Table of Contents
Overview
Another (and for the moment the last) Quickpost about getting a Primary Refresh Token (PRT) inside your HDX Session when using Citrix FAS combined with Entra ID Certificate-Based Authentication (CBA) which is my favorite solution when it comes to gaining SSO to M365 Apps inside User’s HDX Session.
I’ve choosen to write that quick summary because I’m getting different questions about my other FAS posts with pros and cons and I’m not sure if everyone is aware of the following simple solution.
To sum up (choose your needs):
- Using Entra ID CBA on the Clientside for getting a PRT – you need to enroll certificates on your (corporate) Devices
2. Using Entra ID CBA inside the HDX Session for gaining SSO to M365 Apps without a PRT – needs FAS allow in-session certuse
3. Using NetScaler without FAS for gaining SSO to M365 Apps with a PRT
4. This Post which should technically replace variant 2
Configuration
The config is pretty simple and there’s a great diagram showing the technical workflow. Thanks to Kerberos TGT, there’s no need for FAS allow in-session certuse:
All four steps are happening during the Logon process of the User’s HDX Session to the VDA, which means in particular, the User doesn’t need access to the virtual Smartcard certificate from FAS. Not using in-session certuse is a great security achievement.
Requirements
- VDA is Entra ID hybrid joined
- Windows Server 2019 or later
- Windows 10 or later
- VDA has access to *.certauth.microsoftonline.com without any TLS Inspection
- Full CA-Chain is uploaded to Entra ID with (recommended, but not not absolutely necessary) publicly accessible Certificate Revocation List (CRL) URL
Entra ID CBA
Go to the Entra ID Portal and create your PKI – this is currently in Preview but will soon replace the classic Certificate authorities option:
You can choose between entering a public URL (Upload CBA PKI) hosting your CA Certs or just uploading your CA Certfiles by manual (Add certificate authority):
That’s it for the CA-Upload. Next is configuring and enabling the Certificate-based authentication Authentication method:
It makes sense to just enable it for a Usergroup which is using Citrix VAD / DaaS on a daily basis. You cannot filter on a device / machine group – which would makes sense to just enable CBA for all Citrix VDA’s. Technically you can select a device group, but it will never hit. Maybe this will come in near future.
The config part should look like this. Enable CRL validation only, when your CRL is public available. We will use Single-factor authentication as a Protection Level because we want silently logon to Entra ID without any User-interaction to get the PRT.
The minimum Ruleset should include the UPN-check, so the UPN of the user gets validated against the FAS Smartcard cert, where the UPN should be inserted:
That’s it. Just wait a few minutes to sync your settings into Entra ID, start your HDX session and validate the PRT.
When CBA is enabled for your User, but there’s no PRT inside your session – dsregcmd /status will give you some details why CBA failed (for example a not matching Certrule or a missing Intermediate-CA of your PKI)
Final thoughts
At the moment, that variant is my preferred way for having stress-free SSO for all HDX Users. Adding some final notes.
As we are using the Auth-Method “Single-factor authentication” and CBA is recognized as a so called system preferred multifactor authentication method – the “MFA Reset button” is still available to use for your Servicedesk:
When you check the MFA-Methods of a Entra ID CBA enabled User, you can see the CBA as a system MFA method, so it’s not correlating to the User’s created MFA methods. This means also, there are no issues regarding first MFA-enrollment of a User or device-setup via Autopilot.
Regarding Security:
If the FAS smartcard cert of a user gets inside wrong hands – he’s able to logon to M365 / Entra ID as your identity. As the cert is not on the VDA level, make sure to use a separate Issuing-CA only for FAS and lockdown that CA and all FAS server’s. Think about using HSM, too.
Regarding Userexperience:
When enabling CBA for a user, there’s the smartcard logon-option showing up on all devices when the User’s logging on to M365 / Entra ID:
Which will fail, because there’s no matching cert on the clientside deployed:
That could accidentally work when using the same Issuing CA for FAS and for Clientcerts (Eg Intune) with the User’s UPN, too. Make sure this can’t work.
Summary
Hopefully that Post answered some questions or misunderstandings for solving the missing PRT problems in a HDX world.
Hello! I have tried this config, I still experience Certificate Validation failed when configured to single-factor instead of multi-factor if I press the MFA Reset button