Deployment Guide: Citrix Federated Authentication Service and Sectigo MS Agent

Overview

Sectigo Certificate Manager (SCM) is a universal platform purpose-built to issue and manage the lifecycles of digital certificates. SCM secures every user and machine identity across your enterprise, all from a single interface. With SCM, you can automate the issuance and management of Sectigo certificates alongside those from other publicly trusted Certificate Authorities (CAs) and private CAs, including Microsoft ADCS, Google Cloud Platform (GCP), and AWS Cloud Services.

For certificate discovery and enrollment, Sectigo MS agents are installed on Active Directory servers. SCM uses MS agents to do the following:

  • Discover Certificate - An agent installed on a domain-joined Windows server can discover assets such as web servers, domains, and certificates in Active Directory.
  • Proxy MS Enrollment Protocols to SCM - An agent installed on a domain-joined Windows server can act as a proxy to issue private and public certificates by using MS AD certificate templates mapped to SCM certificate profiles.

As a redundancy measure, SCM enables you to create clusters of MS agents installed on different servers to act as a single agent. If any agent fails, the other agents in the cluster seamlessly continue certificate discovery and enrollment.

Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range of authentication options, such as Security Assertion Markup Language (SAML) assertions. SAML is commonly used on the Internet as an alternative to authenticating with traditional Windows user accounts.

Architecture Diagram

FAS Overview

Installation

Prerequisites

  • Microsoft Windows Server 2019 or Microsoft Windows Server 2022.
  • Active Directory Domain Controller (DC).
  • Active Sectigo Certificate Manager Account (SCM)
    • An organization created in SCM.
    • Private CA backend enabled.
    • MS Agent enabled.
  • Sectigo MS Agent installed on the Active Directory DC or a Domain Server.
  • It is recommended that when configuring Citrix FAS, the rule is called default and not something arbitrary, as this is the rule name Citrix Cloud uses when it contacts the Citrix FAS server.
  • The Sectigo CA certificate must be trusted by the Domain Controller: the CA that generates the end-user certificates must be trusted (published to NTAuth and the trusted roots) in the domain in which those certificates are used, as described in the referenced article.

MS Agent Installation

An administrator with the Master Registration Authority Officer (MRAO) role can manage MS agents using the Integrations > MS Agents page on SCM.

Refer to the Sectigo Certificate Manager Administrator’s Guide for the MS Agent installation requirements.

MS agent Install

Citrix FAS Installation

For security, Citrix recommends installing the Federated Authentication Service (FAS) on a dedicated server that is secured to the same standard as a Domain Controller or Certificate Authority: the FAS server holds the registration authority (RA) certificate and its private key, and anyone who controls them can obtain logon certificates for any user in the domain. Citrix FAS can be installed from either:

  • Citrix Virtual Apps and Desktops installer (from the Federated Authentication Service button on the autorun splash screen when the ISO is inserted), or
  • Stand-alone FAS installer file available as an MSI file on Citrix Downloads

Citrix FAS Configuration with MS Agent

Citrix FAS Administration Console:

  • You must be running as a Domain User who is a Local Administrator. You may have to select Run as administrator, depending on your Windows settings.
  • Many steps here can be performed from the Citrix FAS administration console. This is a simple GUI that is sufficient for most customers’ needs. It is typically installed at C:\Program Files\Citrix\Federated Authentication Service\fasadminconsole.exe
  • The Citrix FAS Console polls the Citrix FAS server every 2 seconds to obtain its latest configuration; it can be helpful to leave the Citrix FAS Administration console open even when using PowerShell cmdlets.

NOTE: The first two steps in the Citrix FAS Administration console, which involve communication with AD, are only updated if you click Refresh in the top right.

FAS Install

  1. Deploy Certificate Templates. Select Deploy to deploy the following three certificate templates to AD:
    • Citrix_RegistrationAuthority_ManualAuthorization
    • Citrix_RegistrationAuthority
    • Citrix_SmartcardLogon
  2. Set up the Certificate Authority. Configure the Citrix_RegistrationAuthority_ManualAuthorization template so that it requires the CA administrator’s approval:
    • Navigate to Server Manager > Tools > Certification Authority > Certificate Templates > Manage > Citrix_RegistrationAuthority_ManualAuthorization.
    • Check CA certificate manager approval and click OK.

    FAS Install

    Once FAS obtains a certificate with this template, it immediately uses it as authorization to request a certificate with Citrix_RegistrationAuthority. The Citrix_RegistrationAuthority_ManualAuthorization certificate is then deleted. This two-stage authorization flow is intended to support automatic renewal of the RA certificate, but that renewal feature has not yet been implemented. Citrix_RegistrationAuthority is the RA certificate template that authorizes Citrix FAS to act as an RA.

    It has the following Extended Key Usage:

    FAS Install

  3. Configure Citrix_SmartcardLogon
    • Citrix FAS uses this template to generate user certificates “on-the-fly” so that Citrix FAS can perform single sign-on for the user.
    • Its issuance requirements specify an RA certificate as authorization.

      FAS Install

    • The templates can be customized, and it is also possible to configure Citrix FAS with an RA certificate without using these templates.

      FAS Install

Disabling AD Integration

By default, the Citrix_SmartcardLogon template instructs the CA to query AD to populate fields in the certificate. However, Citrix FAS supplies enough information in the certificate request that it is possible to change this setting to Supply in the request. This way, the CA does not need to query AD. Note that with Supply in the request the CA no longer checks the subject or UPN against AD; it relies entirely on the template’s RA signature requirement, so the RA certificate held by the FAS server becomes the only control over which UPN a logon certificate is issued for.

FAS Install

FAS Install

NOTE: FAS does not read the templates.

  • When creating a certificate request, the template’s name is part of the request.
  • However, FAS does not read the templates themselves. For example, the key length to use is part of FAS’s configuration; FAS does not read the minimum key size from the template.
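
To confirm that the deployed templates carry the settings described above (CA certificate manager approval on the bootstrap template, an RA signature requirement and the Smart Card Logon EKU on Citrix_SmartcardLogon, and whether the subject is built from AD or supplied in the request), the following PowerShell reads the templates back from the Configuration partition. It is an added example, not code from this guide or from Citrix or Sectigo; it assumes the RSAT ActiveDirectory module is installed and that the session runs as a domain user on a domain-joined machine. The flag bits and attribute names are from the certificate template schema (MS-CRTD); the function names are this example’s own.

```powershell
# Added example (not from the Sectigo/Citrix guide): read the three Citrix FAS
# templates back from AD and check the settings the steps above rely on.
# Assumes the RSAT ActiveDirectory module and a domain-joined, domain-user session.
Import-Module ActiveDirectory

# Flag bits from the certificate template schema (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: "CA certificate manager approval"
$OID_SMARTCARD_LOGON               = '1.3.6.1.4.1.311.20.2.2'

function Get-CertTemplate {
    # Templates live in the Configuration partition, not in the domain partition
    param([Parameter(Mandatory)][string]$Name)
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Name)" -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'pKIExtendedKeyUsage'
}

function Test-FasTemplates {
    $problems = @()

    # Bootstrap template: must be held for CA manager approval (the change made in step 2)
    $manual = Get-CertTemplate 'Citrix_RegistrationAuthority_ManualAuthorization'
    if (-not $manual) {
        $problems += 'Citrix_RegistrationAuthority_ManualAuthorization is not published in AD'
    } elseif (-not ($manual.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)) {
        $problems += 'Citrix_RegistrationAuthority_ManualAuthorization does not require CA certificate manager approval, so an RA bootstrap certificate could be issued without review'
    }

    # RA template: must exist and must itself be gated by an authorizing signature (the bootstrap certificate)
    $ra = Get-CertTemplate 'Citrix_RegistrationAuthority'
    if (-not $ra) {
        $problems += 'Citrix_RegistrationAuthority is not published in AD'
    } elseif ([int]$ra.'msPKI-RA-Signature' -lt 1) {
        $problems += 'Citrix_RegistrationAuthority does not require an authorizing signature'
    }

    # Logon template: must require an RA signature and carry the Smart Card Logon EKU
    $logon = Get-CertTemplate 'Citrix_SmartcardLogon'
    if (-not $logon) {
        $problems += 'Citrix_SmartcardLogon is not published in AD'
    } else {
        if ([int]$logon.'msPKI-RA-Signature' -lt 1 -or -not $logon.'msPKI-RA-Application-Policies') {
            $problems += 'Citrix_SmartcardLogon does not require an RA signature: with Supply in the request, any principal with enroll rights could request a logon certificate for any UPN'
        }
        if (@($logon.pKIExtendedKeyUsage) -notcontains $OID_SMARTCARD_LOGON) {
            $problems += 'Citrix_SmartcardLogon lacks the Smart Card Logon EKU'
        }
        # Report, rather than judge, the subject source: both settings are valid for FAS
        $subjectSource = if ($logon.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
            'Supply in the request (AD integration disabled)'
        } else {
            'Built from Active Directory'
        }
        Write-Host "Citrix_SmartcardLogon subject source: $subjectSource"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-FasTemplates | Format-List
```

Run it after clicking Deploy and after the manager-approval change; an Ok of False with a listed problem means the CA would issue on weaker terms than the two-stage flow above intends, and the FAS authorization step should not be run until the template is corrected.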

Authorize this service

To configure FAS with an RA certificate:

  1. From the Citrix FAS Administration Console, click Authorize.

Note: To remove an authorization, click Deauthorize.

  2. The CA administrator approves the request by going to Server Manager > Tools > Certification Authority > Pending Requests. FAS polls the CA awaiting a response, and the FAS admin console shows a spinner while the request is still pending.

  3. The CA Administrator right-clicks the pending request and selects Approve to issue the RA certificate.

  4. The Citrix FAS Administration Console shows the service as Authorized.

Create a Rule

Once you have configured FAS with an RA certificate, complete the rest of the FAS configuration.

  1. Click Create.

  2. Follow the wizard; for most screens, click Next.

    • When prompted, provide the following:
      • The template (Citrix_SmartcardLogon) that FAS uses to request user certificates.
      • The CAs that FAS contacts to request a user certificate.

    FAS Install

    Now the Citrix FAS is fully integrated with the MS Agent for certificate issuance.

    FAS Install

MS AD certificate template mapping on SCM for Citrix templates

Before issuing a certificate, ensure the Citrix_SmartcardLogon, Domain Controller, and Domain Controller authentication templates are mapped to an SCM certificate profile on your SCM account.

Create MS AD certificate template mapping

FAS Install

To create the MS AD certificate template mapping between an SCM certificate profile and an MS AD template:

  1. On SCM, navigate to Enrollment > MS AD Certificate Template Mapping.

  2. Click Add (+).

  3. Complete the Add MS AD Certificate Template Mapping dialog.

    SCM

  4. ClickSave.

    SCM

User Certificate Creation

PowerShell cmdlets are used to manage Citrix FAS and to test certificate creation.

  1. Load the FAS PowerShell snap-in. Open a PowerShell window as Administrator and run the following commands (the second stores the address of the first FAS server for use with later cmdlets):

    Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
    $CitrixFasAddress = (Get-FasServer)[0].Address
  2. Set up FAS authentication in Active Directory.
  3. The SCM certificate template requires a User Principal Name (UPN) for the client certificate. Set the UPN for the user in AD. Example: admin@wwco.net

  4. Run the following PowerShell command to enroll a user certificate, substituting the user’s UPN:

    Test-FasCertificateSigningRequest -UserPrincipalName "admin@wwco.net" -Rule default

    You can view the certificate from SCM Dashboard:

    SCM

  5. To view the certificate’s details, navigate to Certificates > Client Certificates, and select View > Chain of Trust.

    SCM
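
The following PowerShell, an added example that is not part of this guide or of the Sectigo or Citrix products, checks a user certificate for the properties a smart-card logon through FAS depends on: the Smart Card Logon and Client Authentication EKUs, a SAN carrying the user’s UPN, a signing-capable key, and a chain that builds to a CA trusted on the machine (the prerequisite listed above). To exercise the checks offline it builds a constructed self-signed stand-in with the guide’s example UPN admin@wwco.net; that certificate is expected to fail only the chain test, which is the same failure you see when the Sectigo CA is not trusted by the domain. The function Test-SmartcardLogonCertificate and the variable names are this example’s own, and the path in the trailing comment is a placeholder.

```powershell
# Added example (not from the guide): validate a user certificate for FAS smart-card logon.
# The self-signed certificate built at the bottom is a constructed stand-in so the checks
# can run offline; it is expected to fail the chain test (untrusted root).
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
$OID_CLIENT_AUTH     = '1.3.6.1.5.5.7.3.2'

function Test-SmartcardLogonCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedUpn
    )
    $problems = @()

    # 1. Extended Key Usage must carry Smart Card Logon and Client Authentication
    $ekuExt = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $OID_SMARTCARD_LOGON, $OID_CLIENT_AUTH) {
        if ($ekus -notcontains $oid) { $problems += "Missing EKU $oid" }
    }

    # 2. SAN must contain the user's UPN; the KDC maps the logon to the account on this value
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    if ($sanText -notmatch [regex]::Escape($ExpectedUpn)) { $problems += "SAN does not contain UPN $ExpectedUpn" }

    # 3. Key usage must allow digital signature (PKINIT signs the AS request with this key)
    $ku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and ([int]($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) -eq 0) {
        $problems += 'Key usage lacks DigitalSignature'
    }

    # 4. Chain must build to a root trusted on this machine (the "CA trusted by the domain" prerequisite)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline demo only
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Chain does not build to a trusted root: $status"
    }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed stand-in carrying the same EKUs and UPN SAN that FAS requests for a user
$upn  = 'admin@wwco.net'   # UPN used in the guide's example
$demo = New-SelfSignedCertificate -Subject "CN=$upn" -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddHours(1) `
    -TextExtension @("2.5.29.37={text}$OID_SMARTCARD_LOGON,$OID_CLIENT_AUTH", "2.5.29.17={text}upn=$upn")
try {
    # Expected: Valid = False with a single problem, the UntrustedRoot chain status
    Test-SmartcardLogonCertificate -Certificate $demo -ExpectedUpn $upn | Format-List
} finally {
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $demo.Thumbprint) -DeleteKey   # remove the stand-in
}

# To check a real FAS-issued certificate exported from SCM (Certificates > Client Certificates) as a .cer file:
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\user.cer'
# Test-SmartcardLogonCertificate -Certificate $cert -ExpectedUpn 'admin@wwco.net'
```

Run the real check on a Domain Controller or on a domain-joined workstation: the chain test passes only where the Sectigo issuing CA and its root are trusted, which is exactly what the prerequisite above requires before smart-card logons will succeed.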
