VDA logs FAS event 107 continuously if Advyza is installed


Article ID: CTX575015

Updated On:

Description

Users cannot access domain resources (such as network shares, internal websites, and applications that need domain/Windows authentication) once 5 minutes have passed since logon. Users can access domain resources soon after they log on, but if they try to access any new resource after 5 minutes, the attempt fails or prompts for credentials. Users can connect to some of the resources after entering credentials, but this defeats the purpose of using FAS.

FAS 107 events are logged on the VDA continuously at this point, along with Kerberos errors if Kerberos logging is enabled.

Resolution

Configure Advyza to stop Active Directory data discovery. It can be disabled by setting "Admin Console -> System -> Organisation Settings -> Discover -> Discover Active Directory (AD) data on the CLIENTs every" to 0 minutes.

Problem Cause

If Advyza is installed on the VDAs, it purges the Kerberos tickets (it runs klist purge) whenever it tries to discover AD data. Once the Kerberos tickets are purged, users cannot access domain resources and need to obtain a new Kerberos ticket to do so. The FAS certificate is valid only for 5 minutes from logon, and FAS is designed (for security) to deny any further requests for the certificate. So the FAS 107 events are expected if Kerberos tickets are purged.
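
One way to confirm this cause on an affected VDA, as an added example that is not part of the Citrix article: the script lines up each FAS event 107 with the most recent klist purge process start and shows which parent process launched it. It assumes the FAS VDA events are in the Application log under the provider named in the reference below, and that process-creation auditing with command-line capture (Security event 4688) is enabled.

```powershell
# Added example, not from the Citrix article. Run elevated on an affected VDA.
# Assumptions: FAS VDA events are in the Application log under the provider
# Citrix.Authentication.IdentityAssertion, and process-creation auditing with
# command-line capture (Security event 4688) is enabled on the VDA.
# ParentProcessName is only recorded on Windows 10 / Server 2016 and later.
$LookbackHours = 24
$since = (Get-Date).AddHours(-$LookbackHours)

# FAS event 107 entries logged on this VDA.
$fas = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 107; StartTime = $since
        ProviderName = 'Citrix.Authentication.IdentityAssertion'
    } -ErrorAction SilentlyContinue)

# Process creations where klist.exe was started with the "purge" argument.
$purges = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['NewProcessName'] -like '*\klist.exe' -and $data['CommandLine'] -match '\bpurge\b') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    })

# For each FAS 107 event, find the most recent ticket purge that preceded it.
$report = foreach ($e in $fas) {
    $prev = $purges | Where-Object { $_.Time -le $e.TimeCreated } |
        Sort-Object Time | Select-Object -Last 1
    $gap = $null
    if ($prev) { $gap = [math]::Round(($e.TimeCreated - $prev.Time).TotalMinutes, 1) }
    [pscustomobject]@{
        Fas107Time        = $e.TimeCreated
        LastPurge         = $prev.Time
        MinutesSincePurge = $gap
        PurgeParent       = $prev.Parent
    }
}

$report | Sort-Object Fas107Time | Format-Table -AutoSize
# Which parent process launches the purges, and how often.
$purges | Group-Object Parent | Sort-Object Count -Descending | Select-Object Count, Name
```

If purges recur at the discovery interval configured in Advyza and every FAS 107 event follows one, the events should stop once the interval is set to 0 as described under Resolution.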

Additional Information

Error: Event ID 107 Citrix.Authentication.IdentityAssertion. User loses access to mapped network drives after they reconnect to disconnected session
Federated Authentication Service | Secure (citrix.com)