
Citrix Federated Authentication Service (FAS) is a core component for enabling single sign-on (SSO) in Citrix environments. When FAS servers are not configured consistently, authentication failures can occur, leading to user logon issues. This article outlines how Ferroque MSP resolved problems caused by introducing new FAS servers into a Citrix Cloud hybrid deployment while older FAS servers remained in place.
The objective of this project was to upgrade the Citrix production environment, including retiring the legacy Citrix FAS servers FAS01 and FAS02 (running on an older Windows Server 2019 OS) and replacing them with new Citrix FAS servers, FAS03 and FAS04.
Also deployed in this environment were two Citrix Cloud Connectors and two on-premises StoreFront servers (CVAD 2402), constituting a Citrix Cloud deployment integrated with an on-premises Citrix access tier.
The environment details were as follows:
- FAS03 and FAS04 (new): running Citrix FAS v10.20 with Citrix Virtual Apps and Desktops (CVAD) 2503.
- FAS01 and FAS02 (legacy): running Citrix FAS v2402.0 with CVAD 2402.
- Two (2) Citrix Cloud Connectors
- Two (2) on-premises StoreFront servers (CVAD 2402)
Symptoms
The issue occurred when new Citrix FAS servers, FAS03 and FAS04, were enabled in the same Citrix Cloud resource location as the legacy servers, FAS01 and FAS02.
Testing on a Citrix VDA showed that single sign-on (SSO) with the FAS service was not possible when the VDA was configured to use only servers FAS03 and FAS04. This test triggered Error S104 (Event ID 104) in the VDA event log; however, no related log entries were recorded on servers FAS03 or FAS04.
Configuring authentication via a Group Policy Object (GPO) using the Citrix FAS GPO templates was not effective in this scenario. However, the authentication setting could still be applied directly on the Citrix VDA server by manually modifying the following Registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses
After authenticating to Citrix StoreFront/Gateway, when a user opened a Citrix published application or desktop, they were again prompted to submit their Windows username and password. This behavior indicated that single sign-on (SSO) via Citrix FAS had failed.
The root cause was that Citrix FAS servers in the same resource location cannot serve tickets side by side when they run different FAS versions; all FAS servers in a resource location must be on the same version.
The Event S104 Identity Assertion Logon failed error appears on a Citrix VDA whenever the machine presents a FAS ticket to the wrong Citrix FAS server. In most cases this happens because the two components that talk to FAS, the ticket issuer (StoreFront or the Citrix Cloud Connector) and the ticket redeemer (the Citrix VDA), disagree about which FQDN belongs to which FAS index. When FAS versions are mismatched in the resource location, the lookup tables fall out of sync and the logon fails as follows:
- StoreFront or the Cloud Connector generates a valid ticket for Server #1.
- The Citrix VDA presents the ticket to what its own lookup table says is Server #1, which is actually a different FAS server.
- That server rejects the ticket and returns Access Denied, and no logs are captured on the intended FAS server.
This behavior suggests that the FQDN-to-index mapping is what uniquely identifies a FAS server, so any inconsistency in that table across components causes the failure. A Citrix FAS KB article also points to the index/FQDN relationship as a likely culprit, although not very clearly.
Resolution
Once the root cause was identified, the following steps were performed to resolve the issue:
1. Verify Citrix FAS index consistency across every component that issues or redeems FAS tickets (steps 2 to 4 below).
2. On‑Premises: keep StoreFront and Citrix VDA configuration in sync
- Create one Addresses GPO – Add the FQDNs in the intended order once, and link the same GPO to the OUs in which the StoreFront, Citrix FAS, and Citrix VDA servers reside (having separate policies for StoreFront and Citrix VDAs is the #1 cause of mismatched tables).
- Verify the Registry – From PowerShell or a command prompt, run reg query HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses. The output from every StoreFront and Citrix VDA server should be identical, value for value and in the same order.
- Re‑Order Safely – Never delete or shuffle an existing Registry entry; instead, add the new FAS server as the next index. Change StoreFront first, wait for the GPO to refresh, then update Citrix VDAs (or the gold image) so the table is consistent throughout the environment before moving user traffic.
3. Citrix Cloud / DaaS: specify Primary vs. Secondary
In Citrix Cloud, the Cloud Connector acts as the ticket issuer in place of StoreFront. When multiple Citrix FAS servers reside in a resource location, each server can be marked Primary or Secondary; in our testing, marking both servers as Primary did not produce these 104 errors, and Citrix FAS worked as intended. Because the Cloud Connector records the index of whichever FQDN it picks, the Addresses table on Cloud Connectors and VDAs must be in the same order as the Primary/Secondary list in the Citrix Cloud admin console.
4. Hybrid mode: keep “Addresses” in sync and one FAS version
In this scenario, the environment is hybrid, with two HA server pairs running different versions of Citrix FAS. Administrators need to ensure that the Addresses setting is identical across all StoreFront, Cloud Connector, and Citrix VDA servers in the resource location, and that only one Citrix FAS version is online: put the FAS server(s) running the other version into maintenance mode.
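The checks in steps 2 to 4 can be scripted. The PowerShell below is an added example written for readers of this article; it is not code from the original post, from Ferroque, or from Citrix. It reads the Addresses policy key from every ticket issuer and redeemer over PowerShell Remoting, compares the tables index by index against a reference server, and lists recent Event ID 104 entries from a VDA. The server names are placeholders. It assumes that the policy key holds one string value per FAS server whose numeric suffix reflects its position (so a natural sort reproduces the GPO order), and that the S104 events are written to the VDA's Application log with "Identity Assertion" in the message.

```powershell
# Added example (not from the article): audit the FAS "Addresses" table across
# every ticket issuer and redeemer in a resource location and report any drift.
# Server names are placeholders; replace them with your own.

# StoreFront servers and Cloud Connectors issue FAS tickets; VDAs redeem them.
# All of them must hold the Addresses table in the same order.
$Issuers   = @('STF01', 'STF02', 'CC01', 'CC02')   # placeholder names
$Redeemers = @('VDA01', 'VDA02')                   # placeholder names

# Runs on each remote machine: read the policy key and return the FQDNs in
# index order. Assumption: the policy writes one REG_SZ value per FAS server
# and the numeric suffix of the value name gives its position, so a natural
# sort (Address2 before Address10) reproduces the GPO's ordering.
$ReadTable = {
    $key = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |          # drop PSPath, PSParentPath, ...
        Sort-Object -Property @{ Expression = {
            [regex]::Replace($_.Name, '\d+', { param($m) $m.Value.PadLeft(10, '0') }) } } |
        ForEach-Object { [string]$_.Value }
}

function Get-FasAddressTables {
    # Returns a hashtable: computer name -> string[] of FQDNs (or $null if unreadable).
    param([string[]]$ComputerName)
    $tables = @{}
    foreach ($c in $ComputerName) {
        try {
            $tables[$c] = @(Invoke-Command -ComputerName $c -ScriptBlock $ReadTable -ErrorAction Stop)
        } catch {
            Write-Warning "Could not read Addresses on ${c}: $($_.Exception.Message)"
            $tables[$c] = $null
        }
    }
    return $tables
}

function Compare-FasAddressTables {
    # Compares every table against the reference server, position by position.
    # Index numbering is 0-based to match "Index 0 = FAS-01" in the article.
    param([hashtable]$Tables, [string]$Reference)
    $ref = $Tables[$Reference]
    if (-not $ref) { throw "No Addresses table on reference server $Reference" }
    $drift = @()
    foreach ($entry in $Tables.GetEnumerator()) {
        $name = $entry.Key
        $tbl  = $entry.Value
        if ($null -eq $tbl) { continue }                     # already warned above
        $max = [Math]::Max($ref.Count, $tbl.Count)
        for ($i = 0; $i -lt $max; $i++) {
            $expected = if ($i -lt $ref.Count) { $ref[$i] } else { '<missing>' }
            $actual   = if ($i -lt $tbl.Count) { $tbl[$i] } else { '<missing>' }
            # -ne is case-insensitive for strings; the position is what matters.
            if ($expected -ne $actual) {
                $drift += [pscustomobject]@{ Server = $name; Index = $i; Expected = $expected; Actual = $actual }
            }
        }
    }
    return $drift
}

# --- Usage -------------------------------------------------------------------
$all   = Get-FasAddressTables -ComputerName ($Issuers + $Redeemers)
$drift = Compare-FasAddressTables -Tables $all -Reference $Issuers[0]
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'Addresses tables differ; fix the GPO before moving user traffic.'
} else {
    "All $($all.Count) servers agree on the FAS index table:"
    $all[$Issuers[0]] | ForEach-Object -Begin { $i = 0 } -Process { "  Index $i = $_"; $i++ }
}

# Recent S104 failures on a redeemer, to confirm the symptom before and after the fix.
# Assumption: the events land in the Application log with "Identity Assertion" in the text.
Get-WinEvent -ComputerName $Redeemers[0] -FilterHashtable @{ LogName = 'Application'; Id = 104 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Identity Assertion' } |
    Select-Object TimeCreated, ProviderName, Message
```

Run it from an administrative workstation with WinRM access to the servers. If the key is GPO-managed, correct the GPO rather than the registry, because Group Policy will re-apply the table at the next refresh; run gpupdate on the affected servers and repeat the comparison until no drift is reported. Picking a ticket issuer as the reference makes the report read as "what the VDA should have".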
Conclusion
The Citrix FAS S104 error is not a mysterious cryptographic failure, nor is it caused by networking settings or firewall blocks. To resolve it, ensure every component agrees that Index 0 = FAS‑01, Index 1 = FAS‑02, and so on. Once the tables match, resources launched via both on-premises StoreFront and Citrix Cloud Workspace flow directly to the Citrix VDA without prompting the user to re-enter credentials.
Leo He
Lijun (Leo) has worked in Citrix and Microsoft product professional services since 2005, with additional expertise in programming, DevOps and networking, and is committed to providing overall IT solution architecture to global companies. He enjoys snowboarding, motorcycling and adventuring around the world in his spare time.