How to troubleshot Citrix FAS related issues on Linux VDAs
Article ID: CTX235532
Updated On:
Description
The Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. Please refer to FAS documentation on how to configure FAS on Linux VDAs.
This article explains how to troubleshoot FAS related issues on Linux VDA.
Instructions
Note, before going through following steps, it is recommended to make sure you can access the non-FAS store created for the same site, and could launch published desktop/application from the non-FAS store successfully. If you are facing any issue on non-FAS store, a normal troubleshooting for a non-FAS store must be performed in the first place.
Issues when accessing FAS store.
Scenario 1.User fail to access FAS store with error
- “can’t connect to server named xxxxx” on Firefox.
- "‘xxxx’ server IP address could not be found" on Chrome
- "make sure the web address xxxx is correct" on Internet Explorer
Possible cause:
This could be caused by name resolve failing from the endpoint to the server you are connecting to.
Solution:
If you are using Active Directory Federation Services (ADFS) server in your FAS environment, please make sure “nslookup ADFS-Server-FQDN” returns successfully.
If you are not using Active Directory Federation Services (ADFS) server in your FAS environment, please make sure “nslookup DDC-Server-FQDN” and “nslookup Storefront-Server-FQDN” return successfully.
Scenario 2. Accessing FAS store via IE or Chrome returns error 403
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Possible cause 1:
User is trying to access an incorrect FAS store URL.
Solution 1:
Please double check the store URL on the endpoint browser with your storefront server. The store URL is case insensitive; ensure you have added “web” at the end of the URL. For example: https://yourstorefrontserver/citrix/FASStoreweb.
Possible cause 2:
Root certificate is not (correctly) imported into the endpoint and browser.
Solution 2:
Please make sure the Root CA certificate is imported into the endpoint OS and browser. If you are using ADFS server, please have ADFS certificate imported successfully as well.
Scenario 3. Can’t open FAS store via Firefox, showing “Your Connection is not secure”.
Possible Cause:
CA Root Certificate is not correctly imported.
Solution:
Make sure you have the Root CA Certificate imported as “trusted root certification authorities”, so that the server can be totally trusted.
Scenario 4. User logging into store with error “there was a failure with the mapped account”
Possible cause 1:
Linux VDA supporting FAS is designed to work with any storefront authentication methods. For example, FAS store can be configured to use user/password or SAML, but cannot use both user/password and SAML authentication methods at the same time. Hence, if both user/password and SAML authentication methods are configured on the FAS store, when user accesses to the store, it will automatically redirect to IDP, and user/ password authentication method will be ignored.
Solution 1:
If some users need to be authenticated by SAML, while some by user/password, please create a separated FAS store for each authentication method, and select only one authentication method for the store on Storefront server.
Possible cause 2:
If you are authenticating by SAML, shadow user is not configured for that user on AD.
Solution 2:
Please create shadow user for the problematic user on AD.
Issues when launching published Desktop/application from FAS store.
Scenario 1. Cannot launch published Linux VDA Desktop with error “Invalid Login”
Problem cause 1:
FAS is not configured on the Linux VDA server yet.
Solution 1:
Please configure FAS by /opt/Citrix/VDA/sbin/ctxsetup.sh and /opt/Citrix/VDA/sbin/ctxfascfg.sh
as described in document
Problem cause 2:
The Root CA certificate is not installed on Linux VDA server.
Solution 2:
Please install Root CA Certificate by sudo openssl x509 -inform der -in yourrootname.cer -out yourroot.pem
Problem cause 3:
The Root CA certificate is not valid.
Solution 3:
Please get and install a valid root CA certificate.
Scenario 2. Launching published Desktop fails with error Cannot Start Desktop “your desktop name”
Possible cause 1:
Solution 1:
2) Go to Linux VDA server, update the FAS server by following command:
sudo /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\Software\Citrix\VirtualDesktopAgent\Authentication\UserCredentialService" -v "Addresses" -d "your FAS server FQDN"
Note, if have there is a blank row of FAS DNS on your group policy, please run the command like follows:
sudo /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\Software\Citrix\VirtualDesktopAgent\Authentication\UserCredentialService" -v "Addresses" -d "server1;<none>;server2"
3) Restart ctxvda service by service ctxvda restart.
4) Log out the users from the store and login again.
Possible cause 2:
Solution 2:
Scenario 7. All users who are logging to the FAS store receives “Your logon has expired. Please log on again to continue.” within timeout value.
Possible cause:
Authentication method of the FAS store is being modified on StoreFront server.
Solution:
Users need to re-login to the store in this situation.
Or if modifying authentication method for the store is needed, please do it when there is no users using the store.
Additional Information
