
Introduction: The Next Step in Citrix Authentication

For nearly a decade, digital workspace vendors have worked to close the gap between Microsoft’s legacy authentication stack and the enterprise shift toward modern identity standards such as SAML, OAuth, and OpenID Connect. Citrix and VMware Horizon introduced temporary solutions that used short-lived Kerberos certificates to enable single sign-on (SSO), and many customers adopted them despite the extra complexity. These approaches solved an immediate problem but came with their own challenges, while organizations facing strict modern authentication mandates often turned to alternative FAS-less options we have developed in earlier posts (as have several others in the Citrix/NetScaler community). Each path offered benefits but also its share of trade-offs, ranging from complex NetScaler configurations that left LDAP in play (which many organizations want to eliminate from the edge of their networks) to the need for line-of-sight access from Entra Joined endpoints to Domain Controllers, which limited usefulness to trusted internal networks and managed endpoints only.

In close collaboration with Microsoft, Citrix is taking a major step toward simplifying authentication and identity management. A new feature set, arriving later this year, will enable native Entra ID SSO to Citrix session hosts without the need for Federated Authentication Service (FAS). This marks a significant milestone in the ongoing evolution of identity in hybrid and cloud-hosted virtual desktop environments and allows customers who have adopted modern authentication to simplify their technology estate.

Background: Why FAS Existed in the First Place

When organizations began adopting modern identity providers that used SAML and other federation standards, a new problem emerged for virtual desktop environments. Microsoft’s authentication protocols were designed around Kerberos, which depends on Active Directory and domain joined systems. This created a gap between modern, cloud-based authentication and the traditional Windows logon process used by session hosts.

Citrix introduced the Federated Authentication Service (FAS) to bridge that divide. FAS effectively translated a user’s SAML-based authentication into a short-lived Kerberos certificate, allowing seamless single sign-on from modern identity platforms into Windows sessions. It became a reliable solution that enabled hybrid identity architectures and allowed Citrix environments to evolve alongside changing enterprise authentication standards. For perspective, Horizon adopted a parallel strategy with TrueSSO, underscoring how both vendors ultimately converged on the same solution to bridge the modern authentication gap.

While FAS has served this purpose well for many years, it was always a workaround for a deeper architectural limitation. As Microsoft and Citrix modernize their platforms, the industry is shifting toward native, token-based authentication methods such as OAuth 2.0 and OpenID Connect. These newer standards eliminate the need for translation layers like FAS and pave the way for a simpler, cloud-native authentication model, provided the protocols and integration are there to support it.

Challenges with FAS

While FAS served its role in bridging the divide between modern IdPs and traditional Windows authentication, it introduced its own set of challenges.

  • Limited CA Support. For most of its history, FAS relied exclusively on Microsoft Certificate Authorities (CAs) as its supported certificate back end. Citrix designed FAS to align with Microsoft’s Enterprise PKI standards, which created challenges for organizations that either lacked a Microsoft CA infrastructure or had standardized on a different internal PKI vendor. Many were reluctant to deploy or maintain two CA platforms solely to support FAS. In recent years, this has improved, with around ten non-Microsoft CAs now validated for use with Citrix FAS, though setup and ongoing support remain the responsibility of the respective PKI vendor.
  • Infrastructure Complexity. FAS added a layer of infrastructure complexity. It required setting up and managing additional CAs and designing for high availability of both FAS servers and CAs in multi-site environments, and multi-forest environments added further complexity. Redundant CAs, which may not have been common in typical CA deployments, became a strong recommendation for FAS, as CAs became critical to the authentication flow. In very large environments, it was not uncommon to use dedicated CAs for FAS to ensure logon performance did not degrade during peak times. If CAs became unavailable, users could experience errors logging into their sessions. FAS servers acted as registration authorities (RAs) for the CAs, and their RA certificates had a multi-year lifespan. Failing to renew these certificates before their expiry was a common miss for many IT teams and would result in SSO failing. For many environments, this additional overhead became difficult to justify as authentication methods evolved, but it was ultimately a necessity.
  • Security Considerations. The certificates issued by CAs to FAS servers effectively acted as virtual smart cards. These certificates were equivalent to user credentials and were passed from FAS to the VDAs hosting user sessions for SSO. As a result, securing the FAS servers became critical. They needed to be well isolated on the network, with some customers going as far as to ensure the certificates were trusted only by the Citrix infrastructure and domain controllers to reduce the risk of misuse. Administrators often shortened the default seven-day certificate lifespan to limit exposure, while balancing this against the added load on the CAs from more frequent certificate issuance. In short, FAS introduced a security risk that could be managed, but not entirely eliminated.
  • Primary Refresh Token (PRT) Limits. A common complaint was FAS’ lack of native integration with Entra ID’s Primary Refresh Token (PRT). The PRT is a key component of Microsoft’s modern authentication framework that maintains a user’s signed-in state across applications and refreshes tokens in the background without requiring the user to reauthenticate. Because FAS operated outside of this mechanism, users often lost the seamless single sign-on experience to Microsoft 365 apps they were accustomed to in Entra Joined environments within Citrix sessions. In recent years there was the odd workaround to this such as using certificate-based authentication (CBA) in Entra, but this was not commonly embraced in the field.

The Future: Citrix + Entra ID, Natively

The modern authentication challenge with Windows is nothing new, and Microsoft has spent the last few years closing those gaps across its own product stack. More recently, Entra ID SSO for Azure Virtual Desktop entered preview, introducing token-based, seamless single sign-on to AVD sessions including Microsoft 365 apps running within the session and finally addressing the long-standing limitations around PRT handling while providing SSO to sessions thanks to a newly developed protocol handler in Windows.

Building on this same modern authentication foundation, Citrix has been working closely with Microsoft to bring similar capabilities to its own platform for a while. The two companies have been developing a native Entra ID authentication flow based on OpenID Connect (OIDC), the same standard that underpins Entra SSO for Azure Virtual Desktop. This new approach eliminates the need for SAML-based federation and removes the dependency on FAS for Entra Joined or Hybrid Joined environments.

The feature is expected to go into tech preview and subsequently enter general availability for Citrix Cloud customers (Citrix DaaS and Workspace + Gateway service) optimistically by the end of 2025, with support for on-premises Access Tier components (i.e. NetScaler + StoreFront) following tentatively in the first half of 2026 (for Citrix DaaS only). It will deliver true token-based, seamless SSO using the PRT, meaning users who authenticate to Entra ID will be able to launch Citrix sessions without additional credential prompts. While the VDAs need to be Entra Joined or Hybrid Joined, the endpoints do not, providing a high degree of endpoint use case coverage.

Requirements and Compatibility

Please note that the following content at the time of this publication is not official and is subject to change. Please refer to official Citrix documentation and announcements for the most accurate information.

This development is understandably significant, and as such, will have a number of requirements on the Windows and Citrix stack. Typically, new Citrix features roll out in a Current Release (CR) or upcoming Long-Term Service Release (LTSR) cycle. While the next 2511 CR should include the necessary code to support Entra ID SSO, Citrix is expected to back-port the feature into the 2507 LTSR, which was released over the summer, with the preview-supporting version shipping in Cumulative Update 1 (CU1). There is no plan to back-port to 2402 LTSR.

The following are anticipated requirements for the tech preview.

Windows VDA Requirements:

  • Windows 11 24H2 with September patch
  • Windows Server 2025 with December patch (not known at the moment if Microsoft will back-port to Server 2022)
  • Entra Joined or Hybrid Joined
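As an added example (not from the original post or from Citrix), the following PowerShell readiness check tests a candidate VDA against the OS build and join-state requirements above. It assumes that Windows 11 24H2 and Windows Server 2025 both report OS build 26100 and that `dsregcmd /status` prints `AzureAdJoined : YES/NO` and `DomainJoined : YES/NO` lines; the required monthly patch level is not checked and must be verified separately.

```powershell
# Added example, not Citrix's own tooling. Checks a VDA against the anticipated
# Entra ID SSO prerequisites: OS build (Windows 11 24H2 / Server 2025 = 26100,
# an assumption stated in the lead-in) and Entra or Hybrid join state.
# Run in an elevated PowerShell session on the VDA.

$MinBuild = 26100   # Windows 11 24H2 and Windows Server 2025 share this build number

function Get-VdaJoinState {
    # Parse the dsregcmd /status output into a hashtable of the two join flags.
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Test-VdaEntraSsoReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $join  = Get-VdaJoinState

    # Entra Joined = AzureAdJoined only; Hybrid Joined = AzureAdJoined and DomainJoined.
    # A plain AD-joined VDA (DomainJoined only) does not qualify and still needs FAS.
    $joinType = if ($join['AzureAdJoined'] -and $join['DomainJoined']) { 'Hybrid Joined' }
                elseif ($join['AzureAdJoined'])                       { 'Entra Joined' }
                else                                                  { 'AD only / not joined' }

    [pscustomobject][ordered]@{
        'OS caption'        = $os.Caption
        'OS build'          = $build
        'OS build >= 26100' = ($build -ge $MinBuild)
        'Join type'         = $joinType
        'Ready (OS + join)' = ($build -ge $MinBuild) -and [bool]$join['AzureAdJoined']
    }
}

Test-VdaEntraSsoReadiness | Format-List
```

A result of `Ready (OS + join) : False` with `Join type : AD only / not joined` points at the join state rather than the OS, which is the more common blocker on existing domain-joined VDA images.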

Citrix Infrastructure:

  • Citrix DaaS only (Citrix Virtual Apps and Desktops is a separate, future workstream)
  • Citrix Workspace + Gateway service (StoreFront is a separate, future workstream and may initially require NetScaler)
  • Virtual Delivery Agent 2507 LTSR CU1+ (target)
  • Virtual Delivery Agent 2511 + (target)

Endpoints:

  • Citrix Workspace app for Windows 2507+
  • Citrix Workspace app for Mac 2511+ (target)
  • Citrix Workspace app for Linux 2508+ (target)
  • Citrix Workspace app for ChromeOS 2508+ (target)
  • Citrix Web Extension (Required for hybrid launch scenarios)

Endpoint support for HTML5, iOS, and Android clients is expected in early 2026. Hybrid launches, where users authenticate to Citrix through a browser and start sessions using the native Citrix Workspace app, will require the Citrix Web Extension (available for all major browsers) to bridge the new protocol handler functionality. The Citrix Web Extension is becoming an increasingly important component, enabling many new Citrix features and security controls to function when browser-based authentication is used.

If managing browser extensions has become a constant pain point, this may be a good time to transition users to authenticate directly within the Citrix Workspace app. This approach simplifies deployment, provides access to the latest capabilities, and allows administrators to enforce security policies more easily without relying on an additional browser component.

Migration Path: Moving Away from FAS

In addition to the component and OS requirements being in place, there will also be several configuration changes within Citrix to support the tech preview and subsequent general availability.

Once again, this is preliminary information, and readers are recommended to refer to official Citrix documentation and announcements.

  • Reassign published resources (apps, desktops) to Entra identities instead of AD identities
  • Entra ID or Hybrid Joined VDAs
  • Change Delivery Group logon types from AD to Hybrid or Entra joined

Who Might Still Stick with FAS?

FAS is not going away overnight: while not insurmountable, there are a number of requirements and initial limitations, and organizations move slowly. The following scenarios will still require the use of Citrix FAS at the outset:

  • Citrix Virtual Apps and Desktops (Entra SSO support is a separate development stream)
  • StoreFront (anticipated early 2026)
  • Virtual Delivery Agents older than 2507 CU1
  • Virtual Delivery Agents that cannot be Hybrid Joined
  • Windows 11 older than 24H2
  • Windows Server older than 2025 (unless Microsoft back-ports the protocol handler)
  • Organizations not using Entra ID or relying on a non-federated IdP (one not chained to Entra ID)
  • Environments relying on smart card authentication or other novel authentication modes

FAS will continue to play a role for hybrid identity and advanced PKI-backed scenarios, but for many, this is the beginning of a simpler, certificate-free future.

The Road Ahead: Passwordless, Biometrics, and Beyond

That topic could easily warrant a separate blog on its own. The move toward passwordless authentication is gaining real momentum among customers, and it is already possible today, with a few caveats. Entra ID with Microsoft Authenticator passwordless sign-ins, FIDO2 security keys, Windows Hello for Business, and passkeys all work within certain constraints, particularly when it comes to session screen locks. Personally, I haven’t known my actual password for years, nor do I care to.

Within Citrix sessions, screen lock behavior continues to depend heavily on the type of deployment and operating system. For persistent VDIs running Windows 11 with virtual TPM, Windows Hello PIN sign-in already works well. However, biometric methods such as facial recognition and fingerprint authentication do not yet redirect into the virtual session, although they are firmly on Microsoft’s roadmap.

For Windows Server–based workloads or non-persistent workloads, screen lock handling remains more complicated just as it does with FAS today. In most cases, it is still best to disconnect the session at lock or instruct users to log off and reconnect, as the underlying issue is tied to Windows itself. While third-party vendors could theoretically work around these limitations, few are eager to start modifying the Windows GINA components to make it happen.

Passwordless capabilities are expected to mature alongside Entra ID SSO over the next year, with broader biometric support and more seamless session continuity expected through 2026.

Conclusion: What This Means for Citrix Admins

Citrix’s move to native Entra ID SSO is more than a feature update; it is a foundational shift in how identity and access integrate across the virtual app and desktop ecosystem, both for Microsoft and its partners. For many organizations, it marks the beginning of true token-based modern authentication for their digital workspace infrastructure, removing the overhead of Citrix FAS and enabling the move toward passwordless authentication.

Keep an eye out for Citrix’s Tech Preview and General Availability updates regarding Entra ID SSO, and roadmap updates for on-prem CVAD and non-Entra IdP support. In the meantime, we strongly recommend organizations start upgrading to Citrix 2507 versions for upcoming Entra ID SSO support alongside a swath of other significant feature, performance, and security improvements.

Special thanks to Miguel Contreras (Citrix) for his insights and input on this article.

  • Michael Shuster

    Michael is Ferroque's founder and a noted Citrix authority, overseeing operations and service delivery while keeping a hand in the technical cookie jar. He is a passionate advocate for end-user infrastructure technology, with a rich history designing and engineering solutions on Citrix, NetScaler, VMware, and Microsoft tech stacks.
