Problem
You’re attempting to set up a Citrix Federated Authentication Service server to allow using Azure AD authentication with single sign-on but the configuration fails at the Authorize this service with the error:
The authorization request on <CertServerFQDN><CA Name> failed: Failed to Issue certificate: CR_DISP_DENIED (code 2).
Reviewing the Certification Authority management console’s Pending Requests does not show the expected pending request and reviewing the Failed Requests show the FAS server request being denied:
Request Status Code: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)
Request Disposition Message: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Citrix_RegistratrionAuthority_ManualAuthorization.
Attempting to manually enroll from the certificates console for the certificate also fails:
Solution
One of the reasons why the authorization of the FAS server would fail is if the permissions for the Citrix_RegistrationAuthority_ManualAuthorization template is not configured properly. Begin by launching the Certificates Templates Console on the CA that the FAS server is attempting to be authorized and open the properties of the Citrix_RegistrationAuthority_ManualAuthorization template:
Navigate to the Security tab and verify that the Authenticated Users group has Read permissions:
Domain Computers has Read and Enroll:
With the required permissions in place, attempt to authorize the server again and the status should now display:
There is a pending authorization request on CertServerFQDN><CA Name>.
Navigate into the Certification Authority management console’s Pending Requests and you should now see the following pending request:
The operation completed successfully. 0x0 (WIN32:0)
Proceed to authorize the pending request and the Authorize this service step should now complete:
One Response
Excellent post..keep up good work sir.