Launching an application or desktop fails when StoreFront is configured for FAS. The FAS servers have been successfully configured and authorized with a valid Microsoft Certificate Authority. Authentication and enumeration are successful against this StoreFront Store with FAS enabled and launching applications or desktops works if FAS is disabled for the Store.
Issue 1 Error: Users are presented with a “Cannot start app” error.
There are no errors on the FAS server(s) and a warning is logged to the StoreFront server(s) from the Citrix Store Service with Event ID 28, Category 2001, reading “Failed to launch the resource “<Application Name>” using the XML service at address ‘??’. An unknown error occurred interacting with the Federated Authentication Service.”
Further down in the event text, you will see “Citrix.Authentication.UserCredentialServices.FederatedAuthenticationServerFault,…Access Denied”
Issue 2 Error: "Logon failure: unknown username or bad password"
Users can log in when they enter credentials manually.
This is usually due to a mismatch between the user rule configured on FAS and the user rule that StoreFront has been told to request. By default, StoreFront queries FAS for a user rule called “default” (which is the name of the built-in user rule that comes with the installation of FAS). You will see this error if you have configured a new user rule within FAS and not updated StoreFront, or if you have updated StoreFront to point to a user rule that you have not configured on FAS.
To confirm, check the following registry key on the StoreFront server(s) that are configured to use FAS:
HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService
DefaultRole: REG_SZ: <name of user role>
This key will exist only if the StoreFront FAS Rule GPO setting has been configured and applied to the StoreFront servers. If it does not exist, StoreFront is looking for a user rule called “default.” If it is configured, it is looking for a user rule matching the data value of the key.
On the FAS server(s), open the User Rules tab in the FAS console and validate that the configured user rule matches what is configured on StoreFront.
Either update the FAS configuration or GPO assigned to the StoreFront servers such that the user rule names match. The assigned user rule should also have an accurate list of StoreFront servers. Reboot StoreFront if a GPO change has to be made and re-test.
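The registry check above can be scripted across several StoreFront servers. The following is an added example, not Citrix-supplied code: the function names and the -FasRuleNames parameter are hypothetical, the rule names are typed in by the administrator from the FAS console User Rules tab, and remote servers are assumed to be reachable over WinRM.

```powershell
# Added example: report which FAS user rule each StoreFront server will request
# and whether a rule with that name exists on FAS.
function Get-StoreFrontFasRule {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $read = {
        $key = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService'
        # The key is absent unless the StoreFront FAS Rule GPO setting has been applied.
        $item = Get-ItemProperty -Path $key -Name 'DefaultRole' -ErrorAction SilentlyContinue
        if ($item) { $item.DefaultRole } else { $null }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { $value = & $read }
    else { $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }  # assumes WinRM

    [pscustomobject]@{
        StoreFront    = $ComputerName
        GpoConfigured = [bool]$value
        # No value means StoreFront asks FAS for the built-in rule named "default".
        EffectiveRule = if ($value) { "$value".Trim() } else { 'default' }
    }
}

function Test-FasRuleMatch {
    param(
        [Parameter(Mandatory)][string[]]$StoreFrontServer,
        # Hypothetical parameter: rule names copied from the FAS console User Rules tab.
        [Parameter(Mandatory)][string[]]$FasRuleNames
    )
    foreach ($sf in $StoreFrontServer) {
        $r = Get-StoreFrontFasRule -ComputerName $sf
        # Case-only differences are reported separately so they can be corrected too.
        $status = if ($FasRuleNames -ccontains $r.EffectiveRule) { 'Match' }
                  elseif ($FasRuleNames -contains $r.EffectiveRule) { 'CaseDiffers' }
                  else { 'NoSuchRuleOnFAS' }
        $r | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

# Constructed sample call: checks the local server against a FAS that only has "default".
Test-FasRuleMatch -StoreFrontServer $env:COMPUTERNAME -FasRuleNames 'default' |
    Format-Table -AutoSize
```

A Status of NoSuchRuleOnFAS on any server points to the rule-name mismatch described above; GpoConfigured shows whether the name came from the GPO or from the built-in default.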