Citrix Federated Authentication Service (FAS) Security Update

Article ID: CTX341587
Description

An issue has been identified in Citrix Federated Authentication Service (FAS) which causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). 

This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration. 

CVE-ID: CVE-2022-26355

Description: The registration authority certificate's private key is stored in ‘Microsoft Software Key Storage Provider’ even if the Trusted Platform Module was selected

Type: CWE-668: Exposure of Resource to Wrong Sphere

Pre-requisites: Local Administrator access to the FAS server

 

Certificates that were generated using the following versions of Citrix Federated Authentication Service are affected by this issue: 

  • Citrix Federated Authentication Service 7.17 - 10.6 

These versions of FAS are included as part of XenApp / XenDesktop 7.17 and later, and of Citrix Virtual Apps and Desktops up to and including 2106. 

Note that it is the version of FAS that was installed when the certificate was generated which determines if the deployment is affected and not the currently installed version.  

 

Customers can determine if the registration authority certificate's private key is currently being stored in the TPM by using the following PowerShell commands and reviewing the output: 

Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasAuthorizationCertificate -FullCertInfo -Address localhost

The PrivateKeyProvider field will be set to Microsoft Platform Crypto Provider if the registration authority certificate's private key is stored in the TPM. If it instead shows Microsoft Software Key Storage Provider, the key is held in software and the deployment is affected, regardless of what was requested when the certificate was created.


Instructions

The issue has been addressed in the following versions of Citrix Federated Authentication Service:

  • Citrix Federated Authentication Service 10.7 and later versions 
  • Citrix Federated Authentication Service 7.24.4000 and later versions of 7.24 
     

These versions of FAS are included as part of the following versions of Citrix Virtual Apps and Desktops: 

  • Citrix Virtual Apps and Desktops 2109 and later versions
  • Citrix Virtual Apps and Desktops 1912 LTSR CU4 and later CU updates  

 

Citrix recommends that affected customers assess the risk to their environments and, if appropriate, create a new registration authority certificate with the private key stored in the TPM. This can be done either by using the FAS administration console or by updating to a fixed version and then using the PowerShell commands. After the new certificate is in place, re-run the PowerShell check above and confirm that PrivateKeyProvider reports Microsoft Platform Crypto Provider. Configuration instructions are available under configuration scenario example 2 at https://docs.citrix.com/en-us/federated-authentication-service/config-manage/private-key-protection.html
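The following script is an added example and is not part of the Citrix advisory or Citrix's own tooling. It wraps the two detection commands given above in a reusable classifier, which matters because the currently installed FAS version does not tell you whether a certificate is affected (only the version in use when the key was generated does), so the PrivateKeyProvider value is the authoritative signal. It also shows the re-issue step recommended above with a verification of the result. Assumptions not stated on the page: the Id property on the objects returned by Get-FasAuthorizationCertificate, and the -CertificateAuthority, -CertificateTemplate and -UseTPM parameters of New-FasAuthorizationCertificate, are taken from the Citrix documentation as remembered and must be confirmed with Get-Help on your build before use.

```powershell
# Added example, not from the Citrix advisory. Run in an elevated PowerShell session
# on the FAS server. Assumed (not on the page, verify with Get-Help on your build):
# the 'Id' property of Get-FasAuthorizationCertificate output, and the
# -CertificateAuthority / -CertificateTemplate / -UseTPM parameters of
# New-FasAuthorizationCertificate.

$TpmProvider  = 'Microsoft Platform Crypto Provider'        # key is in the TPM (per the advisory)
$SoftProvider = 'Microsoft Software Key Storage Provider'   # key is in software: affected

function Test-FasRaKeyStorage {
    # Classifies objects as returned by Get-FasAuthorizationCertificate -FullCertInfo.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Certificate)

    process {
        $provider = [string]$Certificate.PrivateKeyProvider
        if ($provider -eq $TpmProvider) {
            $status = 'OK: private key is in the TPM'
        } elseif ($provider -eq $SoftProvider) {
            $status = 'AFFECTED: private key is in the software KSP (CVE-2022-26355)'
        } else {
            $status = "UNKNOWN provider '$provider': review manually"
        }
        [pscustomobject]@{
            Id                 = $Certificate.Id          # property name assumed
            PrivateKeyProvider = $provider
            Status             = $status
        }
    }
}

function Get-FasRaKeyStorage {
    # Live check: the advisory's two commands, piped through the classifier.
    Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 -ErrorAction Stop
    Get-FasAuthorizationCertificate -FullCertInfo -Address localhost | Test-FasRaKeyStorage
}

function New-FasRaCertificateInTpm {
    # Re-issues the RA certificate with the key generated in the TPM, then verifies the
    # result instead of trusting the request, which is the lesson of this advisory.
    # Only meaningful on a fixed build (FAS 10.7+ or 7.24.4000+): on affected builds this
    # is exactly the PowerShell path that silently lands the key in the software KSP.
    param(
        [Parameter(Mandatory)][string]$CertificateAuthority,   # e.g. 'ca.example.local\Example-CA'
        [Parameter(Mandatory)][string]$CertificateTemplate     # the RA certificate template name
    )
    Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 -ErrorAction Stop
    $new = New-FasAuthorizationCertificate -CertificateAuthority $CertificateAuthority `
                                           -CertificateTemplate $CertificateTemplate `
                                           -UseTPM $true        # parameter assumed, see header
    $result = Get-FasAuthorizationCertificate -FullCertInfo -Address localhost |
                  Where-Object { $_.Id -eq $new.Id } | Test-FasRaKeyStorage
    if ($result.PrivateKeyProvider -ne $TpmProvider) {
        throw "New RA certificate $($new.Id) is NOT in the TPM: $($result.Status)"
    }
    $result
}

# Constructed sample objects (not real cmdlet output) so the classifier can be run offline:
$sample = @(
    [pscustomobject]@{ Id = 'ra-tpm';  PrivateKeyProvider = $TpmProvider },
    [pscustomobject]@{ Id = 'ra-soft'; PrivateKeyProvider = $SoftProvider }
)
$sample | Test-FasRaKeyStorage | Format-Table -AutoSize
```

On the FAS server, call Get-FasRaKeyStorage for the real result; any row marked AFFECTED is a certificate whose key was generated by an affected FAS version via PowerShell with the TPM selected. Before calling New-FasRaCertificateInTpm, confirm the parameter names with Get-Help New-FasAuthorizationCertificate -Full and that the installed FAS build is one of the fixed versions listed above.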
 

Additional Information

Date          Change
2022-03-08    Initial Publication