Citrix Federation Services Issue

For the last 6 months of using Citrix Cloud StoreFront and testing it out with our Entra ID joined-only devices, I had just two apps that wouldn't single sign-on all the way through. I had, here and there, gone through troubleshooting and even had our Citrix Support try and help.

But over the Christmas break I decided it was time to sit down without interruptions, look at the issue and see if I could crack it.

The Issue:

  • From both Workspace app and Cloud StoreFront, clicking on the two applications would always prompt for credentials

The Troubleshooting

  • Let's launch the app and stop at the credential prompt
  • Looking in the Web Manager console, no session was found
  • On the Virtual Delivery Agent (VDA) server, no session was found
  • Looking in the event logs on the VDA server, I couldn't see a certificate checkout
  • Working backwards, there was no request on the Citrix Federated Authentication Service (FAS) server
  • Grabbed a certificate manually from FAS, copied it across to the VDA server and ran a certificate verification (Citrix FAS PowerShell snap-in, run on the VDA):
    • Load the FAS snap-in
      Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
    • Get a certificate for the user
      New-FasUserCertificate -Address <FAS server host> -UserPrincipalName <UPN of end user> -CertificateDefinition <rule name>_definition -Rule <rule name>
    • List all certificates currently held by FAS
      $CitrixFasAddress = (Get-FasServer)[0].Address
      Get-FasUserCertificate -Address $CitrixFasAddress

      So the server can get a user certificate from the FAS server and we can look up certificates. This proves that the server can talk to and use the FAS server.
  • Citrix Support, when contacted, suggested a permissions error on the certificates. Hmmmm.
  • Launching from the on-prem Citrix StoreFront server, it would request and obtain a certificate

Now that is interesting, isn't it? Let's have a look at the application configuration in Citrix Cloud.

From here I noticed that the two applications in question were in a different Zone from all the other applications.

Let's go look at the Zone config. And hey, look at that.

Zone 1 is configured with a FAS server.

Oh, Zone 2 doesn't have a FAS server configured. That's interesting! What zone are the two affected apps in? Oh, look at that: Zone 2.

The Result

Now two decisions:

  • Add FAS server to Zone two
  • Move Applications to Zone one

We ended up moving the applications over to Zone 1, as everything to do with our Citrix published applications is in the same zone, so there is no benefit to keeping a Zone 2.
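The check that would have found this straight away, as an added example that is not part of the original post: map each published application to the zone(s) its machines sit in and show whether that zone has FAS configured, then (commented out) the "add FAS to Zone 2" option. It assumes the Citrix Virtual Apps and Desktops Remote PowerShell SDK is installed and you have authenticated to Citrix Cloud with Get-XDAuthentication. The application names are constructed samples, and the zone metadata keys (Citrix_Fas_Enabled, Citrix_Fas_Address) and the Set-ConfigZoneMetadata call are taken from memory of Citrix's FAS-in-Cloud documentation; verify them against your SDK version before relying on them.

```powershell
# Added example, not the post's own code. Prerequisites (assumed):
#   - Citrix Virtual Apps and Desktops Remote PowerShell SDK installed
#   - Get-XDAuthentication already run (or a secure client configured)

$apps = @('Problem App One', 'Problem App Two')   # constructed sample names

# Build a lookup of zone name -> FAS settings from each zone's metadata.
# Key names are assumed from Citrix documentation; a missing key returns $null.
$zoneFas = @{}
foreach ($zone in Get-ConfigZone) {
    $zoneFas[$zone.Name] = [pscustomobject]@{
        FasEnabled = $zone.MetadataMap['Citrix_Fas_Enabled']
        FasAddress = $zone.MetadataMap['Citrix_Fas_Address']
    }
}

# For every application: delivery group -> machines -> zone -> FAS settings.
$report = foreach ($appName in $apps) {
    $app = Get-BrokerApplication -Name $appName
    if (-not $app) { Write-Warning "Application not found: $appName"; continue }

    foreach ($dgUid in $app.AssociatedDesktopGroupUids) {
        $dg = Get-BrokerDesktopGroup -Uid $dgUid
        # Machines carry the zone; a delivery group can span more than one zone
        $zones = Get-BrokerMachine -DesktopGroupUid $dgUid |
                 Select-Object -ExpandProperty ZoneName -Unique
        foreach ($z in $zones) {
            [pscustomobject]@{
                Application   = $appName
                DeliveryGroup = $dg.Name
                Zone          = $z
                FasEnabled    = $zoneFas[$z].FasEnabled
                FasAddress    = $zoneFas[$z].FasAddress
            }
        }
    }
}

# Anything without a FAS address here will fall back to a credential prompt.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.FasAddress } |
    ForEach-Object { Write-Warning "$($_.Application) runs in zone '$($_.Zone)' with no FAS server" }

# Option A from the post (attach FAS to the zone that lacks it), left commented out.
# Zone name and FAS host are placeholders; cmdlet and key names are assumed, see lead-in.
# $zone2 = Get-ConfigZone -Name 'Zone 2'
# Set-ConfigZoneMetadata -InputObject $zone2 -Name 'Citrix_Fas_Enabled' -Value 'true'
# Set-ConfigZoneMetadata -InputObject $zone2 -Name 'Citrix_Fas_Address' -Value 'fas01.example.internal'
```

Run it from a machine with the Remote PowerShell SDK; the table is the same thing the post found by clicking through the console, and the warning lines point straight at the zone/application pairing that has no FAS server behind it.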

Once the applications were moved, seamless single sign-on worked perfectly and I could see the certificates being requested and obtained.

What's Next

  • We are going to remove the redundant Zone 2 to simplify our environment
  • Go back to Citrix and mention the fix we found on our own, which the support engineer did not check or suggest looking at

I’m Lilys Dad…