Carl Webster Accessibility Statement

Carl Webster is committed to facilitating the accessibility and usability of its website,, for everyone. Carl Webster aims to comply with all applicable standards, including the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 up to Level AA (WCAG 2.0 AA). Carl Webster is proud of the efforts that we have completed and that are in-progress to ensure that our website is accessible to everyone.

If you experience any difficulty in accessing any part of this website, please feel free to email us at and we will work with you to provide the information or service you seek through an alternate communication method that is accessible for you consistent with applicable law (for example, through telephone support).

  • New Script: Documenting Citrix Federated Authentication Services with Microsoft PowerShell V1.00

    The Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card.

    I needed a way to document Citrix FAS for a project. I want to thank those in the Citrix Community who tested this script and provided feedback to improve the script and the report.

    This documentation script, being a new script, was used as a proving ground for the changes coming in the rewrites to the Active Directory and Citrix Virtual Apps and Desktops V3 documentation scripts.

    1. The default output format is now HTML.
    2. You can now output in multiple formats.
    3. You can also email multiple reports.
    4. The script makes extensive use of objects and hash tables.
    5. All data is gathered and processed first and then the data is passed to output functions.
    6. Michael B. Smith reworked the Text and HTML output functions.
    7. Michael B. Smith provided the code to validate Active Directory computer, group, and user accounts without needing the Microsoft ActiveDirectory PowerShell module.
    8. Michael B. Smith updated the Microsoft code for the Convert-ToSSDL cmdlet to give you human-readable text on the very cryptic Microsoft ACL and SDDL format.

    Instead of the cryptic:

    Name : Citrix_SmartcardLogon
    ACL : O:S-1-5-21-765892123-4046736924-4110796963-519G:S-1-5-21-765892123-4046736924-4110796963-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DC)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-765892123-4046736924-4110796963-1106)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;DC)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;S-1-5-21-765892123-4046736924-4110796963-1106)(A;;LCRPWPRCWDWO;;;S-1-5-21-765892123-4046736924-4110796963-1106)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;OICI;SD;;;DC)(A;OICIIO;FA;;;DA)(A;;LCRPRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;OICIIO;FA;;;CO)(A;OICIIO;FA;;;SY)

    You get useful human-readable data thanks to the efforts of MBS.

    Figure 1
    Figure 1

    On a side note, MBS was a huge help in getting the script completed that I list him as the script’s co-author.

    What is Documented

    • Root Certificate Authority
      • Certificate Authority server
      • Certificate Authority name
      • Issued to
      • Issued by
      • Valid from dates
    • Certificate Authorities information
      • Certificate authority
        • Address
        • Is accessible
        • Is default
      • Published Templates
        • Template name
        • ACL Owner
        • ACL Group
        • ACL control flags
          • Human-readable descriptions of SDDLs
    • FAS Server
      • FAS address
      • Index
      • Version
      • FAS installed version
      • Maintenance mode
      • Administration ACL
        • ACL owner
        • ACL group
        • ACL control flags
        • Discretionary ACL
    • FAS Rules information
      • Rule name
      • Certificate Authority
      • Certificate template
      • Available after logon
      • Security Access Control Lists
        • List of StoreFront servers that can use this rule
        • List of VDAs the can be logged into by this rule
        • List of users that StoreFront can log in using this rule
    • User Certificate information
      • User Principal Name
      • Role
      • Certificate definition
      • Expiry date

    The script has full help text and a ReadMe. Please read the ReadMe as it contains information on the requirements for running the script and the limitations of the FAS PowerShell cmdlets.

    If you see anything missing or incomplete, or you think something should be added to the report, send me an email.

    You can always find the most current script by going to


    Webster and Michael B. Smith

    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply