The goal of the integration with Citrix FAS is to use Citrix Virtual SmartCard allowing double hop scenario.
The integration is done on Veridium RA level. Veridium RA has a option newly not to talk directly to Microsoft CA, but integrate Citrix FAS service. Citrix FAS is than enrolling certificate into a Citrix Virtual SmartCard and citrix is available in the session for secondary authentications.
Initial Logon / Reconnect scenario:
Unlock scenario (using Veridium RA connected to Citrix FAS):
Setup details:
-
Follow Citrix FAS installation guide to set up FAS: Federated Authentication Service | Secure.
Enable FAS using a powershell script for your authentication store. -
Install Veridium RA version 3.2.4 or newer. Provide standard configuration and open C:\Program Files\VeridiumID\RAEPServer\RaWebApp\Web.Config file. Modify the web.config the following way:
<add key="fasCertificateIssuer" value="true" />
<add key="fasCustomPickAssembly" value="" />
<add key="fasCustomPickType" value="" />
<add key="fasCustomPickMethod" value="" />
<add key="fasCertificateRule" value="default" /> -
Make sure that initial logon/disconnect reconnect works and also double hop scenario works.
-
Try to lock VDI and unlock it using Credential Provider. Following event will be visible on Veridium RA:
{
"Module": "VeridiumRA",
"Method": "POST:api/BopsCertificate",
"UPN": ";MSKSP",
"EVENT_SOURCE": "VeridiumRA",
"ThreadID": 25,
"Messages": [
{
"variable": "Info",
"value": "ValidateTokenRequest - Check Identity token format JSON"
},
{
"variable": "Info",
"value": "ValidateTokenRequest - Identity token format is JWT"
},
{
"variable": "upnValidated",
"value": "milos@dev.local"
},
{
"variable": "Info",
"value": "Picked FAS server dev-dc2.dev.local"
},
{
"variable": "Info",
"value": "Receiving user handler AKs4m1NhCLZTsnMFfnFKGieMD5yp0Qu"
}
],
"TimeProfile": [],
"InputParameters": [
{
"variable": "request.bopsUpn",
"value": ";MSKSP"
},
{
"variable": "request.bopsToken",
"value": "eyJ...3Xhg"
}
],
"Return": {
"ReturnCode": 0,
"NativeReturnCode": 0,
"Text": "Info",
"Description": "Certificate for user milos@dev.local successfully enrolled",
"Details": ""
},
"ActivityStartTime": "2023-01-04T14:54:57.2140738+02:00",
"ActivityEndTime": "2023-01-04T14:55:00.0040078+02:00",
"Duration": 2789
} -
Check that double hop scenario is also working after Credential Provider unlock.