As Abraham Maslow said, “To the man who only has a hammer, everything he encounters begins to look like a nail.” It’s best to add new tools to your tool kit when they’re essential. Otherwise, you might just be adding distraction and complexity.

Citrix’s Federated Authentication Service (FAS) should be essential. It integrates with your Active Directory certificate authority, enabling your users to be seamlessly authenticated within a Citrix environment.

But maintaining a critical tool like FAS without proper diagnostic resources is risky. You need to ensure that the FAS server and the components it depends on, including the Active Directory certificate authority, are healthy. If they aren’t, the user will encounter launch and VDA single sign-on errors.

A general approach to diagnosing any component is to design a “polling” script that invokes a set of PowerShell cmdlets to check the server and then moves an unhealthy server into maintenance mode based on the result.

The cmdlets available in earlier FAS releases were heavy and took a long time to run, so you couldn’t run them frequently. To fix that, we’ve added a new set of lightweight PowerShell cmdlets, from the Citrix Virtual Apps and Desktops 1906 release onward. These cmdlets are considered lightweight because they can reuse an existing key pair rather than generating a new key pair, which is CPU intensive. Now, monitoring and testing your FAS server’s health is easier than ever.

I encourage you to redesign your “polling” script or to create a new “polling” script using these new lightweight cmdlets so you can diagnose your FAS server:

FAS also provides various PowerShell cmdlets that enable you to perform advanced configuration functions and test and monitor your FAS server.

Please note, you should always consider configuring a special FAS rule for testing. This helps with creating certificates with a shorter lifespan that don’t consume server resources.

For example, if your company is planning to enforce the “SHA256” algorithm as a new hashing algorithm to sign a piece of data, you can check it with a new cmdlet:

C:\PS> $CitrixFasAddress=(Get-FasServer)[0].Address

C:\PS> Test-FasUserCertificateCrypto -UserPrincipalName "xyz@citrixtest.net" -Rule Default -HashingAlgorithm SHA256
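A polling loop of the kind described above, as an added example that is not from the original post or from Citrix. It uses only the two cmdlets shown on this page. The rule name `HealthCheck`, the interval, the failure threshold and the `$OnUnhealthy` action are hypothetical, and it assumes the test cmdlet raises an error when the check fails.

```powershell
# Added example: FAS health poll built from the cmdlets shown on this page.
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1 -ErrorAction SilentlyContinue

# Assumed values: replace with a test account and a dedicated FAS test rule.
$TestUpn       = 'xyz@citrixtest.net'   # UPN from the page's example
$TestRule      = 'HealthCheck'          # hypothetical rule issuing short-lived certificates
$HashAlgorithm = 'SHA256'
$IntervalSec   = 60                     # constructed polling interval
$FailThreshold = 3                      # consecutive failures before acting

# Placeholder action: swap in your own maintenance-mode or alerting step.
$OnUnhealthy = {
    param($Address, $LastError)
    Write-Warning "FAS server $Address unhealthy: $LastError"
}

$failures = @{}   # consecutive failure count per server address

while ($true) {
    foreach ($server in Get-FasServer) {
        $address = $server.Address
        # Same pattern as the page: the server is selected through $CitrixFasAddress.
        $global:CitrixFasAddress = $address
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # Assumption: the cmdlet raises an error when the check fails.
            Test-FasUserCertificateCrypto -UserPrincipalName $TestUpn -Rule $TestRule `
                -HashingAlgorithm $HashAlgorithm -ErrorAction Stop | Out-Null
            $failures[$address] = 0
            Write-Verbose "$address OK in $($timer.ElapsedMilliseconds) ms"
        }
        catch {
            # A single failure may be transient; act only after repeated failures.
            $failures[$address] = [int]($failures[$address]) + 1
            if ($failures[$address] -ge $FailThreshold) {
                & $OnUnhealthy $address $_.Exception.Message
            }
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Logging the elapsed time per check also lets you confirm that the poll stays cheap enough to run at the chosen interval.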

You can learn more about these new cmdlets for the Citrix Federated Authentication Service on our Citrix Docs page.