Starting with Citrix ADC feature release 13.0 build 64.35, some weak SSO types are no longer honored globally. This affects the Citrix XenDesktop site and the Citrix StoreFront authentication mechanism between Citrix Gateway and StoreFront directly. The following SSO types are now disabled by default:
- Basic authentication
- Digest Access authentication
- NTLM without Negotiate NTLM2 Key or Negotiate Sign
This means that Single Sign-On (SSO) in Citrix ADC and Citrix Gateway now has to be enabled both at the global level and per traffic policy: the types listed above are only honored where a traffic policy explicitly turns SSO on. Citrix recommends that administrators turn SSO OFF globally and enable it on a per-traffic-policy basis. The purpose of the change is to make the SSO configuration more secure by no longer honoring these weak SSO methods globally.
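To make the list above concrete, here is an added example (my own code, not from the post or from Citrix) that classifies an HTTP authentication challenge the way the new default treats it. Basic and Digest are recognised from the WWW-Authenticate scheme; for NTLM the decision depends on the NegotiateFlags of the NTLMSSP message, where "Negotiate Sign" is NTLMSSP_NEGOTIATE_SIGN (0x00000010) and "Negotiate NTLM2 Key" is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (0x00080000) in MS-NLMP terms. The NTLM messages in the block are constructed minimal messages, not captures from a real StoreFront, and the return labels are my own naming:

```python
"""Classify an HTTP authentication challenge the way Citrix ADC 13.0 build 64.35
treats it for SSO: Basic, Digest and NTLM without NEGOTIATE_SIGN or
NEGOTIATE_EXTENDED_SESSIONSECURITY ("Negotiate NTLM2 Key") are no longer
honoured by default. Flag values are from MS-NLMP; all sample messages below
are constructed for this example."""
import base64
import binascii
import struct
from typing import Optional

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_SIGN = 0x00000010                      # "Negotiate Sign"
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "Negotiate NTLM2 Key"
STRONG_FLAGS = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY


def ntlm_flags(msg: bytes) -> int:
    """Return NegotiateFlags from an NTLM NEGOTIATE (type 1) or CHALLENGE (type 2) message."""
    if len(msg) < 16 or msg[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1:                       # NEGOTIATE: flags directly follow MessageType
        return struct.unpack_from("<I", msg, 12)[0]
    if msg_type == 2:                       # CHALLENGE: flags follow the 8-byte TargetNameFields
        if len(msg) < 24:
            raise ValueError("truncated CHALLENGE message")
        return struct.unpack_from("<I", msg, 20)[0]
    raise ValueError(f"unsupported NTLM message type {msg_type}")


def ntlm_is_weak(flags: int) -> bool:
    """Weak in the sense of the release note: neither Sign nor NTLM2 Key negotiated."""
    return flags & STRONG_FLAGS == 0


def classify_challenge(www_authenticate: str, ntlm_message: Optional[bytes] = None) -> str:
    """Map a WWW-Authenticate value (plus the NTLM message, if any) to the ADC default behaviour.

    Returns "disabled-by-default", "honoured", "ntlm-flags-required" (scheme is NTLM but no
    message was supplied) or "not-in-weak-list" (e.g. Kerberos via Negotiate)."""
    scheme, _, param = www_authenticate.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "digest"):
        return "disabled-by-default"
    if scheme == "negotiate" and ntlm_message is None and param:
        # SPNEGO can carry a raw NTLMSSP token; then it is NTLM as far as the weak list goes
        try:
            token = base64.b64decode(param.strip(), validate=True)
        except (binascii.Error, ValueError):
            token = b""
        if token.startswith(NTLM_SIGNATURE):
            scheme, ntlm_message = "ntlm", token
    if scheme == "ntlm":
        if ntlm_message is None:
            return "ntlm-flags-required"
        return "disabled-by-default" if ntlm_is_weak(ntlm_flags(ntlm_message)) else "honoured"
    return "not-in-weak-list"


# --- constructed sample messages (not captured from a real StoreFront) ----------------------
def build_negotiate(flags: int) -> bytes:
    """Minimal NEGOTIATE_MESSAGE: signature, type 1, flags, empty DomainName/Workstation fields."""
    return NTLM_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def build_challenge(flags: int, server_challenge: bytes = b"\x11" * 8) -> bytes:
    """Minimal CHALLENGE_MESSAGE: signature, type 2, empty TargetName fields, flags,
    ServerChallenge, Reserved, empty TargetInfo fields."""
    return (NTLM_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8 + struct.pack("<I", flags)
            + server_challenge + b"\x00" * 8 + b"\x00" * 8)


def negotiate_header(ntlm_message: bytes) -> str:
    """Wrap an NTLMSSP token in a Negotiate header the way a server would send it."""
    return "Negotiate " + base64.b64encode(ntlm_message).decode("ascii")


if __name__ == "__main__":
    weak = 0x00000207                 # UNICODE|OEM|REQUEST_TARGET|NTLM, no SIGN, no NTLM2 Key
    strong = weak | STRONG_FLAGS      # the same with SIGN and EXTENDED_SESSIONSECURITY set
    for header, msg in [('Basic realm="StoreFront"', None),
                        ("NTLM", build_challenge(weak)),
                        ("NTLM", build_challenge(strong)),
                        (negotiate_header(build_negotiate(weak)), None)]:
        print(f"{header[:40]:40} -> {classify_challenge(header, msg)}")
```

When checking a real Gateway-to-StoreFront exchange, the flags that matter are the ones in the CHALLENGE (type 2) message the backend sends, since that is what the ADC, acting as the NTLM client, ends up negotiating.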
This change becomes a practical problem because anyone on the 13.0 track has to install at least 13.0 build 64.35 to close CVE-2020-8245, CVE-2020-8246 and CVE-2020-8247. After installing that build you will see a "Cannot complete your request" message after logging on to your Citrix Gateway or Unified Gateway, because the Gateway no longer performs SSO to StoreFront.
To fix this, create an HTTP traffic action with SSO turned on, wrap it in a traffic policy and bind that policy to the Gateway vServer, which re-enables HTTP SSO for exactly that traffic:
add vpn trafficaction traf_act_HTTPSSO HTTP -SSO ON
add vpn trafficpolicy traf_pol_HTTPSSO true traf_act_HTTPSSO
bind vpn vServer myCitrixGateway -policy traf_pol_HTTPSSO -priority 100 -gotoPriorityExpression END -type REQUEST
NOTE: If you are upgrading from a version below 13.0 you may have to convert your classic policies to advanced policies before you can implement this traffic policy. The rule "true" in the traffic policy above is advanced-policy syntax; it will not be accepted on a vServer that still uses classic policies.
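After rolling the fix out to more than one Gateway it is easy to miss a vServer. The following is an added example (my own code, not from the post) that audits a saved Citrix ADC configuration for Gateway vServers without an HTTP traffic policy that has -SSO ON bound. It only understands the three command shapes shown above plus "add vpn vserver"; the sample configuration is constructed for the example, and two defaults are assumptions: a traffic action without an explicit -SSO option is treated as SSO OFF, and a policy binding without -type is treated as REQUEST.

```python
"""Audit a saved Citrix ADC configuration (ns.conf) for Gateway vServers that have no
HTTP traffic policy with -SSO ON bound, i.e. vServers that lose StoreFront SSO on
13.0 build 64.35 until the traffic policy from the post is added. The sample
configuration is constructed for this example; command syntax follows the
commands shown in the post."""
import shlex
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one vServer with the fix applied, one with an SSO OFF action, one untouched.
SAMPLE_NS_CONF = """\
add vpn vserver myCitrixGateway SSL 0.0.0.0 0
add vpn vserver gw_sso_off SSL 0.0.0.0 0
add vpn vserver gw_unbound SSL 0.0.0.0 0
add vpn trafficAction traf_act_HTTPSSO HTTP -SSO ON
add vpn trafficAction traf_act_noSSO HTTP -SSO OFF
add vpn trafficPolicy traf_pol_HTTPSSO true traf_act_HTTPSSO
add vpn trafficPolicy traf_pol_noSSO true traf_act_noSSO
bind vpn vserver myCitrixGateway -policy traf_pol_HTTPSSO -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver gw_sso_off -policy traf_pol_noSSO -priority 100 -gotoPriorityExpression END -type REQUEST
"""


def _option(tokens: List[str], name: str, default: str = "") -> str:
    """Value following an option such as -SSO (NS CLI option names are case-insensitive)."""
    lowered = [t.lower() for t in tokens]
    try:
        return tokens[lowered.index(name.lower()) + 1]
    except (ValueError, IndexError):
        return default


def audit_http_sso(ns_conf: str) -> Dict[str, bool]:
    """Return {vserver: True if an HTTP traffic action with -SSO ON is bound as a REQUEST policy}."""
    actions: Dict[str, bool] = {}                     # trafficAction name -> enables SSO
    policies: Dict[str, str] = {}                     # trafficPolicy name -> trafficAction name
    bound: Dict[str, List[str]] = defaultdict(list)   # vserver -> bound REQUEST traffic policies
    vservers: List[str] = []
    for line in ns_conf.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4:
            continue
        verb, entity, name = tokens[0].lower(), " ".join(t.lower() for t in tokens[1:3]), tokens[3]
        if verb == "add" and entity == "vpn vserver":
            vservers.append(name)
        elif verb == "add" and entity == "vpn trafficaction" and len(tokens) > 4:
            # tokens[4] is the qualifier (HTTP/TCP); SSO assumed OFF when the option is absent
            actions[name] = tokens[4].upper() == "HTTP" and _option(tokens, "-SSO", "OFF").upper() == "ON"
        elif verb == "add" and entity == "vpn trafficpolicy" and len(tokens) > 5:
            policies[name] = tokens[5]                # tokens[4] is the rule, tokens[5] the action
        elif verb == "bind" and entity == "vpn vserver":
            policy = _option(tokens, "-policy")
            # binding type assumed REQUEST when -type is absent
            if policy and _option(tokens, "-type", "REQUEST").upper() == "REQUEST":
                bound[name].append(policy)
    return {vs: any(actions.get(policies.get(p, ""), False) for p in bound.get(vs, []))
            for vs in vservers}


def vservers_missing_sso(ns_conf: str) -> List[str]:
    """Names of vServers that still need the HTTP SSO traffic policy from the post."""
    return sorted(vs for vs, ok in audit_http_sso(ns_conf).items() if not ok)


if __name__ == "__main__":
    for vs, ok in audit_http_sso(SAMPLE_NS_CONF).items():
        print(f"{vs:20} HTTP SSO traffic policy bound: {ok}")
    print("needs fix:", vservers_missing_sso(SAMPLE_NS_CONF))
```

Feed it the output of "show ns runningConfig" or the saved /nsconfig/ns.conf; a vServer whose only SSO binding points at a TCP action or at an action with -SSO OFF is reported as missing, which is the case that is easy to overlook when a policy is bound but the action was never changed.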
Marco Klose works as a Technical Consultant, Architect and CTO focused on application and desktop virtualization as well as application delivery with the Citrix product portfolio. He specializes in Citrix virtualization, Citrix networking and Microsoft products. He has more than 10 years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he has also been a Citrix Technology Advocate (CTA).