When we try launching an application or desktop with FAS configured in StoreFront, we get the error "The username or password is incorrect".
Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Export user certificate from FAS server
Open PowerShell as administrator on the FAS Server and run:
asnp Citrix*
Get-FasUserCertificate -Userprincipalname 'User@domain' -Address 'FAS_SERVER_FQDN' | Out-File 'c:\Certname.cer'
Validate the user certificate by copying the certificate from the FAS server (exported above or exported directly from the CA) to the VDA where the applications are published. If the CRL check fails because you are not able to access the CRL path from the VDA, all the certificates in the certificate chain should be validated.
To verify the certificate validation, run the command below on the VDA from an elevated command prompt.
Certutil -urlfetch -verify "name of the user certificate" > Certname.txt
The output will look something like the following.
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0
[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority
Failed "AIA" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (01)" Time: 0
[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl
The issue can be caused if one of the certificates in the certificate chain (Root, Issuing or user) is not performing the CRL check, if it is failing the CRL check, or if it is only from the VDA where the applications are published that the CRL check is not happening.
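To find the failing AIA and CDP locations quickly in the saved Certname.txt, the output can be parsed into one record per URL. The following is an added example, not part of the original article: the function name Get-CertutilFetchResult is hypothetical, and treating every status other than "Verified" as needing attention is an assumption. The sample input is the output shown above.

```powershell
# Parse the AIA/CDP sections of 'certutil -urlfetch -verify' output and list
# every URL whose retrieval status is not "Verified" (assumed to be the only good status).
function Get-CertutilFetchResult {          # hypothetical helper name
    param([string[]]$Line)
    $section = $null   # current section, e.g. "Certificate AIA"
    $entry   = $null   # status line still waiting for its URL
    foreach ($l in $Line) {
        if ($l -match '^-+\s*(.+?)\s*-+$') {
            $section = $Matches[1]; $entry = $null
        }
        elseif ($l -match '^\s*(.+?)\s+"([^"]+)"\s+Time:\s*\d+') {
            $entry = [ordered]@{ Section = $section; Status = $Matches[1]
                                 Object = $Matches[2]; Error = $null; Url = $null }
        }
        elseif ($entry -and $l -match '^\s*Error retrieving URL:\s*(.+)$') {
            $entry.Error = $Matches[1]
        }
        elseif ($entry -and $l -match '((?:ldap|https?|file)://\S*)') {
            $entry.Url = $Matches[1]
            [pscustomobject]$entry          # emit one record per fetched URL
            $entry = $null
        }
    }
}

# Sample input: the certutil output shown on this page.
$sample = @'
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0
[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority
Failed "AIA" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (01)" Time: 0
[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl
'@ -split '\r?\n'

# On the VDA, replace $sample with (Get-Content .\Certname.txt).
Get-CertutilFetchResult -Line $sample |
    Where-Object Status -ne 'Verified' |
    Format-Table Section, Status, Object, Error, Url -Wrap
```

For the sample above this lists four entries: the "Wrong Issuer" and "Failed" AIA locations and the "Expired" and "Failed" CDP locations.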