Federated Authentication Service 2411

Renew FAS authorization certificates without disruption to users

Previously, renewing FAS authorization certificates caused disruption to users. With this change, the renewal process has been simplified and no longer disrupts users. For more information, see Renew FAS authorization certificate.

Improved process for managing key storage with FAS

Previously, the location where FAS private keys are stored was configured through the Citrix.Authentication.FederatedAuthenticationService.exe.config XML file. This was a pain point to manage, and the configuration was not preserved over FAS upgrades. With this change, PowerShell cmdlets are used for private key configuration. Configuration for user and RA certificate private keys is stored separately, further simplified, and preserved over upgrades. For more information, see Private key protection.

Support for Elliptic Curve keys

Until now, FAS has only supported RSA keys for use in its certificates. With this change, FAS introduces support for ECC certificates. For more information, see Example 4 - Use Elliptic Curve keys.

Federated Authentication Service KSP remoting (General Availability)

With this change, the remoting of cryptographic operations from a Windows VDA to the FAS server is achieved using a pair of Key Storage Providers (KSPs) running on the VDA. This replaces the Cryptographic Service Providers (CSPs) used in previous versions of FAS. KSPs are the latest way of exposing cryptographic operations to Windows applications and support more capabilities. For more information, see KSP remoting.

For information about bug fixes, see Fixed issues.
