Article ID: CTX225721
Description
FAS High Availability
Q: How can I restrict the FAS servers available to a particular StoreFront?
To do this, you edit the GPO which applies to the StoreFront. You remove unwanted FAS FQDNs from the list, but be sure to replace them with a blank space character. This will ensure that the "index" for each FAS server in the list is consistent across your deployment.
If you later decide to replace the blank space with an FQDN, be careful to erase the space! Otherwise the FQDN will have an unwanted space at the beginning which will stop your deployment from working correctly.
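A consistency check for the two rules above, as an added example (not Citrix code). The function name Test-FasServerList, the FQDNs and the StoreFront labels are constructed for illustration, and the lists are typed in by hand rather than read from the GPO.

```powershell
# Compares one StoreFront's restricted FAS list against the full deployment list.
# Rules taken from the text above: a removed server is replaced by a single
# space so indexes stay aligned, and an FQDN must not carry a stray space.
function Test-FasServerList {
    param(
        [Parameter(Mandatory)] [string[]] $Master,
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Restricted,
        [string] $Name = 'StoreFront'
    )
    $issues = @()
    if ($Restricted.Count -ne $Master.Count) {
        $issues += "has $($Restricted.Count) entries, full list has $($Master.Count): indexes shift"
    }
    $limit = [Math]::Min($Master.Count, $Restricted.Count)
    for ($i = 0; $i -lt $limit; $i++) {
        $entry = $Restricted[$i]
        if ($entry.Trim().Length -eq 0) {
            # Placeholder slot: must be exactly one space character
            if ($entry -cne ' ') { $issues += "index ${i}: placeholder is not a single space" }
        }
        elseif ($entry -cne $entry.Trim()) {
            $issues += "index ${i}: '$entry' has leading or trailing whitespace"
        }
        elseif ($entry -ne $Master[$i]) {
            $issues += "index ${i}: '$entry' does not match '$($Master[$i])'"
        }
    }
    [pscustomobject]@{ StoreFront = $Name; Valid = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample data: one full list and three restricted variants
$master = @('fas1.example.test', 'fas2.example.test', 'fas3.example.test')
$gpoLists = [ordered]@{
    'SF-A (fas2 blanked)'   = @('fas1.example.test', ' ', 'fas3.example.test')
    'SF-B (fas2 deleted)'   = @('fas1.example.test', 'fas3.example.test')
    'SF-C (space left in)'  = @('fas1.example.test', ' fas2.example.test', 'fas3.example.test')
}
foreach ($sf in $gpoLists.Keys) {
    Test-FasServerList -Master $master -Restricted $gpoLists[$sf] -Name $sf | Format-List
}
```

Only SF-A is reported as valid; SF-B shows the shifted index that results from deleting an entry, and SF-C shows the leftover leading space.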
Q: How does FAS load balancing work?
StoreFront reads the FAS GPO to get a list of all the FAS servers available to it.
For a given user UPN, FAS applies a hashing algorithm to decide the primary, secondary, tertiary (and so on) FAS server for the user. The primary FAS server is the preferred server for a user, followed by the secondary if the primary is not available, and so on.
Because a hashing algorithm is used, the FAS server for different users will be evenly distributed amongst all the available FAS servers, but for a particular user the selected FAS server will be consistent (unless failover is required). This maximises the chance that a user will be directed to a FAS server which already has a certificate for the user.
You can use the PowerShell command Get-FasServerForUser to determine the primary and secondary FAS servers for a user.
Q: How does FAS failover work?
StoreFront selects the primary FAS server for the user and attempts to contact that server. If the server cannot be contacted, or if the server reports it is in "maintenance mode", StoreFront will select the secondary server and so on.
StoreFront does not maintain a "blacklist" of recently failed FAS servers. When probing to determine if a FAS server is available, StoreFront applies a hard-coded timeout of 5 seconds.
Q: What are the current limitations to FAS failover?
StoreFront does not maintain a list of recently failed FAS servers, so it will not automatically skip over a FAS server that was found to be unavailable.
Additionally, when the user logs on to StoreFront, a working FAS server will be selected for the user, and bound to the user's StoreFront authentication token. If the FAS server subsequently becomes unavailable, application launches will fail until either the FAS server is restored to working order, or the user re-logs on to StoreFront.
FAS Scalability
- If you have < 10K users, a FAS server with 4 vCPUs (2.5 GHz) should be sufficient.
- You will require a minimum of 1 FAS server (with 8 vCPUs) per 25,000 users if all users are expected to be able to log on under cold start conditions (no keys or certificates cached) within 60-90 minutes.
- A single FAS server can handle >50K users under warm start conditions (keys and certificates pre-cached).
- Provide 1 reserve FAS server for every 4 FAS servers for “Day 1” cold start (users get new keys/certificates) and disaster recovery scenarios.
- We recommend you separate the FAS CA from any CA that performs other tasks, for both security and scalability purposes.
Specifying multiple CAs for FAS
The document below provides information on configuring multiple CAs on FAS using PowerShell.
Citrix Documentation - Federated Authentication Service (citrix.com)