Citrix FAS Authorization Definitions Test

To generate a user certificate, Citrix FAS requires different types of information such as:

  • The CertificateTemplate to request
  • One or more load-balanced or failover Certificate Authority Addresses
  • The ID of the AuthorizationCertificate to use to authorize the request
  • A list of additional Issuance Policy OIDs to add to the certificate request
  • A flag indicating if the certificate can be used as an in-session Virtual Smart Card, or only for the logon process

At any given point in time, an administrator can vet the configuration of a certificate by viewing the recipe for issuing that certificate, i.e., by viewing the Certificate Definition Objects. The Citrix FAS Authorization Definitions test reports the definition of each certificate, thus enabling administrators to review the configuration and to figure out if anything is out of place.

Primarily, this test reveals which certificates can be used as an in-session Virtual Smart Card, and which can be used only for logging into the Citrix environment. The detailed diagnostics of the test, on the other hand, shed light on the other key certificate configurations, such as the certificate template that is requested and the certificate authority addresses.

 

Target of the test : Citrix Federated Authentication Server

Agent deploying the test : An internal agent

Outputs of the test : One set of the results for each user certificate

Configurable parameters for the test
Parameter Description

Test Period

How often the test should be executed. By default, this is set to 5 minutes.

Host

The IP address of the host for which this test is to be configured.

Port

The port at which the specified host listens.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Is in session?

Indicates whether or not this certificate can be used as an in-session Virtual Smart Card.

 

Certificates that have been configured to be used as in-session certificates are placed in the user's personal certificate store after logon for application use. For example, if you require TLS authentication to web servers within the VDA session, the certificate can be used by Internet Explorer. By default, VDAs will not allow access to certificates after logon.

If the certificate can be used as an in-session Virtual Smart Card, then this measure will report the value Yes. If the certificate can be used only at logon, then this measure will report the value No.

The numeric values that correspond to these measure values are listed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure will report the Measure Values listed in the table above to indicate whether or not the certificate can be used as an in-session Virtual Smart Card. However, in the graph of this measure, these values will be represented using their numeric equivalents only.

Use the detailed diagnosis of this measure to know the Microsoft certificate template that this certificate uses and the Certificate Authority Addresses.
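
As an added example (not part of eG Enterprise or of Citrix's own code), the following PowerShell compares certificate definitions against an approved baseline and flags any definition that allows in-session use, requests a different template, or lists an unapproved Certificate Authority address. The function name Test-FasDefinition, the baseline format and all sample values are assumptions constructed for illustration; the property names follow the output of the FAS Get-FasCertificateDefinition cmdlet.

```powershell
# Added example: review FAS certificate definitions against an approved baseline.
# Test-FasDefinition and the baseline layout are hypothetical; sample values are constructed.
function Test-FasDefinition {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Definition,
        [Parameter(Mandatory)] [hashtable] $Baseline   # definition name -> expected settings
    )
    process {
        $findings = @()
        $expected = $Baseline[$Definition.Name]
        if ($null -eq $expected) {
            $findings += 'definition is not in the baseline'
        } else {
            if ($Definition.MsTemplate -ne $expected.MsTemplate) {
                $findings += "template '$($Definition.MsTemplate)' differs from baseline"
            }
            # In-session certificates stay usable by applications after logon, so flag drift.
            if ([bool]$Definition.InSession -and -not $expected.InSession) {
                $findings += 'in-session use enabled but baseline is logon-only'
            }
            $extraCAs = @($Definition.CertificateAuthorities |
                Where-Object { $_ -notin $expected.CertificateAuthorities })
            if ($extraCAs.Count -gt 0) { $findings += "unapproved CA address: $($extraCAs -join ', ')" }
        }
        [pscustomobject]@{
            Name      = $Definition.Name
            InSession = [bool]$Definition.InSession
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed baseline and sample definitions (not taken from a real deployment).
$baseline = @{
    'default_Definition' = @{
        MsTemplate             = 'Citrix_SmartcardLogon'
        InSession              = $false
        CertificateAuthorities = @('ca1.example.test\Example-CA')
    }
}
$sample = @(
    [pscustomobject]@{ Name = 'default_Definition'; MsTemplate = 'Citrix_SmartcardLogon'
        InSession = $true; CertificateAuthorities = @('ca1.example.test\Example-CA') },
    [pscustomobject]@{ Name = 'legacy_Definition'; MsTemplate = 'Citrix_SmartcardLogon'
        InSession = $false; CertificateAuthorities = @('ca9.example.test\Old-CA') }
)
$sample | Test-FasDefinition -Baseline $baseline | Format-Table -AutoSize
# Live data: Get-FasCertificateDefinition -Address <FAS server FQDN> | Test-FasDefinition -Baseline $baseline
```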