The Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card.

I needed a way to document Citrix FAS for a project. I want to thank those in the Citrix Community who tested this script and provided feedback to improve the script and the report.

This documentation script, being a new script, was used as a proving ground for the changes coming in the rewrites to the Active Directory and Citrix Virtual Apps and Desktops V3 documentation scripts.

1. The default output format is now HTML.
2. You can now output in multiple formats.
3. You can also email multiple reports.
4. The script makes extensive use of objects and hash tables.
5. All data is gathered and processed first and then the data is passed to output functions.
6. Michael B. Smith reworked the Text and HTML output functions.
7. Michael B. Smith provided the code to validate Active Directory computer, group, and user accounts without needing the Microsoft ActiveDirectory PowerShell module.
8. Michael B. Smith updated the Microsoft code for the Convert-ToSSDL cmdlet to give you human-readable text on the very cryptic Microsoft ACL and SDDL format.

Instead of the cryptic:

Name : Citrix_SmartcardLogon
ACL : O:S-1-5-21-765892123-4046736924-4110796963-519G:S-1-5-21-765892123-4046736924-4110796963-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DC)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-765892123-4046736924-4110796963-1106)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;DC)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;S-1-5-21-765892123-4046736924-4110796963-1106)(A;;LCRPWPRCWDWO;;;S-1-5-21-765892123-4046736924-4110796963-1106)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;OICI;SD;;;DC)(A;OICIIO;FA;;;DA)(A;;LCRPRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;OICIIO;FA;;;CO)(A;OICIIO;FA;;;SY)

You get useful human-readable data thanks to the efforts of MBS.

On a side note, MBS was a huge help in getting the script completed that I list him as the script’s co-author.

What is Documented

• Root Certificate Authority
  • Certificate Authority server
  • Certificate Authority name
  • Issued to
  • Issued by
  • Valid from dates
• Certificate Authorities information
  • Certificate authority
    • Address
    • Is accessible
    • Is default
  • Published Templates
    • Template name
    • ACL Owner
    • ACL Group
    • ACL control flags
      • Human-readable descriptions of SDDLs
• FAS Server
  • FAS address
  • Index
  • Version
  • FAS installed version
  • Maintenance mode
  • Administration ACL
    • ACL owner
    • ACL group
    • ACL control flags
    • Discretionary ACL
• FAS Rules information
  • Rule name
  • Certificate Authority
  • Certificate template
  • Available after logon
  • Security Access Control Lists
    • List of StoreFront servers that can use this rule
    • List of VDAs the can be logged into by this rule
    • List of users that StoreFront can log in using this rule
• User Certificate information
  • User Principal Name
  • Role
  • Certificate definition
  • Expiry date

The script has full help text and a ReadMe. Please read the ReadMe as it contains information on the requirements for running the script and the limitations of the FAS PowerShell cmdlets.

If you see anything missing or incomplete, or you think something should be added to the report, send me an email. webster@carlwebster.com

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster and Michael B. Smith