On Prem || FAS 2402 LTSR || FAS with intune certificate

Article ID: CTX693045

Description

Impacts and limitations of FAS with Intune certificate


Instructions

The integration of Citrix Federated Authentication Service (FAS) with Microsoft Intune involves specific configurations and considerations, particularly regarding certificate management and authentication processes. Here are the key points regarding FAS and Intune:

Known Limitations

Issue with Intune Management: When the Citrix FAS server is powered on and a user signs into a Citrix Virtual Desktop Infrastructure (VDI) machine in Azure through an ICA session, Microsoft Intune may display a warning indicating that the machine is not Microsoft Intune managed. The warning disappears when the FAS server is powered off. This behavior is a known limitation between Citrix FAS and Azure Active Directory (Azure AD).

 

Symptoms

Warning Message: Users may see a warning in Windows Settings under Accounts > Access work or school, indicating that the machine is not managed by Microsoft Intune, while the FAS server is active.

 

Recommended Solution

Configure Azure AD Certificate-Based Authentication: To resolve the issue, configure Azure AD to use certificate-based authentication. This setup allows the primary refresh token (PRT) to be generated at user logon, which is required for proper integration with Intune and for SSO to Azure AD resources.

 

Problem Cause

The issue arises because the affected VDI is Hybrid Azure AD joined. When users log on to the VDI through Citrix FAS, the Azure AD primary refresh token (PRT) is not generated, because FAS authentication is certificate-based. The missing PRT breaks single sign-on (SSO) to Azure AD resources and impacts Microsoft Intune.
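The quickest way to confirm this cause on an affected VDI is to check whether the signed-in user actually holds a PRT. The following PowerShell diagnostic is an added example, not code from this Citrix article; it parses the output of the built-in Windows tool `dsregcmd /status`, whose Device State section reports `AzureAdJoined` and `DomainJoined` (both YES means Hybrid Azure AD joined) and whose SSO State section reports `AzureAdPrt`. The function names and the sample output are constructed for illustration. Run it in the session of the user who logged on through FAS, because the PRT is issued per user.

```powershell
# Added diagnostic for the cause described above (not part of the Citrix article).
# It parses "Name : Value" lines printed by `dsregcmd /status` and reports whether
# the device is Hybrid Azure AD joined and whether the current user holds a PRT.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints indented "Name : Value" pairs; collect them into a hashtable.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-FasPrtState {
    # By default read the live output; pass -StatusLines to analyse saved output.
    param([string[]]$StatusLines = (& dsregcmd.exe /status))

    $f = ConvertFrom-DsregStatus -Lines $StatusLines
    $hybridJoined = ($f['AzureAdJoined'] -eq 'YES') -and ($f['DomainJoined'] -eq 'YES')
    $hasPrt       = ($f['AzureAdPrt'] -eq 'YES')

    $verdict = if (-not $hybridJoined) {
        'Device is not Hybrid Azure AD joined; the FAS/PRT limitation in this article does not apply.'
    } elseif ($hasPrt) {
        'PRT present: Intune management and Azure AD SSO should work for this session.'
    } else {
        'Hybrid joined but no PRT: matches the FAS certificate-logon limitation; configure Azure AD certificate-based authentication.'
    }

    [pscustomobject]@{
        AzureAdJoined = $f['AzureAdJoined']
        DomainJoined  = $f['DomainJoined']
        AzureAdPrt    = $f['AzureAdPrt']
        Verdict       = $verdict
    }
}

# Constructed sample output (not captured from a real machine) showing the
# symptom state: Hybrid Azure AD joined device, no PRT after a FAS logon.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-FasPrtState -StatusLines $sample | Format-List

# On the affected VDI itself, omit -StatusLines to read the live dsregcmd output:
# Test-FasPrtState | Format-List
```

A result of `AzureAdJoined : YES`, `DomainJoined : YES` and `AzureAdPrt : NO` in the FAS user's session is the state this article describes; after Azure AD certificate-based authentication is configured, the same check should report `AzureAdPrt : YES` for a fresh FAS logon.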

 

Summary

To ensure proper functionality of Citrix FAS with Microsoft Intune, configure Azure AD for certificate-based authentication. This allows the necessary tokens to be generated for a seamless user experience and for Intune management.

Additional Information

http://docs.citrix.com/en-us/citrix-daas/install-configure/machine-identities/hybrid-azure-active-directory-joined#limitations

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication