Cannot Start App - Federation Authentication Service

Article ID: CTX224802

Description

Application launch fails with the error "Cannot Start App" once FAS is enabled on StoreFront.
On the StoreFront server you will see Event ID 28, and on the FAS server you will see Event ID 123.

Resolution

To resolve the issue, follow the steps below.

1) Open the Citrix Federated Authentication Service console.
  
2) Click on De-Authorize this service.
3) Once it is de-authorized, in Step 3 of the console click Start to authorize the service.

4) The administration console uses the Citrix_RegistrationAuthority_ManualAuthorization template to generate a certificate request, and then sends it to one of the certificate authorities that publish that template.
5) After the request is sent, it appears in the “Pending Requests” list of the Microsoft Certification Authority console.  The certificate authority administrator must choose to “Issue” or “Deny” the request before configuration of the Federated Authentication Service can continue. 

Note: The authorization request appears as a “Pending Request” from the FAS machine account. 

6) Right-click All Tasks and then select Issue or Deny for the certificate request.  The Federated Authentication Service administration console automatically detects when this process completes.  This can take a couple of minutes.

Note: Whenever a change is made on the Certificate Authority Server to which FAS is pointed, it is always recommended to De-Authorize and Authorize the FAS again to get it working correctly.

7) De-authorizing and re-authorizing FAS removes the rules, so the rules must be configured again.

Note: De-Authorization of the FAS will result in the removal of the rules.
 

Problem Cause


1) In the CA's Failed Requests log, the failed request for the user shows the error "error verifying request signature or signing certificate".
2) The issue was caused by changing the signing algorithm on the CA server.
3) The issue also occurs if you do not re-authorize the FAS service after installing a new certificate on the Certificate Authority server.
