# citrix-vad
c
Have you deployed the FAS service component on prem and connected it to Citrix Cloud, deployed and published the FAS templates to your CA, approved the Citrix_RegistrationAuthority pending request, created a FAS rule, and applied the FAS GPO to your VDAs and FAS servers?
n
yes, all that has been completed
a
Is this new or has it ever worked? Just thinking, do you have Domain Controller Authentication certs on your Domain Controllers?
c
When I have seen the incorrect username or PW error with FAS previously, it's normally related to the cert on your Domain Controller
👆
n
It's a new FAS server I just configured the other day
everything is green on the FAS server
what do you mean, cert on the domain controller?
a
Yeah, it'll only really show up if you enable Kerberos logging
c
check your cert on your domain controller in the personal store for local machine
a
You need to issue certs to your Domain Controllers using the "Domain Controller Authentication" certificate template
It's needed to allow AD to authenticate credentials using smart-cards
n
I don't see those steps in here https://docs.citrix.com/en-us/federated-authentication-service/install-configure.html#connect-to-citrix-cloud at all. Do you have the steps? Can you send them to me?
c
Trust us, it's needed 🙂
n
Can you send me a screenshot of what I should be looking for?
c
haha mine actually expired in my lab, best renew it
n
I see that cert on the client DC
so that's not the issue, but thanks
c
and it's issued from the domain controller cert template?
n
I think it's like that on the client DC
but he had to go, so I have to check back with him at 2:30.
have to jump to another client
n
so the cert on the DC looks fine, it's issued by the correct certificate authority.
is this right... is this what it should look like?
I see this event log in System - EventID The domain controller rejected the client certificate of user , used for smart card logon. The following error was returned from the certificate validation process: The revocation function was unable to check revocation because the revocation server was offline.
hello
anyone there?
n
it looks like it's the certificates on the DC
what is the impact of renewing that certificate to include the smart card properties?
I think I basically have to do the fix that is stated in this article
I am struggling to create the cert
where do I go to create it?
I am in certificate templates
figured out how to create the cert
c
Open PKIView and check your CDP/AIA locations and make sure they are not offline. If you want to publish a new certificate template, you go into templates on your CA, manage, and duplicate a template, e.g. Domain Controller Authentication (check the extended key usage and make sure it has Smart Card Logon); on the ACL make sure your domain controllers have the Enroll permission. You then publish the template ("certificate template to issue") and select your duplicate template. You can then enroll for the cert using that template via MMC on your domain controllers.
n
thanks John, but I was able to create the correct certificate last night by selecting the Kerberos cert template, so I am good from that end. I think they have an issue with their PKI. I need to determine what it is.
c
From the error in the logs you posted, it sounds like the CDP (CRL) and AIA are unavailable. If you run PKIView via CMD it will confirm that or not.