Recently I was asked to implement Citrix FAS (Federated Authentication Service) into an existing Citrix Virtual Apps and Desktops (XenApp) environment. While testing the implementation I could not log in using FAS. The following error appeared at the logon screen: “The username or password is incorrect”.
What could be wrong?
Searching the Internet I found Citrix article CTX219849 and a forum post suggesting it had something to do with the PKI infrastructure. But this wasn’t the case.
After double-checking the required GPO settings and the FAS and PKI infrastructure servers, I decided to create a vanilla XenApp PVS image, because I was testing it with the existing PVS image. In this clean image the FAS functionality works: a smartcard certificate is created for the user and I am able to log on to the system.
With that knowledge I looked into the existing PVS image. Some software or setting must be responsible for giving FAS (and me) a hard time.
Looking into the list of installed applications I saw that the Tools4Ever Self-Service Reset Password Management software was installed. SSRPM hooks into the Windows Logon screen by using a Credential Provider. It uses the Credential Provider to place the ‘Forgot my password…’ button on the logon screen.
After uninstalling the SSRPM software in a PVS test image, FAS worked! Now that I had found the culprit, I had to find a way to disable the Credential Provider. Within a XenApp environment the ‘Forgot my password…’ functionality on the logon screen is not used.
Disabling SSRPM Credential Provider
The SSRPM software comes with an ADMX file to configure the software, and sure enough there is also a setting to disable the Credential Provider.
From the SSRPM GPO Distribution Guide:
Enable SSRPM GINA or Credential Provider
Description: Use this value to enable or disable the SSRPM GINA or Credential provider. Set this value to ‘1’ (default) to enable the GINA or credential provider.
Registry value name: GINAEnabled
Registry value type: REG_DWORD
Registry value data: 0 = Disable, 1 = Enable
Registry value syntax: 0 or 1
But sadly this wasn’t working in my case (I do not know if this is caused by the version being used by the customer).
So I decided to disable the Credential Provider by deleting the SSRPM registry keys in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers Registry section. For SSRPM there are two registry keys:
After deleting these two entries in the Citrix PVS image, FAS is working like a charm!
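The same cleanup as an added PowerShell example (not code from the original post or from Tools4Ever): it lists the providers registered under the Credential Providers key so the third-party entries can be identified, then exports each matching key with reg.exe before deleting it. The `*SSRPM*` name pattern and the backup folder are assumptions; the post does not give the key names, so confirm the matches in the listing first.

```powershell
# Added example (not from the original post). Run elevated inside the PVS image
# while it is writable. The '*SSRPM*' pattern and the backup folder are
# assumptions; review the listing before removing anything.
$cpKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$cpRoot = "HKLM:\$cpKey"

function Get-CredentialProvider {
    # One object per registered provider: CLSID subkey plus its default value (friendly name).
    Get-ChildItem -Path $cpRoot | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = $_.GetValue('')   # empty name = the key's default value
            Path  = $_.PSPath
        }
    }
}

function Remove-CredentialProviderByName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NamePattern,
        [string]$BackupDir = 'C:\Temp\CredProvBackup'   # hypothetical location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cp in (Get-CredentialProvider | Where-Object { $_.Name -like $NamePattern })) {
        $regPath = "HKLM\$cpKey\$($cp.Clsid)"
        $backup  = Join-Path $BackupDir "$($cp.Clsid).reg"
        if ($PSCmdlet.ShouldProcess($regPath, 'Export and delete')) {
            # Keep a restorable copy; refuse to delete if the export fails.
            & reg.exe export $regPath $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup failed for $regPath; key not removed." }
            Remove-Item -Path $cp.Path -Recurse
        }
    }
}

# 1. Review what is registered in this image.
Get-CredentialProvider | Sort-Object Name | Format-Table Clsid, Name -AutoSize

# 2. Dry run; repeat without -WhatIf once the matches are the expected ones.
Remove-CredentialProviderByName -NamePattern '*SSRPM*' -WhatIf
```

A removed key can be restored with `reg.exe import` on the exported `.reg` file.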