Impacts and limitations of FAS with Intune certificate
The integration of Citrix Federated Authentication Service (FAS) with Microsoft Intune involves specific configurations and considerations, particularly around certificate management and the authentication flow. The key points regarding FAS and Intune are:
Known Limitations
Issue with Intune Management: When the Citrix FAS server is powered on and a user signs in to Citrix Virtual Desktop Infrastructure (VDI) in Azure through an ICA session, Microsoft Intune may display a warning indicating that the machine is not Microsoft Intune managed. The warning disappears when the FAS server is powered off. This behavior is a known limitation between Citrix FAS and Azure Active Directory (Azure AD).
Symptoms
Warning Message: Users may see a warning in Windows Settings under Accounts > Access work or school, indicating that the machine is not managed by Microsoft Intune when the FAS server is active.
Recommended Solution
Configure Azure AD Certificate-Based Authentication: To resolve the issue, configure Azure AD to use certificate-based authentication. With this in place, the Azure AD primary refresh token (PRT) is generated at user logon, which is what Intune and other Azure AD resources rely on for proper integration.
Problem Cause
The issue arises because the affected VDI is Hybrid Azure AD joined. When users log on to the VDI through Citrix FAS, the Azure AD primary refresh token (PRT) is not generated, because the FAS logon is certificate-based. Without a PRT, single sign-on (SSO) to Azure AD resources fails for that session, and Microsoft Intune reports the device as unmanaged.
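As an added diagnostic example (not part of the Citrix article), the following PowerShell parses the output of `dsregcmd /status`, which reports the device's join state and whether the current user session holds an Azure AD PRT, and flags the combination described above (Hybrid Azure AD joined, no PRT). The embedded sample output is constructed; the field names are the ones dsregcmd prints.

```powershell
# Added example, not from the Citrix article: check for the FAS/PRT condition.
function Get-PrtState {
    param([string[]]$StatusLines)
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "  Name : VALUE"; keep only such key/value lines
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S+)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        # Hybrid Azure AD joined = joined to both the on-prem domain and Azure AD
        HybridJoined = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        # AzureAdPrt reflects the PRT of the user session running dsregcmd
        HasPrt       = ($fields['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed sample resembling the Device State and SSO State sections
# of dsregcmd /status on a VDI logged on through FAS (no PRT issued).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

$state = Get-PrtState -StatusLines $sample
if ($state.HybridJoined -and -not $state.HasPrt) {
    Write-Warning 'Hybrid Azure AD joined but no PRT in this session: matches the FAS limitation; Intune may report the device as unmanaged.'
} elseif ($state.HasPrt) {
    Write-Host 'PRT present: Azure AD SSO and Intune management should work for this session.'
} else {
    Write-Host 'Device is not Hybrid Azure AD joined; this limitation does not apply.'
}

# On a live VDI session, run it inside the FAS-authenticated user session:
#   Get-PrtState -StatusLines (dsregcmd /status)
```

Run it within the user's ICA session rather than an administrative console, because the PRT is per user session and dsregcmd reports the state of the session it runs in.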
Summary
To ensure proper functionality of Citrix FAS with Microsoft Intune, configure Azure AD for certificate-based authentication. This allows the PRT to be issued at logon, which is required for SSO to Azure AD resources and for the device to show as Intune managed.