Troubleshooting Citrix FAS Event ID 124 and 123

After a recent deployment of new ADCS (Active Directory Certificate Services) and FAS (Federated Authentication Service) servers, it became evident that users were not receiving certificates. Interestingly, the existing production FAS servers, which were running older versions, continued to request certificates successfully.

Reviewing the FAS documentation (https://docs.citrix.com/en-us/federated-authentication-service/current-release/config-manage/ca-configuration#fas-server) showed that certificates can be requested with PowerShell, so I used the code below to simulate a request for a test user.

```powershell
Add-PSSnapin Citrix.A*                      # load the Citrix FAS PowerShell snap-in
$rule  = "default"                          # rule/role in your FAS admin console
$users = @("sjoerd@lab.newyard.online")     # test users (UPNs must be quoted strings)
foreach ( $user in $users )
{
    # Ask FAS which server (and failover server) serves this UPN
    $server = Get-FasServerForUser -UserPrincipalNames $user
    if ( $null -ne $server.Server ) {
        New-FasUserCertificate -Address $server.Server -UserPrincipalName $user -CertificateDefinition "${rule}_Definition" -Rule $rule
    }
    if ( $null -ne $server.Failover ) {
        New-FasUserCertificate -Address $server.Failover -UserPrincipalName $user -CertificateDefinition "${rule}_Definition" -Rule $rule
    }
}
```

I observed Event IDs 124 and 123 in the FAS server event log.

Event ID 124:
[S124] Failed to issue a certificate for [upn: [email protected] role: default] at [certifcate authority: <server>.lab.newyard.online\lab-<server>-CA] [exception: MicrosoftCertificateAuthority::SubmitCertificateRequest – the CA returned CR_DISP_DENIED (code 2)]. [correlation: f901946c-1d9b-4351-9575-2f75eb24094c]

[S124] Failed to issue a certificate for UPN. Citrix FAS Failed request for a Certificate.

Event ID 123:
[S123] Failed to issue a certificate for [upn: [email protected] role: default] [exception: The CSR failed at all configured certificate authorities] [correlation: f901946c-1d9b-4351-9575-2f75eb24094c]

[S123] Failed to issue a certificate for UPN. Citrix FAS Failed request for a Certificate.

Citrix's troubleshooting guide gave no explanation for these error codes. Further research turned up an article indicating that the errors were related to permission issues, but the Citrix documentation did not state explicitly which permissions the templates require.

To address the issue, I removed the Citrix templates from the Certificate Authority (CA) and redeployed them. Regrettably, this did not resolve the problem. Lacking access to another customer environment to compare certificate template permissions against, I set up a CA with FAS in my lab environment.

Upon conducting a comprehensive analysis of permissions associated with all Citrix-related templates, I determined that the templates required the following permissions to operate effectively:

  1. Authenticated Users: Read
  2. Domain Admins: Read, Write, Enroll
  3. Domain Computers: Read, Enroll

This is for the following Templates:

  1. Citrix_RegistrationAuthority
  2. Citrix_RegistrationAuthority_ManualAuthorization
  3. Citrix_SmartcardLogon
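Rather than comparing the three template ACLs by hand in the Certificate Templates console, the following added example (my own script, not from the post or from Citrix) reads each template's security descriptor from the Configuration partition with the ActiveDirectory module's `AD:` drive and checks it against the Read / Write / Enroll rights listed above. It assumes you run it with the ActiveDirectory module installed and an account that can read the `Certificate Templates` container; the Enroll right is identified by the well-known Certificate-Enrollment extended-right GUID.

```powershell
# Added example: audit Citrix template ACLs against the permissions the post found necessary.
# Assumptions: ActiveDirectory module present; the account can read the Configuration partition.
Import-Module ActiveDirectory

$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
                     (Get-ADRootDSE).configurationNamingContext

$templates = 'Citrix_RegistrationAuthority',
             'Citrix_RegistrationAuthority_ManualAuthorization',
             'Citrix_SmartcardLogon'

# Expected rights per identity, as listed in the post
$domain   = (Get-ADDomain).NetBIOSName
$expected = @{
    'NT AUTHORITY\Authenticated Users' = @('Read')
    "$domain\Domain Admins"            = @('Read', 'Write', 'Enroll')
    "$domain\Domain Computers"         = @('Read', 'Enroll')
}

function Get-TemplateRights([string]$TemplateName) {
    # Returns a hashtable: identity -> list of right names ('Read', 'Write', 'Enroll') granted by Allow ACEs
    $acl    = Get-Acl -Path "AD:\CN=$TemplateName,$templateContainer"
    $rights = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (-not $rights.ContainsKey($id)) { $rights[$id] = [System.Collections.Generic.List[string]]::new() }
        $r = $ace.ActiveDirectoryRights
        # GenericAll sets every bit below, so a Full Control ACE is reported as Read, Write and Enroll
        if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)  { $rights[$id].Add('Read') }
        if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) { $rights[$id].Add('Write') }
        if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [guid]::Empty)) {   # Empty GUID = all extended rights
            $rights[$id].Add('Enroll')
        }
    }
    return $rights
}

foreach ($t in $templates) {
    $have = Get-TemplateRights $t
    foreach ($identity in $expected.Keys) {
        $missing = $expected[$identity] | Where-Object { -not ($have[$identity] -contains $_) }
        [pscustomobject]@{
            Template = $t
            Identity = $identity
            Status   = if ($missing) { "MISSING: $($missing -join ', ')" } else { 'OK' }
        }
    }
}
```

Any row marked `MISSING` points at the template and identity whose ACL differs from the working lab, which is exactly the comparison that resolved the issue here; run it in both environments and diff the output. Note that template ACL changes in AD take a replication cycle to reach the CA, and the CA caches template information, so allow for that before retesting with the request script above.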

After changing the template permissions in the customer environment to match those of the lab, certificate issuance started working.
