Citrix Federated Authentication Service – SSO Fails and Users Are Prompted for Credentials After Increasing Certificate Template Minimum Key Size

Article ID: CTX695654

Description

When the certificate template minimum key size is increased to 4096, it can break SSO in Citrix Federated Authentication Service, resulting in users being prompted for credentials on the VDA.


Environment

"Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it."

Cause

By default, Citrix FAS requests certificates with an RSA 2048-bit key.

When the certificate template minimum key size is increased to 4096 bits, the CA rejects the request because the requested key size (2048) does not meet the template minimum (4096).

As a result:

  1. Certificate authorization fails

  2. FAS cannot obtain a valid logon certificate

  3. VDA falls back to password authentication

Resolution

To align FAS with the updated template requirement, configure FAS to request 4096-bit keys.

Step 1: Add Registry Key on FAS Server

Run the following command on each FAS server:

reg add HKLM\SOFTWARE\Citrix\FederatedAuthenticationService\Policy /v KeySize /t REG_DWORD /d 4096 /f

Step 2: Restart Citrix FAS Service

Restart the Citrix Federated Authentication Service.

Step 3: Reattempt Authorization

Open FAS console and retry certificate authorization.

The certificate should now authorize successfully.
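As an added example that is not part of the Citrix article: a PowerShell script that carries out Steps 1 and 2 idempotently on a FAS server, using the registry path, value name and 2048-bit default that the article gives, and then flags any certificate in the machine store whose key is still smaller than the required size. It assumes it is run elevated on the FAS server, that the required key size is passed in as a parameter or, optionally, read from the template object in Active Directory through the standard msPKI-Minimal-Key-Size attribute (which needs the ActiveDirectory module), and that the service is located by the display name the article uses.

```powershell
# Added example, not Citrix code: align the FAS KeySize policy value with
# the certificate template minimum and restart the FAS service.
# Assumes: elevated session on the FAS server; ActiveDirectory module only
# if -TemplateName is used.

param(
    [int]$RequiredKeySize = 4096,   # template minimum, as in the article
    [string]$TemplateName           # optional: CN of the FAS logon template
)

$policyKey = 'HKLM:\SOFTWARE\Citrix\FederatedAuthenticationService\Policy'

function Get-TemplateMinimumKeySize {
    param([string]$Name)
    # Reads msPKI-Minimal-Key-Size from the template object stored in the
    # Configuration partition (standard AD CS schema attribute).
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -SearchBase $searchBase -Filter "cn -eq '$Name'" `
                        -Properties 'msPKI-Minimal-Key-Size'
    if (-not $tpl) { throw "Template '$Name' not found under $searchBase" }
    return [int]$tpl.'msPKI-Minimal-Key-Size'
}

if ($TemplateName) {
    $RequiredKeySize = Get-TemplateMinimumKeySize -Name $TemplateName
    Write-Host "Template '$TemplateName' minimum key size: $RequiredKeySize"
}

# Current request size: when the value is absent, FAS uses its 2048-bit default.
$current = (Get-ItemProperty -Path $policyKey -Name KeySize -ErrorAction SilentlyContinue).KeySize
if (-not $current) { $current = 2048 }
Write-Host "FAS currently requests $current-bit keys"

if ($current -ge $RequiredKeySize) {
    Write-Host "No change needed."
    return
}

# Step 1: set the policy value (create the key path if it does not exist yet).
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name KeySize -Type DWord -Value $RequiredKeySize
Write-Host "Set KeySize = $RequiredKeySize"

# Step 2: restart the service so the new value is picked up.
$svc = Get-Service -DisplayName 'Citrix Federated Authentication Service'
Restart-Service -Name $svc.Name -Force
$svc.WaitForStatus('Running', '00:01:00')
Write-Host "Service $($svc.Name) restarted"

# Step 3 (re-authorizing) is done in the FAS console. Afterwards, this lists
# any machine-store certificate whose key is still below the required size.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.PublicKey.Key.KeySize -lt $RequiredKeySize } |
    ForEach-Object {
        Write-Warning "$($_.Subject) still uses a $($_.PublicKey.Key.KeySize)-bit key"
    }
```

Run it once per FAS server; because it compares the existing value before writing, re-running after the change reports "No change needed" instead of restarting the service again.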

Caution! Refer to the Disclaimer at the end of this article before using the Registry Editor.

Issue/Introduction

Single Sign-On (SSO) fails in the Citrix environment after increasing the minimum key size on the Certificate Authority (CA) template. Users are prompted to manually enter their credentials when launching sessions.

During certificate authorization in Citrix Federated Authentication Service (FAS), the request fails because the key size requested by the FAS server does not meet the updated minimum key size requirement defined in the certificate template.

Additionally, when attempting to add or authorize a new CA in FAS, the Microsoft Certificate Authority explicitly denies the certificate request.

The following error is displayed in the FAS console:

“The authorization request failed. The CA returned CR_DISP_DENIED (code 2)”


Additional Information

Alternative Option (Recommended Best Practice)

If security policy does not mandate 4096-bit keys, revert the certificate template minimum key size to 2048 bits.

This aligns with FAS default behavior and is the recommended configuration for logon scenarios.