Citrix FAS Not Working

For weeks I’ve been plagued with intermittent, vague complaints about “log ons not working right” when launching a virtual desktop or published app from Citrix DaaS. This is a fairly new environment, but with enough people using it, including myself, that I would know if FAS wasn’t working at all. I’d hear a complaint every couple of weeks from one of the workstation support folks, but when I’d ask they were too busy to reproduce it or would say they were OK, so... on to the next.

Finally, today I had a help desk person provide specific information and a screen shot (yeah!). In this case it was a published application they were launching which ended up here:

This is a good example of how most end users will just work around something and not formally report it. Easy enough – just log in again! But this is definitely a FAS issue.

Going to the FAS server I saw the following error:
Failed to issue a certificate for [upn: helpdeskuser@domain.com role: Default] at [certificate authority: CA1.domain.com\CA1] [exception: MicrosoftCertificateAuthority::SubmitCertificateRequest – the CA returned CR_DISP_DENIED

So clearly the Certificate Authority looked to be unhappy, and I was thinking that I had not set the appropriate permissions somewhere, but that didn’t really make sense since the FAS process was working for the majority of the users.

I logged into the certificate authority and checked the Administrative Events and there was the culprit:

This is why the problem was so sporadic – we have some people with secondary AD accounts or vendor accounts with no email address. Perusing through the log I saw many failures of this type over the past few weeks that no one was reporting.

So the fix was pretty simple. In the Certificate Authority Management Console, go to Certificate Templates, right-click and choose Manage, find the Citrix_SmartcardLogon template, open its Properties, and on the Subject Name tab clear the “Include e-mail name in subject name” and “E-mail name” check boxes. Once saved, I retested with an account that had previously failed and all was right in the FAS world.
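To see how many accounts are exposed to this failure before or after changing the template, the check below reads the template's name flags from Active Directory and lists enabled users with no mail attribute. It is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT), read access to the Configuration partition, and that the template object's cn is Citrix_SmartcardLogon as named above. The function names and the optional SearchBase parameter are hypothetical.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and AD read access.
Import-Module ActiveDirectory

# Template name taken from the post; assumed to match the template object's cn.
$TemplateName = 'Citrix_SmartcardLogon'

# msPKI-Certificate-Name-Flag bits (documented in MS-CRTD).
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000  # "E-mail name" check box
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x20000000  # "Include e-mail name in subject name"

function Test-TemplateRequiresEmail {
    param([Parameter(Mandatory)][string]$Name)
    # Certificate templates live in the forest-wide Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Name)" `
        -Properties 'msPKI-Certificate-Name-Flag'
    if (-not $tpl) { throw "Template '$Name' not found under $base" }
    $flags = [int]$tpl.'msPKI-Certificate-Name-Flag'
    [pscustomobject]@{
        Template          = $Name
        SubjectNeedsEmail = [bool]($flags -band $CT_FLAG_SUBJECT_REQUIRE_EMAIL)
        SanNeedsEmail     = [bool]($flags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL)
    }
}

function Get-EnabledUserWithoutMail {
    param([string]$SearchBase)  # optional OU to limit the search
    # Enabled user accounts (disabled bit 0x2 not set) with an empty mail attribute.
    $filter = '(&(objectCategory=person)(objectClass=user)(!(mail=*))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $params = @{ LDAPFilter = $filter; Properties = 'mail' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

$check = Test-TemplateRequiresEmail -Name $TemplateName
$check | Format-List

# Only report accounts when the template still demands an e-mail name.
if ($check.SubjectNeedsEmail -or $check.SanNeedsEmail) {
    Get-EnabledUserWithoutMail | Sort-Object UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Output "Template '$TemplateName' does not require an e-mail name."
}
```

After the template change described above, both flags should report False and the account list is no longer printed.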
