Unable to login using the FAS Authentication - Getting Stuck on Please wait for local session manager.

Article ID: CTX217150

Description

Logon fails when the Federated Authentication Service (FAS) is used: the session hangs on "Please wait for the local session manager", the user is then prompted for credentials, and certificate-based authentication does not complete.

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

1. On the VDA where the authentication failure occurs, follow the steps below to confirm whether the certificate chain (AIA and CDP paths of the logon certificate) is the problem.

First, export the certificate that is used for authentication to a file in a convenient location.

To export a certificate
  • Open the Certificates snap-in for a user, computer, or service.
  • In the console tree, under the logical store that contains the certificate to export, click Certificates.
  • In the details pane, click the certificate that you want to export.
  • On the Action menu, point to All Tasks, and then click Export.
  • In the Certificate Export Wizard, click No, do not export the private key. (This page appears only if the private key is marked as exportable and you have access to it. Only the public certificate is needed for the chain check, so a password prompt for the private key does not apply here.)
  • Provide the following information in the Certificate Export Wizard:
      • Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
      • If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
      • In File name, type a file name and path for the file that will store the exported certificate. Click Next, and then click Finish.
To check the certificate chain and find problems with the CDP and AIA paths, follow the steps below.
  • Launch Command Prompt as Administrator (right-click, Run as Administrator).
  • Run the command below to get the chain-verification output. The -urlfetch switch forces certutil to retrieve every AIA and CDP URL in the certificate instead of using the local cache, which is what exposes unreachable publication points.
          Certutil -verify -urlfetch "name of the certificate.cer"

The output will look something like the following (CA and host names are from a lab environment).

----------------  Certificate AIA  ----------------

 Wrong Issuer "Certificate (0)" Time: 0

 [0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Verified "Certificate (1)" Time: 0

[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Failed "AIA" Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt

----------------  Certificate CDP  ----------------

Expired "Base CRL (01)" Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Failed "CDP" Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl

  • In the sample output above, every CDP path of the certificate has a problem (the LDAP CRL is expired and the HTTP CRL returns 404), while for AIA only the LDAP path is verified (the HTTP path returns 404).
  • If at least one of the paths (file, LDAP or HTTP) for each of CDP and AIA is verified, the remaining failures can be ignored: the chain builder tries the URLs in order and only needs one working source per extension.
  • If every path for CDP or AIA fails, the CDP and AIA publication points of the CA have to be fixed (a current CRL and the CA certificate must be published at the locations named in the certificate).
  • Once the certificate issues are fixed, confirm from the VDA itself that the LDAP and HTTP paths for CDP and AIA are reachable.
  • If the CDP and AIA paths are not accessible from the VDA, FAS authentication fails, because the VDA can neither complete the chain for the logon certificate nor determine its revocation status.
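The export, chain check and reachability steps above, as one added PowerShell script for the VDA (example code, not part of the Citrix article). It exports only the public part of the logon certificate, runs certutil -verify -urlfetch, parses the AIA/CDP sections of the output into a per-URL table, applies the "at least one verified path per section" rule from the list above, and then requests each HTTP CDP/AIA URL so the HTTP status is visible. Assumptions: when no -CerPath is supplied, the certificate is looked up in Cert:\CurrentUser\My by its Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2); the output directory and file names are hypothetical.

```powershell
# Added example; not part of the Citrix article. Run in an elevated PowerShell session on the VDA
# that shows the failure. Assumption (hypothetical): without -CerPath, the logon certificate is
# found in Cert:\CurrentUser\My by its Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2).
param(
    [string]$CerPath,
    [string]$OutDir = (Join-Path $env:TEMP 'fas-certcheck')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

if (-not $CerPath) {
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No certificate with the Smart Card Logon EKU found in Cert:\CurrentUser\My' }
    # Export-Certificate writes the public certificate only (DER); the private key is never exported.
    $CerPath = Join-Path $OutDir 'logon.cer'
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
}

# -urlfetch makes certutil retrieve every AIA/CDP URL instead of relying on the local cache.
$verify = & certutil.exe -verify -urlfetch $CerPath 2>&1 | Out-String
$verify | Set-Content -Path (Join-Path $OutDir 'certutil-verify.txt')

# Parse the "Certificate AIA" / "Certificate CDP" / "Base CRL CDP" sections. A status line
# (Verified, Failed, Expired, Wrong Issuer, Revoked) is followed by the URL it refers to,
# sometimes with an "Error retrieving URL: ..." line in between.
$section = $null; $status = $null
$results = foreach ($line in ($verify -split "`r?`n")) {
    if ($line -match '^-+\s+(Certificate AIA|Certificate CDP|Base CRL CDP|Delta CRL CDP|Certificate OCSP)\s+-+') {
        $section = $Matches[1]; continue
    }
    if ($line -match '^\s*(Verified|Failed|Expired|Wrong Issuer|Revoked)\s+"[^"]*"') {
        $status = $Matches[1]; continue
    }
    if ($section -and $line -match '^\s*(\[\d+\.\d+\]\s+)?((?:ldap|https?|file):\S+)') {
        [pscustomobject]@{ Section = $section; Status = $status; Url = $Matches[2] }
    }
}

# Rule from the article: a section is healthy if at least one of its paths verified; if every
# path failed, the CA's CDP/AIA publication (or the VDA's access to it) has to be fixed.
$summary = $results | Group-Object Section | ForEach-Object {
    $ok = @($_.Group | Where-Object Status -eq 'Verified').Count
    [pscustomobject]@{ Section = $_.Name; Paths = $_.Count; Verified = $ok; Healthy = ($ok -gt 0) }
}
$results | Format-Table -AutoSize
$summary | Format-Table -AutoSize

# Independently confirm the HTTP CDP/AIA URLs answer from this VDA. certutil already fetched
# them; this makes the HTTP status code explicit (e.g. the 404s in the sample output).
$results | Where-Object Url -like 'http*' | Select-Object -ExpandProperty Url -Unique | ForEach-Object {
    $url = $_
    try {
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        '{0} -> HTTP {1}' -f $url, $r.StatusCode
    } catch {
        '{0} -> {1}' -f $url, $_.Exception.Message
    }
}
```

Run it as `.\Check-FasCertChain.ps1` or with `-CerPath C:\temp\logon.cer` if the certificate was already exported with the wizard. The Healthy column answers the question the list above asks: a section with Verified = 0 is the one to fix on the CA or on the network path from the VDA. One caveat: smart card logon validation is performed by LSA in the machine context, so if an interactive certutil run succeeds but logon still fails, repeat the check from a SYSTEM context (for example via a scheduled task or psexec -s), since proxy and DNS settings can differ between the two.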
Note:

Authority information access locations.

Authority information access locations are URLs that are added to a certificate in its authority information access extension. These URLs can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.

CRL distribution points.

CRL distribution points are locations, typically URLs, that are added to a certificate in its CRL distribution point extension. CRL distribution points can be used by an application or service to retrieve a CRL. CRL distribution points are contacted when an application or service must determine whether a certificate has been revoked before its validity period has expired.

Problem Cause

The VDA was not able to reach the Certificate Revocation List location named in the logon certificate's CDP extension, so the revocation status came back as unknown and the smart card logon was rejected.

Certificate Revocation List (CRL).

A digitally signed list issued by a Certification Authority (CA) that contains a list of certificates issued by the CA that have been revoked. The listing includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status.

To isolate the problem to the certificate revocation check, create the following registry value on the VDA.

Note: This value is a diagnostic aid, not a fix. It weakens revocation checking and must be deleted once the actual CDP/AIA issue is resolved.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1

After this DWORD value is set to 1, the Kerberos client used for smart card logon uses only cached CRLs and ignores "revocation unknown" errors, such as those caused by an expired or unreachable CRL. If logon succeeds with the value in place, the failure is confirmed to be the revocation check against the CDP. If logon still fails, the cause lies elsewhere in chain building (for example the issuing CA certificate cannot be retrieved through AIA), and the value should be removed straight away.

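The registry isolation step above as an added PowerShell snippet (example code, not part of the Citrix article). It backs up the key before touching it, as the Registry Editor caution in this article asks, sets the DWORD, reports the current state, and removes the value again once testing is done. The key path and value name are the ones documented by Microsoft and quoted above; the backup file location is hypothetical.

```powershell
# Added example; not part of the Citrix article. Temporarily makes smart card (Kerberos) logon
# on the VDA ignore "revocation unknown" errors to isolate the problem, then undoes it.
# Requires an elevated PowerShell session. Backup path is an arbitrary assumption.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$RegPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'   # reg.exe syntax
$Name    = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
$Backup  = Join-Path $env:TEMP 'Kerberos-Parameters-backup.reg'

function Enable-CrlIsolation {
    # Export the key first so the original state can be restored with: reg import $Backup
    & reg.exe export $RegPath $Backup /y | Out-Null
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Get-CrlIsolationState
}

function Disable-CrlIsolation {
    # Remove the value rather than setting it to 0, returning to normal revocation checking.
    Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    Get-CrlIsolationState
}

function Get-CrlIsolationState {
    $v = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { "$Name not set: normal revocation checking" }
    else              { "$Name = $v: 'revocation unknown' errors are ignored (diagnostic only)" }
}

# Usage: set the value, attempt a FAS logon to the VDA, then remove it regardless of the result.
Enable-CrlIsolation
# ... test logon here ...
Disable-CrlIsolation
```

If logon works only while the value is set, the CDP publication or the VDA's access to it is the problem and the earlier certutil check shows which URL; leave the value removed afterwards, since with it in place a freshly revoked certificate that is not yet in a cached CRL would still be accepted.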

Additional Information

https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#crl-checking-registry-keys