# citrix-vad
h
afaik the seamless sso is just kerberos expanded to aad, with PH/PTA (Azure AD Connect: Seamless Single Sign-On - Microsoft Entra | Microsoft Learn), and FAS is needed if you don't use a username/password alignment because SAML is there from a NetScaler perspective. I must admit if SAML is in play and then no FAS and seamless SSO is working then this sounds like a nice setup without the FAS hassle for the customer.
l
Seamless SSO and PRT are different things so just be aware of that. FAS is using Certificate based Auth with only a username and the cert is your password essentially. Kerberos tickets are granted based on that Auth passing. Seamless SSO allows Kerberos tickets obtained to be provided for sso on office products. The dsregcmd command should give you your current state on the machine. Also you will want to look at the Azure Active Directory blade on Azure and see your AD Connect status and what's enabled. Those two things should help you see how it is configured right now.
j
Thanks Leee, I'm aware of these things but exactly that's the reason why I'm this confused within the mentioned citrix article, I think it's just a bad description
h
Agreed
l
Yeah, I don't think it makes sense. It's not clarifying what you are signing into too and is a little vague.
Btw, in secure environments where levels of Kerberos encryption are enforced on your vda machines Seamless SSO will fail out of the box due to the way AD Sync creates the AZUREADSSOACC object in AD. I may have spent a while troubleshooting this issue 😉
h
Oh just wait for that AES hardening phase 5 from MS, so many customers that don’t know what the impact will be
kerberos
l
Yup, 100%.
So many things to change.