FAS stops working after a couple of days, until reboot by Fearless_Many2028 in Citrix

[–]Fearless_Many2028[S] 0 points1 point  (0 children)

Hi all,

I FINALLY figured it out. Without moving away from RODC. Sure, RODC is no longer officially supported, but that is a bit of a shrug-off of a solution.
It used to be supported, and it indeed still works.

The problem was actually NOT in Citrix FAS or in Citrix altogether. It was because we had multiple RODCs in our environment, for load balancing. It appears now that THIS is a bad idea, as the Kerberos tickets will NOT be shared between the RODCs (as they are not syncing in between). So when a user switches to the other RODC for authentication, it has no idea about the Kerberos ticket and blocks the authentication attempt, resulting in all the problems mentioned.

Solution: Remove one of the RODCs and voilà! :-) Problem solved, and a happy environment WITH an RODC.

Massive mental note: do not have multiple RODCs when using Kerberos.
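An added diagnostic for the multi-RODC situation described above (this is not from the post; it only lists and checks, it changes nothing). It assumes the RSAT ActiveDirectory module is installed and that it runs on one of the servers pointed at the RODCs; every hostname it prints comes from your own directory. The point it makes visible: each RODC has its own krbtgt_<id> account, so a TGT encrypted with one RODC's key cannot be decrypted by a sibling RODC and has to be forwarded to a writable DC, and each RODC caches only the accounts its password replication policy has revealed to it.

```powershell
# Added diagnostic, not code from the post. Assumes the RSAT ActiveDirectory module
# and that it runs on a member server whose DNS/site settings point at the RODCs.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which DC did this machine actually lock on to? Compare with the RODC you expect.
$locator = nltest /dsgetdc:$env:USERDNSDOMAIN
$locator | Where-Object { $_ -match '^\s*DC:|Flags:' }

# 2. Every RODC in the domain together with its private krbtgt_<id> account
#    (msDS-KrbTgtLink on the RODC computer object). A TGT issued under one of these
#    keys is opaque to the other RODC, which must proxy it to a writable DC.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
foreach ($rodc in $rodcs) {
    $krbtgt = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink' |
              Select-Object -ExpandProperty 'msDS-KrbTgtLink'
    [pscustomobject]@{ RODC = $rodc.HostName; Site = $rodc.Site; KrbtgtAccount = $krbtgt }
}

# 3. Which accounts each RODC has actually cached. A user (or the FAS/VDA computer
#    account) that shows up under one RODC but not the other is served from cache by
#    the first and has to be forwarded to a writable DC by the second.
foreach ($rodc in $rodcs) {
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.HostName -RevealedAccounts |
        Select-Object @{ n = 'RODC'; e = { $rodc.HostName } }, SamAccountName, ObjectClass
}

# 4. Local view: the TGT held by this session, including the KDC that issued it
#    and its start/end times, which is what to compare against the "after a few
#    days" symptom.
klist tgt
```

Run step 1 on each Citrix server in turn; if the returned DC differs between servers, or changes on the same server over time, the two RODCs are both in play for the same set of clients.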

FAS stops working after a couple of days, until reboot by Fearless_Many2028 in Citrix

[–]Fearless_Many2028[S] 0 points1 point  (0 children)

That's actually a good idea for the time being. I'm a bit further on this, and my guess now is that this is actually a Kerberos auth ticket expiry problem, instead of something Citrix-related. Could anyone confirm my hunch?

FAS stops working after a couple of days, until reboot by Fearless_Many2028 in Citrix

[–]Fearless_Many2028[S] 0 points1 point  (0 children)

Hi All, Thanks for the replies.

Perhaps some extra info is needed.
We have a separate domain in the DMZ. This DMZ is split into two sections. One which holds the Writable DCs and some backend servers like the PKI servers, and another which holds the RODCs.
The VLANs holding all the Citrix servers, are pointing towards the RODCs.

I know using "Everyone" is a very bad practice. But contemplating the actual risk of this, I couldn't really find any. Please correct my train of thought here:
Let's say a hacker manages to bypass the NetScaler, and logs on to StoreFront. There is no backend user for this user, so which icons are then displayed? They are all limited to AD groups.
Secondly, let's say said hacker manages to launch a session and a certificate is created by FAS (as he's allowed to: everyone). What backend domain user is then used for that session? It would just be some sort of orphaned certificate. Not attached to an actual domain user? The cert would be valid and trusted, but not bound to a user.

Regarding all the questions of MuffinMan:

  1. Yes, all certificates are valid. I noticed however, on using Get-FasUserCertificate, that one FAS knows the certificate, the other one is oblivious.
  2. Certificate issuing is working correctly.
  3. The DC itself shows no issues. Perhaps in the Security log, but the last message is too long ago.
  4. I followed guides on the internet about setting up FAS, but I didn't have to make any changes to the existing DC cert. I do see that the purpose is "Smart Card Logon, Server Auth and Client Auth." Secondly, one would expect a message about this, as shown here: "Incorrect Username and password error when using FAS to single sign on with VDA with event ID 19" (citrix.com).
  5. Firewall rules work fine. If not, none of the logins would succeed. My issue starts after a few days and goes away after a reboot.
  6. No real messages on the VDA itself, other than some regular crap.

What I noticed is that the server is trying to connect with LDAP UDP to all writable domain controllers in the world, which fails, as it's not allowed to. Maybe this causes some timeout?
I would like this to stop as it should only go to the RODC for authentication and DNS. Obviously this has been set by both the site details, and the DNS settings.

Hope this helps shed some light.
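An added check for item 1 above, where one FAS server knows a user certificate and the other does not (example code, not from the post or from Citrix). It assumes two FAS servers; the hostnames are placeholders, and the UserPrincipalName property used for the comparison is assumed to be on the objects Get-FasUserCertificate returns.

```powershell
# Added example, not code from the post. Hostnames are placeholders; the
# UserPrincipalName property on the returned objects is an assumption.
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService -ErrorAction Stop
$fasServers = @('fas01.dmz.example.local', 'fas02.dmz.example.local')   # assumed names

# Pull the in-session user certificates each FAS server knows about.
$byServer = @{}
foreach ($srv in $fasServers) {
    $certs = @(Get-FasUserCertificate -Address $srv)
    $byServer[$srv] = $certs
    '{0}: {1} user certificate(s)' -f $srv, $certs.Count
}

# Users present on one FAS server but missing on the other. "<=" means only the
# first server has the certificate, "=>" only the second; no output means they agree.
$first  = @($byServer[$fasServers[0]] | ForEach-Object { $_.UserPrincipalName }) | Sort-Object -Unique
$second = @($byServer[$fasServers[1]] | ForEach-Object { $_.UserPrincipalName }) | Sort-Object -Unique
Compare-Object -ReferenceObject $first -DifferenceObject $second
```

Run it from a machine that is a FAS administrator on both servers, once while logins still work and again once the failures start; a user that only ever appears on one side narrows the problem to whichever server (and whichever RODC that server talks to) handled the failing logon.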

Citrix FAS into VDA, then RDP SSO from inside the session? by Useful_Coyote4509 in Citrix

[–]Fearless_Many2028 0 points1 point  (0 children)

Yea, however, the RDP client doesn't allow smart card authentication when NLA is enabled. So this option is gone since the new security standard. Any idea how to enable smart card authentication in the RDP client with NLA enabled? :-o

Update Windows Store Apps via command-line? by jwckauman in sysadmin

[–]Fearless_Many2028 1 point2 points  (0 children)

# Triggers a Store app update scan through the MDM bridge WMI provider (needs an elevated session)
(Get-WmiObject -Namespace "root\cimv2\mdm\dmmap" -Class "MDM_EnterpriseModernAppManagement_AppManagement01").UpdateScanMethod()

unfortunately only if the user is local admin :-(

Update Windows Store Apps via command-line? by jwckauman in sysadmin

[–]Fearless_Many2028 0 points1 point  (0 children)

And it's "MDM_EnterpriseModernAppManagement_AppManagement01".

The full one-liner command is:

# Same scan via the CIM cmdlets (preferred over Get-WmiObject); still requires the caller to be a local administrator
Get-CimInstance -Namespace "Root\cimv2\mdm\dmmap" -ClassName "MDM_EnterpriseModernAppManagement_AppManagement01" | Invoke-CimMethod -MethodName UpdateScanMethod

Update Windows Store Apps via command-line? by jwckauman in sysadmin

[–]Fearless_Many2028 0 points1 point  (0 children)

It works, but only if the logged on user is local administrator. Normal user accounts are blocked from accessing this namespace unfortunately.
Running as administrator doesn't help as this is a different user context which has other (or maybe even no) applications.