Citrix FAS Authorization Certificates Test

The Federated Authentication Service works by dynamically issuing user logon certificates from a Microsoft Certificate Authority. To do this it must first be granted an "Authorization Certificate" (often called an Registration Authority Certificate or Enrollment Agent certificate) to authenticate to the Certificate Authority.

CFAS cannot issue logon certificates if the CA administrator denies its request for an Authorization Certificate, or if its in the possession of expired / invalid certificates. Administrators should therefore track the status of every Authorization Certificate on CFAS and promptly isolate the ones that have expired, have been denied, or are invalid. The Citrix FAS Authorization Certificates test helps administrators with this!

The test auto-discovers all the Authorization Certificates on CFAS, and reports the current status of each certificate.

Target of the test : Citrix Federated Authentication Server

Agent deploying the test : An internal agent

Outputs of the test : One set of the results for each Authorization Certificate

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed. By default, this is set to 5 minutes.


The IP address of the host for which this test is to be configured.


The port at which the specified host listens.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Certificate status

Indicates the current status of this Authorization Certificate.


The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Values Numeric Values
Expired 0
Maintenance Required 1
Maintenance Due 2
Ok 3


By default, this measure reports the Measure Values discussed above to indicate the status of an Authorization Certificate. In the graph of this measure however, the same is indicated using the numeric equivalents only.

Using the detailed diagnosis of this measure, you can determine the details of the Authorization Certificate - this includes the certificate request, the CA to issue the certificate, and the storage container name (TrustArea).

Days to expire

Indicates the number of days within which this Authorization Certificate will expire.


Lower the value of this measure, sooner a certificate will expire.

If this value is very low, it implies that the authorization certificate will expire very soon. To continue using the authorization certificate, you will have to renew the certificate.