Error: Identity Assertion Logon failed Unrecognized Federated Authentication Service

Article ID: CTX340100

Description

Citrix FAS configured for authentication.
Published Desktop or Published Application fails to launch with error: "Identity Assertion Logon failed. Unrecognized Federated Authentication Service"

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

  • Policies were modified to ensure that the FAS servers, StoreFront servers and VDAs all receive the same policies.
  • Gpupdate /force was performed on the VDA.
  • Verified that the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses" contained the same list of addresses, in the same sequence, on every machine.
  • Application launch was successful.
 

IMPORTANT:

  • Ensure that the StoreFront servers requesting tickets and the Virtual Delivery Agents (VDAs) redeeming tickets have an identical configuration of FQDNs, including the automatic server numbering applied by the Group Policy object.
  • If you enter multiple FQDNs, the order of the list must be the same as seen by VDAs, StoreFront servers (if present), and FAS servers.
  • FAS will function as long as the StoreFront servers, VDAs, and the machine running the FAS administration console see the same list of FQDNs.
  • The contents of "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses" must be exactly the same on the VDAs, the StoreFront servers and the FAS servers.

Problem Cause

  • The VDA and the FAS server were not receiving the same policies, which resulted in different FAS server values in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses".
  • The FAS server was additionally receiving the Default Domain Policy, which contained additional FAS server addresses.


The CDF trace of the VDA reports the error below:

30532,2,2021/11/04 14:04:50:90927,11292,4192,BrokerAgent.exe,0,Citrix.Authentication.IdentityAssertion,,0,,2,Information,"[S101] Identity Assertion Logon failed.  Unrecognised Federated Authentication Service [id: 3]",""
30533,2,2021/11/04 14:04:50:90927,11292,4192,BrokerAgent.exe,0,Citrix.Authentication.IdentityAssertion,,0,,5,Information,"Logging Security Event: [LogLevel: 1] [S101] Identity Assertion Logon failed.  Unrecognised Federated Authentication Service [id: 3]",""

Comparing the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses on the FAS server and on the VDA showed a mismatch in the list of FAS server addresses.
The FAS server had 4 FAS server addresses listed, whereas the VDA had only 2.

When you launch an app or desktop, the following process is followed:

  • Workspace picks a FAS server and creates a ticket on it.
  • The ticket is sent to the VDA, along with the index of the chosen FAS server in the GPO address list.
  • The VDA uses that index to determine which FAS server to contact to redeem the ticket; it cannot simply contact any FAS server. The index is resolved against the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses


FAS server addresses are stored in this registry key as indexed REG_SZ values, as shown below:

"Address1"="FAS server FQDN (e.g. myfasserver01.domain.local)" (REG_SZ)
"Address2"="FAS server FQDN (e.g. myfasserver02.domain.local)" (REG_SZ)
"Address3"="FAS server FQDN (e.g. myfasserver03.domain.local)" (REG_SZ)
"Address4"="FAS server FQDN (e.g. myfasserver04.domain.local)" (REG_SZ)

The index reported in the CDF trace starts from 0, while the value names start from 1.

So [id: N] is the address list index and refers to the value AddressN+1. For example, [id: 1] means the 2nd FAS server address, Address2:

0="Address1"="FAS server FQDN (e.g. myfasserver01.domain.local)" (REG_SZ)
1="Address2"="FAS server FQDN (e.g. myfasserver02.domain.local)" (REG_SZ)
2="Address3"="FAS server FQDN (e.g. myfasserver03.domain.local)" (REG_SZ)
3="Address4"="FAS server FQDN (e.g. myfasserver04.domain.local)" (REG_SZ)


Regarding the index value [id: 3] reported in the CDF trace:
[id: 3] is the address list index. Since it starts from 0, [id: 3] means the 4th address, Address4.

The VDA was looking for the 4th FAS server address, which did not exist in the registry on the VDA (it only had Address1 and Address2), so the "Unrecognised Federated Authentication Service" error was thrown.
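The following PowerShell script is an added example and is not part of this Citrix article or of the FAS product. It implements the check described in the IMPORTANT notes and in the ticket-redemption walkthrough above: it reads the Address1..AddressN values from the policy key on a VDA, a StoreFront server and a FAS server, prints each list with the zero-based index the CDF trace would report, and warns about any position where the machines disagree, including positions that exist on the FAS side but are missing on the VDA. The host names are placeholders, and the remote reads assume WinRM (Invoke-Command) is permitted between the machines.

```powershell
# Added example (not from the Citrix article): verify that the FAS address list
# is identical, and in the same order, on every machine in the ticket path.
# Host names below are placeholders; replace them with your own.

# Returns Address1, Address2, ... from the policy key on one machine, in numeric
# order (so Address10 sorts after Address9, not after Address1). An empty array
# means the key is absent, i.e. the FAS policy did not apply to that machine.
function Get-FasAddressList {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $reader = {
        $key = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'
        if (-not (Test-Path $key)) { return }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^Address\d+$' } |
            Sort-Object { [int]($_.Name -replace '^Address', '') } |
            ForEach-Object { $_.Value }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { return @(& $reader) }
    return @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader)
}

# Maps the zero-based [id: N] printed in the VDA CDF trace to the registry value
# the VDA will look up (AddressN+1). $null is the "Unrecognised Federated
# Authentication Service" condition: the index points past the end of the list.
function Resolve-FasTicketIndex {
    param([string[]]$Addresses, [int]$Id)
    if ($Id -lt 0 -or $Id -ge $Addresses.Count) { return $null }
    return $Addresses[$Id]
}

# Placeholder host names: one VDA, one StoreFront server, one FAS server.
# Add the machine running the FAS administration console if it is separate.
$Hosts = 'vda01.domain.local', 'storefront01.domain.local', 'fas01.domain.local'
$Lists = @{}
foreach ($h in $Hosts) { $Lists[$h] = Get-FasAddressList -ComputerName $h }

# Show what each machine sees, labelled with the index the CDF trace would print.
foreach ($h in $Hosts) {
    "== $h ($($Lists[$h].Count) entries) =="
    for ($i = 0; $i -lt $Lists[$h].Count; $i++) {
        "  [id: $i]  Address$($i + 1) = $($Lists[$h][$i])"
    }
}

# Compare position by position up to the longest list, so an entry that the FAS
# or StoreFront server has but the VDA lacks is reported as <missing>.
$longest = 0
foreach ($l in $Lists.Values) { if ($l.Count -gt $longest) { $longest = $l.Count } }
for ($i = 0; $i -lt $longest; $i++) {
    $seen = @(foreach ($h in $Hosts) {
        $v = Resolve-FasTicketIndex -Addresses $Lists[$h] -Id $i
        if ($null -eq $v) { "$h=<missing>" } else { "$h=$v" }
    })
    $distinct = @($seen | ForEach-Object { $_.Split('=', 2)[1] } | Sort-Object -Unique)
    if ($distinct.Count -ne 1) {
        Write-Warning "Mismatch at [id: $i]: $($seen -join '; ')"
    }
}
```

Run it from a machine that can reach all three hosts over WinRM. In the scenario from this article it would print four entries for the FAS server and two for the VDA, then warn at [id: 2] and [id: 3] that the VDA reports <missing>, which is the [id: 3] lookup the CDF trace shows failing. Order matters as much as membership: two machines with the same four FQDNs in a different sequence also trigger a warning, because the VDA would redeem the ticket against the wrong server.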

Additional Information

https://discussions.citrix.com/topic/406211-s104-identity-assertion-logon-failed-failed-to-connect-to-federated-authentication-service-usercredentialservice-addressfas-01index-0-error-access-denied/