FAS V2 ticketing and the registry address list

Prior to FAS 2511, FAS created V1 (version 1) format tickets, which start with an index byte. The VDA needs to determine which FAS server issued the ticket. It does this by using the index byte to look up the FAS address from the list of FAS addresses in its registry.

GPO generally configures the list of FAS addresses on the VDA. On Windows VDAs, the registry location of the address list is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses.

The address list on the VDA must exactly match the address list on StoreFront (same entries, same order), otherwise single sign-on fails. This requirement was a significant source of configuration errors for customers, especially ones with complex deployments.

FAS 2511 introduces V2 (version 2) format tickets. The address (that is, FQDN and port) of the FAS server is written into the ticket itself, thus the VDA does not need to consult the registry address list.
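The following PowerShell is an added illustration of the V1 lookup described above; it is not Citrix code. It assumes that the Addresses key holds string values named Address1, Address2, ... in index order and that the index byte is a 0-based position into that ordered list (the page does not state the base), and it uses constructed sample lists and a constructed ticket so it runs offline:

```powershell
# Added example (not Citrix code): resolve a V1 ticket's index byte against the
# VDA registry address list and compare that list with StoreFront's.
# ASSUMPTION: the Addresses key holds string values Address1..AddressN in index
# order, and the index byte is a 0-based position into that ordered list.

$AddressesKey = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'

function Get-FasRegistryAddressList {
    param([string]$Key = $AddressesKey)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-ItemProperty -Path $Key
    # Sort Address1, Address2, ... numerically so the index order is preserved.
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^Address(\d+)$' } |
        Sort-Object { [int]($_.Name -replace '^Address', '') } |
        ForEach-Object { $_.Value }
}

function Resolve-FasV1TicketAddress {
    param([byte[]]$Ticket, [string[]]$AddressList)
    $index = [int]$Ticket[0]          # V1 tickets start with an index byte
    if ($index -ge $AddressList.Count) {
        throw "Index byte $index has no entry in a $($AddressList.Count)-entry address list"
    }
    return $AddressList[$index]
}

function Compare-FasAddressLists {
    param([string[]]$VdaList, [string[]]$StoreFrontList)
    # Order matters: the index byte is positional, so a reordered list is a mismatch.
    if ($VdaList.Count -ne $StoreFrontList.Count) { return $false }
    for ($i = 0; $i -lt $VdaList.Count; $i++) {
        if ($VdaList[$i] -ne $StoreFrontList[$i]) { return $false }
    }
    return $true
}

# Constructed sample data for offline use (not taken from a real deployment).
$vdaList        = @('fas1.example.com', 'fas2.example.com')
$storeFrontList = @('fas2.example.com', 'fas1.example.com')   # same servers, different order
$sampleTicket   = [byte[]](1, 0xDE, 0xAD, 0xBE, 0xEF)           # index byte 1 + opaque payload

Write-Host ("VDA resolves index {0} to: {1}" -f $sampleTicket[0], (Resolve-FasV1TicketAddress $sampleTicket $vdaList))
Write-Host ("StoreFront resolves index {0} to: {1}" -f $sampleTicket[0], (Resolve-FasV1TicketAddress $sampleTicket $storeFrontList))
Write-Host ("Lists match: {0}" -f (Compare-FasAddressLists $vdaList $storeFrontList))
# The same index byte points at different FAS servers on the two sides, so SSO fails.

# On a real VDA, replace $vdaList with the registry contents:
# $vdaList = Get-FasRegistryAddressList
```

The comparison is positional on purpose: two lists with the same servers in a different order still break V1 single sign-on, which is exactly the class of error that embedding the address in a V2 ticket removes.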

Compatibility

From 2511 onwards, FAS generates V2 tickets by default. V2 tickets are compatible with all Windows and Linux VDA versions.

VDAs prior to version 2511 continue to consult the registry address list, using the index byte as described in the previous section.

Only 2511 and later Windows and Linux VDAs are able to parse V2 tickets, and therefore do not need the registry address list.

V2 tickets are compatible with any version of StoreFront, and a StoreFront upgrade is not necessary.

If you experience issues with V2 tickets, you can configure FAS to generate V1 tickets using this PowerShell command:

Set-FasServer -Address localhost -TicketVersion 1

To revert to V2 tickets generation, use this PowerShell command:

Set-FasServer -Address localhost -TicketVersion 2

FAS ticket version the VDA understands

Only VDA 2511 and above can parse V2 tickets. Previous versions treat the V2 ticket as if it were a V1 ticket.

To confirm whether a VDA understands the V2 ticket version, inspect the event log on the FAS server.

If both FAS and your VDA are 2511 or later, you should see an event log entry similar to the following during VDA launch. The event is in the Windows Logs > Application log on your FAS server:

Level: Information
Source: Citrix.Authentication.FederatedAuthenticationService
EventId: 204
Text: [S204] Relying party [VDA machine name] accessing the Logon Provider for [User UPN] in role: [FAS Role] [Operation: XXXX] as authorized by [StoreFront machine name]. Caller ticket version: 2. [correlation: XXXX]

In this event, the caller ticket version is 2. This indicates that the VDA doesn’t need to be configured with a registry FAS address list.

Conversely, if your VDA does not support V2 tickets, the event log entry has caller ticket version 1:

Level: Information
Source: Citrix.Authentication.FederatedAuthenticationService
EventId: 204
Text: [S204] Relying party [VDA machine name] accessing the Logon Provider for [User UPN] in role: [FAS Role] [Operation: XXXX] as authorized by [StoreFront machine name]. Caller ticket version: 1. [correlation: XXXX]
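Checking one launch at a time in Event Viewer does not scale, so here is an added PowerShell report (not Citrix code) that reads EventId 204 from the Application log on the FAS server and summarises, per relying party (VDA), which ticket versions it has presented. The regular expressions assume the message wording shown above; the sample messages, machine names, UPNs, role and operation values are constructed so the report runs offline:

```powershell
# Added example (not Citrix code): summarise FAS event 204 entries by relying
# party (VDA) and the ticket version each one presented.
# ASSUMPTION: the message layout matches the page's example text.

$FasProvider = 'Citrix.Authentication.FederatedAuthenticationService'

function ConvertFrom-FasEvent204 {
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $vda = if ($Message -match 'Relying party \[([^\]]+)\]') { $Matches[1] } else { $null }
        $ver = if ($Message -match 'Caller ticket version:\s*(\d+)') { [int]$Matches[1] } else { $null }
        if ($vda -and ($null -ne $ver)) {
            [pscustomobject]@{ Vda = $vda; TicketVersion = $ver }
        }
    }
}

function Get-FasTicketVersionReport {
    param([string[]]$Messages)
    if (-not $Messages) {
        # Live mode: read EventId 204 from the Application log on this FAS server.
        $Messages = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = $FasProvider; Id = 204
        } -ErrorAction SilentlyContinue | ForEach-Object { $_.Message }
    }
    $Messages | ConvertFrom-FasEvent204 |
        Group-Object Vda |
        ForEach-Object {
            $versions = $_.Group.TicketVersion | Sort-Object -Unique
            [pscustomobject]@{
                Vda              = $_.Name
                Launches         = $_.Count
                TicketVersions   = ($versions -join ',')
                # Any V1 launch means this VDA still depends on the registry address list.
                NeedsAddressList = ($versions -contains 1)
            }
        }
}

# Constructed sample messages (not real log data) so the report runs offline.
$sample = @(
  '[S204] Relying party [VDA-NEW01] accessing the Logon Provider for [alice@example.com] in role: [Default] [Operation: Logon] as authorized by [SF01]. Caller ticket version: 2. [correlation: 1111]',
  '[S204] Relying party [VDA-OLD01] accessing the Logon Provider for [bob@example.com] in role: [Default] [Operation: Logon] as authorized by [SF01]. Caller ticket version: 1. [correlation: 2222]',
  '[S204] Relying party [VDA-NEW01] accessing the Logon Provider for [carol@example.com] in role: [Default] [Operation: Logon] as authorized by [SF01]. Caller ticket version: 2. [correlation: 3333]'
)
Get-FasTicketVersionReport -Messages $sample | Format-Table -AutoSize
# On the FAS server, call Get-FasTicketVersionReport with no arguments to use the live log.
```

A VDA that shows NeedsAddressList = True is still resolving FAS through its registry address list, so that list must stay in place (and in sync with StoreFront) until the VDA is upgraded to 2511 or later.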

Configure FAS V2 tickets with StoreFront

Any version of StoreFront can be used, since the FAS ticket is opaque to StoreFront, and no special configuration is required.

Configuration of FAS server addresses on StoreFront continues to use the registry address list, supplied using a GPO.

Configure FAS V2 tickets with Citrix Cloud Workspace

When FAS is connected to Citrix Cloud, FAS requires that its own address is present in its registry address list. This behavior exists to support V1 tickets. If the address is not found, the FAS admin console displays a warning, and FAS doesn’t provide single sign-on for Citrix Cloud Workspace launches.

However, if your entire deployment is using V2 tickets (that is, your FAS server and VDAs are 2511 or later), then there is no need for the registry address list on the FAS server.

You can use the following PowerShell to prevent a cloud-connected FAS from requiring the registry address list:

Set-FasCloudConfig -Address localhost -SkipGpoCheck $true

Other PowerShell changes

In addition to the commands noted above, the following changes have been made in FAS 2511’s PowerShell.

Display the FAS server’s FQDN and port

The following PowerShell command now returns the FQDN and listening port of the FAS server. This is the FAS address information encoded into V2 tickets.

Get-FasServer -Address localhost

Address parameter of cmdlets

Prior to 2511, any Address parameter of a FAS PowerShell command (other than “localhost”) was checked against the FAS server’s registry address list. To change this behavior, it was necessary to use the following command:

Set-FasAdministrationPolicy -CheckAddressAgainstGpo $false

From 2511 onwards, FAS PowerShell commands don’t check the Address parameter against the address list. To revert to the previous behavior, run the following PowerShell command:

Set-FasAdministrationPolicy -CheckAddressAgainstGpo $true