Citrix FAS Authorization Definitions Test
To generate a user certificate, Citrix FAS requires different types of information such as:
- The CertificateTemplate to request;
- One/more loadbalanced/ failover Certificate Authority Addresses
- The ID of the AuthorizationCertificate to use to authorize the request
- A list of additional Issuance Policy OIDs to add to the certificate request
A flag indicating if the certificate can be used as an in-session Virtual Smart Card, or only for the logon process
At any given point in time, an administrator can vett the configuration of a certificate by viewing the recipe for issuing that certificate - i.e., by viewing the Certificate Definition Objects. The Citrix FAS Authorization Definitions test reports the definition of each certificate, thus enabling administrators to review the configuration and to figure out if anything is out of place.
Primarily, this test reveals which certificate can be used as an in-session Virtual Smart Card, and which can be used only for logging into the Citrix environment. The detailed diagnostics of the test on the other hand, sheds light on the other key certificate configurations such as the certificate template that is requested and the certificate authority addresses.
Target of the test : Citrix Federated Authentication Server
Agent deploying the test : An internal agent
Outputs of the test : One set of the results for each user certificate
How often should the test be executed. By default, this is set to 5 minutes.
The IP address of the host for which this test is to be configured.
The port at which the specified host listens.
To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.
The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
Is in session?
Indicates whether/not this certificate can be used as an in-session Virtual Smart Card.
Certificates that have been configured to be used as in-session certificates are placed in the user's personal certificate store after logon for application use. For example, if you require TLS authentication to web servers within the VDA session, the certificate can be used by Internet Explorer. By default, VDAs will not allow access to certificates after logon.
If the certificate can be used as an in-session Virtual Smart Card, then this measure will report the value Yes. If the certificate can be used only at logon, then this measure will report the value No.
The numeric values that correspond to these measure values are listed in the table below:
By default, this measure will report the Measure Values listed in the table above to indicate whether/not the certificate can be used as an in-session Virtual Smart Card. However, in the graph of this measure, the same will be indicated using the numeric equivalents only.
Use the detailed diagnosis of this measure to know the Microsoft certificate template that this certificate uses and the Certificate Authority Addresses.