Citrix FAS: You cannot log on using a smart card

Today I did a Citrix Federated Authentication Service (FAS) implementation at a customer. One of the issues I had was the error: You cannot log on using a smart card.

Doing some research on the internet, I found a blog post from nerdscaler.com (https://nerdscaler.com/storefront-fas-cannot-login-using-smart-card/). This post describes the problem and also a fix. But I noticed that it wasn't working with Firefox and Internet Explorer.

After some troubleshooting I found the solution, using the following rewrite:

add rewrite action RW_ACT_INS_HTTP_HEADER-ExpireSmartCardCookie insert_http_header Set-Cookie "\"CtxsSmartcardAuthenticated=xyz;Path=/Citrix/StoreWeb/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure\""
add rewrite policy RW_POL_INS_HTTP_HEADER-ExpireSmartCardCookie "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/Citrix/StoreWeb/logout.aspx\")" RW_ACT_INS_HTTP_HEADER-ExpireSmartCardCookie
bind vpn vserver VSSERVERNAME -policy RW_POL_INS_HTTP_HEADER-ExpireSmartCardCookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

So the blog post from nerdscaler was good, but the problem was the "/" at the end of the path in the Set-Cookie. The cookie created by StoreFront was bound to the /Citrix/StoreWeb/ path, instead of /Citrix/StoreWeb. A browser only replaces a stored cookie when the name, domain and path all match, so the Set-Cookie didn't apply.
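The path mismatch described above can be reproduced offline. This is an added example, not part of the original post: it uses Python's http.cookiejar as a stand-in for the browser, and the host name and the initial cookie value are constructed.

```python
import email.message
import http.cookiejar
import urllib.request

COOKIE = "CtxsSmartcardAuthenticated"
EXPIRES = "Wednesday, 09-Nov-1999 23:12:40 GMT"  # date used in the rewrite action
BASE = "https://storefront.example"              # constructed host name


class FakeResponse:
    """Minimal response object; CookieJar only calls info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def receive(jar, url_path, set_cookie):
    """Feed one Set-Cookie header to the jar as if it came from url_path."""
    request = urllib.request.Request(BASE + url_path)
    jar.extract_cookies(FakeResponse(set_cookie), request)


def stored_paths(jar):
    """Paths under which the smart card cookie is still stored."""
    return sorted(c.path for c in jar if c.name == COOKIE)


def logout_clears_cookie(expire_path):
    """True if the expiring Set-Cookie removes the StoreFront cookie."""
    jar = http.cookiejar.CookieJar()
    # Constructed: the cookie as the post describes StoreFront setting it,
    # bound to the path with the trailing slash.
    receive(jar, "/Citrix/StoreWeb/",
            f"{COOKIE}=true; Path=/Citrix/StoreWeb/; Secure")
    # The header inserted on the logout.aspx response by the rewrite action.
    receive(jar, "/Citrix/StoreWeb/logout.aspx",
            f"{COOKIE}=xyz;Path={expire_path};expires={EXPIRES}; Secure")
    return stored_paths(jar) == []


if __name__ == "__main__":
    for path in ("/Citrix/StoreWeb", "/Citrix/StoreWeb/"):
        print(f"Path={path!r}: cookie cleared = {logout_clears_cookie(path)}")
```

With Path=/Citrix/StoreWeb the stored cookie survives logout; with Path=/Citrix/StoreWeb/ it is removed.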
