AzureAD PRT with FAS certificates

Most customers are integrating Edge, Office 365, and OneDrive into their non-persistent virtual environments. However, utilizing these requires some additional configuration, and if you throw FAS into the mix you need still more configuration to get the AzureAD PRT working. This guide should provide you the framework to get this set up in your environment.


Azure AD Connect and Zero machine settings

  1. Azure AD Connect needs to be set up in your environment with Password Hash Synchronization, and Hybrid Azure AD join needs to be configured.
  2. Your non-persistent maintenance machine needs to have a dsregcmd /leave command executed during sealing to ensure proper image connection. (See my wiki article on maintenance scripts)
  3. Your non-persistent maintenance machine needs the \Microsoft\Windows\Workplace Join\Automatic-Device-Join scheduled task modified. Add an At Startup trigger. This will register the machine with Azure AD at its startup, and the user account will register with the existing At log on trigger.
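The two image-side changes above (the At Startup trigger on Automatic-Device-Join and the dsregcmd /leave during sealing) can be scripted so they are applied the same way on every maintenance cycle. The following PowerShell is an added example, not code from the original post or from Citrix or Microsoft; it assumes the built-in Workplace Join task path and name shown in step 3 and that it runs elevated on the master image before sealing.

```powershell
# Added example, not from the original post. Run as administrator on the master
# image as part of the sealing/maintenance script. Assumptions: the task path and
# name below are the built-in Workplace Join task; the image is hybrid-joined.

$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'

function Add-StartupTriggerToDeviceJoinTask {
    # Export the task definition, append a <BootTrigger> (the "At startup" trigger
    # in the UI) next to the existing triggers, and re-register it. The existing
    # "At log on" trigger is kept so the user half of the registration still runs.
    $xml = [xml](Export-ScheduledTask -TaskPath $taskPath -TaskName $taskName)
    $ns  = $xml.Task.NamespaceURI
    $triggers = $xml.Task.Triggers
    if ($triggers.BootTrigger) {
        Write-Host 'Startup trigger already present.'
        return $false
    }
    $boot    = $xml.CreateElement('BootTrigger', $ns)
    $enabled = $xml.CreateElement('Enabled', $ns)
    $enabled.InnerText = 'true'
    [void]$boot.AppendChild($enabled)
    [void]$triggers.AppendChild($boot)
    Register-ScheduledTask -TaskPath $taskPath -TaskName $taskName `
        -Xml $xml.OuterXml -Force | Out-Null
    return $true
}

function Invoke-DeviceLeaveForSeal {
    # Remove the master image's own Azure AD device registration so every machine
    # provisioned from it registers itself at first boot (via the trigger above)
    # instead of inheriting the image's device identity.
    & dsregcmd.exe /leave | Out-Null
    # Confirm the registration is gone before the image is sealed.
    $status = & dsregcmd.exe /status
    $line = $status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' } | Select-Object -First 1
    if ($line -and $line -match ':\s*NO\s*$') {
        Write-Host 'Azure AD registration removed; image can be sealed.'
        return $true
    }
    Write-Warning 'Device still reports AzureAdJoined; do not seal yet.'
    return $false
}

Add-StartupTriggerToDeviceJoinTask
Invoke-DeviceLeaveForSeal
```

The trigger is added by editing the exported task XML rather than by piping trigger objects back into Set-ScheduledTask, because the exported XML round-trips the task's existing event and logon triggers unchanged; the function is idempotent, so it is safe to leave in a maintenance script that runs on every seal.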

Certificate Authority Configuration

  1. Modify your Citrix_SmartcardLogon certificate template to handle both Smart Card Logon and Client Authentication.
  2. Create a web server that can host your domain CRL. It needs to be accessible from the Internet over http only.
     If using IIS, edit Request Filtering and enable the Allow double escaping feature, otherwise your Delta CRL won't work.
  3. Edit the NTFS permissions on the CRL web server's root to give your Internal Cert Authority Full Control of this folder.
  4. Create a Windows share to this root directory that gives the Internal Cert Authority servers Read/Write permissions to the folder.
  5. Go to the properties of your Internal Cert Authority, click Extensions and then click Add.
  6. Use file://webserver/share/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl for the Location.
  7. Select Publish CRLs to this location, and Publish Delta CRLs to this location.
  8. Add another extension and use http://outsideurl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl for the Location.
  9. Select Include in CRLs, Include in the CDP Extension of issued certificates, and Include in the IDP extension of issued CRLs.
  10. Right click Revoked Certificates and Publish a new CRL to populate your new distribution points.
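Steps 2 through 10 can also be done from PowerShell, which makes the checkbox-to-flag mapping explicit and gives you a repeatable check that both the base and the delta CRL are actually reachable over plain HTTP. The script below is an added example, not from the original post; the host name crlweb, share name crl, CA computer account CONTOSO\CA01$, site root path and CA common name are assumptions to replace with your own, and outsideurl is the placeholder the post already uses.

```powershell
# Added example, not from the original post. Part A runs on the CRL web server,
# Part B on the issuing CA. Assumed names: web server 'crlweb' sharing the Default
# Web Site root as 'crl', CA computer account 'CONTOSO\CA01$', CA common name
# 'CONTOSO-CA01-CA', and the public name 'outsideurl' from the post.

# ---- Part A: CRL web server (IIS) ----
Import-Module WebAdministration
$crlRoot   = 'C:\inetpub\wwwroot'     # assumed physical root of the Default Web Site
$caAccount = 'CONTOSO\CA01$'          # assumed CA computer account

# Delta CRLs are published as <CaName>+.crl; IIS rejects the encoded '+' unless
# double escaping is allowed in the site's request filtering (step 2 note).
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Step 3: the CA gets Full Control on the root, inherited by the files it writes.
& icacls.exe $crlRoot /grant "${caAccount}:(OI)(CI)F" | Out-Null
# Step 4: share the root so the CA can publish over file:// (only the CA account).
New-SmbShare -Name 'crl' -Path $crlRoot -FullAccess $caAccount | Out-Null

# ---- Part B: issuing CA ----
# CRLPublicationURLs holds one "<flags>:<url>" entry per line. Flag bits match the
# checkboxes on the CA Extensions tab:
#   1   Publish CRLs to this location
#   2   Include in the CDP extension of issued certificates
#   4   Include in CRLs (clients use this to find Delta CRL locations)
#   64  Publish Delta CRLs to this location
#   128 Include in the IDP extension of issued CRLs
# Tokens: %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>.
# -setreg replaces the whole list: if your CA also publishes to AD, keep the
# existing ldap:/// line from "certutil -getreg CA\CRLPublicationURLs".
$urls = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'  # default local path (1+64)
    '65:file://crlweb/crl/%3%8%9.crl'                       # steps 6-7: publish CRL + delta (1+64)
    '134:http://outsideurl/%3%8%9.crl'                      # steps 8-9: CDP/IDP URL (2+4+128)
) -join '\n'                                                # certutil reads a literal \n as separator
& certutil.exe -setreg 'CA\CRLPublicationURLs' $urls | Out-Null
Restart-Service -Name certsvc                               # registry change needs a restart
& certutil.exe -CRL | Out-Null                              # step 10: publish base + delta CRL now

function Test-CrlReachable {
    # Fetches the base and delta CRL over plain HTTP the way a client (or Azure AD)
    # would; a 200 on the '+' name proves the double-escaping change took effect.
    param([string]$CaName = 'CONTOSO-CA01-CA')   # assumed CA common name
    $ok = $true
    foreach ($file in "$CaName.crl", "$CaName+.crl") {
        try {
            $r = Invoke-WebRequest -Uri "http://outsideurl/$file" -UseBasicParsing
            Write-Host ('{0,-40} HTTP {1}  {2} bytes' -f $file, $r.StatusCode, $r.RawContentLength)
        } catch {
            Write-Warning "$file not retrievable: $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

Test-CrlReachable
```

Run Test-CrlReachable from a machine outside the corporate network as well as inside it: Azure AD fetches the CRL from the Internet, so an internal-only success tells you nothing about whether certificate-based authentication will validate.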


Azure Active Directory certificate configuration

  1. Log in to portal.azure.com and drill down to Azure Active Directory.
  2. Click Security.
  3. Click Certificate Authorities.
  4. Click Upload.
     Upload your Domain Root certificate, use http://outsideurl/domain.crl for the CRL URL, and use http://outsideurl/domain+.crl for the Delta CRL URL.
  5. Select Authentication Methods on the left hand pane.
  6. Select Certificate-based authentication.
  7. Enable this feature, and restrict it to the necessary users if you wish to lock this down further.


Client testing

To verify these settings, log in to a non-persistent session with a FAS-backed user session.

Open a command prompt and run dsregcmd /status. You are looking for the following entries to verify it is fully connected.
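As an added example (not the author's, and not the entries the post itself lists), the following PowerShell parses the dsregcmd /status output and checks the device-join and PRT fields that indicate a fully connected session, then surfaces any AADSTS error lines so a failing certificate validation is visible without reading the whole dump. The field names are the standard ones dsregcmd prints; the expected values are an assumption for a working hybrid-join plus PRT configuration.

```powershell
# Added example, not from the original post. Run inside the non-persistent session
# as the FAS-authenticated user. Field names are the standard dsregcmd ones; the
# expected values for a working PRT are an assumption stated here.

function Get-DsregStatus {
    # Turns the "Key : Value" lines of dsregcmd /status into a hashtable.
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $map[$matches[1]] = $matches[2]
        }
    }
    return $map
}

function Test-PrtState {
    param([hashtable]$Status = (Get-DsregStatus))
    # For hybrid join + PRT all three should read YES. AzureAdPrt is the one that
    # stays NO when CBA or the CRL is misconfigured; the other two tell you whether
    # the problem is on the device (join) side or the user (token) side.
    $expected = [ordered]@{
        DomainJoined  = 'YES'
        AzureAdJoined = 'YES'
        AzureAdPrt    = 'YES'
    }
    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        $mark   = if ($actual -eq $expected[$key]) { 'OK' } else { $ok = $false; 'FAIL' }
        Write-Host ('{0,-16} {1,-10} {2}' -f $key, $actual, $mark)
    }
    if ($Status.ContainsKey('AzureAdPrtUpdateTime')) {
        Write-Host "AzureAdPrtUpdateTime $($Status['AzureAdPrtUpdateTime'])"
    }
    return $ok
}

function Get-DsregErrors {
    # Surfaces AADSTS error lines (for example a certificate validation failure
    # from certificate-based authentication) from the same output.
    & dsregcmd.exe /status | Where-Object { $_ -match 'AADSTS\d+|Error' }
}

if (-not (Test-PrtState)) { Get-DsregErrors }
```

If AzureAdJoined is YES but AzureAdPrt is NO, the device registration from the startup trigger worked and the failure is in the user's certificate-based sign-in, which is where the CRL reachability and the uploaded root and intermediate certificates come into play.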

You now should be set up correctly for FSLogix 2210 token functionality, Edge Sync and autologin, Office 365 SSO, and OneDrive autologin with both local authentication and with Federated authentication.

Join the Conversation

2 Comments

  1. Hi Jeff,

    I followed your recommendation settings above, with the exception of the delta CRL. Is this necessary to get PRT token working inside VDI session? I am able to test the Azure CBA by using the O365 login page and selecting the certificate based (user certificate). But when launching VDI, I run the command “dsregcmd /status” and I get error code “AADSTS50017: Validation of given certificate for certificate based authentication failed”. FAS server is configured correctly.

    Any help will be appreciated. Thank you.

    Jose

    1. You will either need to set up the CRL for that external access, or disable CRL checking. Also make sure that you have uploaded all of your Root and Intermediate certificates to Azure as well.
