I’ve had the opportunity to work in a locked-down environment, so I am fairly familiar with DISA STIGs and the types of settings that are required to be applied to workstations and servers in that environment. I was recently working on a Citrix implementation and ran into a couple of issues caused by these settings.
The first I was able to find an answer for fairly quickly. I could not get any of the desktop VDAs to register with the Delivery Controller. I checked all the usual suspects – DNS, time sync – no luck. What it ended up being was that there was a GPO applied to the VDAs for “Access this computer from the network”, and the NT Authority\Network account had been removed from that permission.
The second issue was pretty frustrating. This was a Citrix Cloud configuration with an on-prem Resource Location including the 2 Cloud Connect servers, desktop VDAs and a FAS server. FAS was set up per the documentation, which in a Cloud environment is pretty straightforward, as Citrix handles the StoreFront and Delivery Controller settings. After logging into Citrix Workspace with Azure AD credentials, the desktop would launch, stop and prompt for credentials instead of passing them through using the certificate the VDA was supposed to retrieve from the FAS server. I could see that the CA issued the certificate and that it made it to the FAS server, but the VDA never communicated with the FAS server at all and there were no errors anywhere. I ended up contacting Citrix support and got a first-level engineer who had me do multiple traces and screenshots over the course of 3 weeks. Luckily this implementation was still in testing, so this wasn’t a big issue. Citrix support has not been the most responsive lately. Finally the ticket was escalated to a next-level engineer. I told him again that this was a locked-down environment and I suspected a GPO setting, and within 5 minutes he gave me the answer – check for the GPO setting Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Always prompt for password upon connection. Yup, that was it!
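To avoid weeks of tracing next time, the two settings above can be audited directly on a VDA. The script below is an added example written for this post, not Citrix or Microsoft code; it assumes the policies arrive via GPO (so the RDS setting lands under the Policies registry hive as fPromptForPassword) and that NT AUTHORITY\NETWORK is SID S-1-5-2. Run it elevated on the VDA.

```powershell
# Added example: check a VDA for the two STIG-driven GPO settings that
# broke VDA registration and FAS single sign-on in the post above.

function Test-NetworkLogonRight {
    # Export the effective user-rights assignments with secedit and check
    # whether NT AUTHORITY\NETWORK (S-1-5-2) still holds
    # "Access this computer from the network" (SeNetworkLogonRight).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight\s*=' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }   # right granted to nobody at all
    # secedit lists the grantees comma-separated, SIDs prefixed with '*'
    $sids = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    return ($sids -contains '*S-1-5-2')
}

function Test-AlwaysPromptForPassword {
    # "Always prompt for password upon connection" (Computer Configuration >
    # Admin Templates > Windows Components > Remote Desktop Services >
    # Remote Desktop Session Host) writes fPromptForPassword = 1 here
    # when enabled through Group Policy (assumed policy path).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = Get-ItemProperty -Path $key -Name fPromptForPassword -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.fPromptForPassword -eq 1)
}

if (-not (Test-NetworkLogonRight)) {
    Write-Warning 'NT AUTHORITY\NETWORK lacks "Access this computer from the network": VDA registration with the Delivery Controller will fail.'
} else {
    Write-Host 'OK: NETWORK can access this computer from the network.'
}

if (Test-AlwaysPromptForPassword) {
    Write-Warning '"Always prompt for password upon connection" is enabled: the FAS certificate logon will be replaced by a credential prompt.'
} else {
    Write-Host 'OK: RDS is not forcing a password prompt on connection.'
}
```

If either warning fires, look at the GPO that sets the value (gpresult /h can show which one) rather than editing the local setting, since the policy will simply reapply.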