an authentication authority that is not inherently trusted by the default authority, like if you had AD Domain and/or Forests that have trusts in place. Federated allows access to resources without establishing those trusts
l
You aren't dumb - FAS and federation and SAML are just a royal pain and a nightmare to deal with. If you do SAML, the credentials are never passed directly to StoreFront to send to the VDA, hence the FAS generates an auth cert. Federation keys are also a key target for threat actors.
t
If FAS is enabled on the StoreFront store and no FAS servers are available, users will not be able to launch resources. They will get an error "Cannot start APP/DESKTOP" and an error is logged on the SF that says "The Federated Authentication Server at: FASERVER generated an exception for method AssertIdentity. The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state."