Starting with Citrix ADC feature release 13.0 build 64.35, some weak SSO types are no longer honored globally. This directly affects Citrix XenDesktop sites and the Citrix StoreFront (SF) authentication mechanism between Citrix Gateway and StoreFront. The following SSO types are now disabled by default:

  • Basic authentication
  • Digest Access authentication
  • NTLM without Negotiate NTLM2 Key or Negotiate Sign

This means that Single Sign-On (SSO) in Citrix ADC and Citrix Gateway has to be enabled at the global level and also at the per-traffic level. Citrix recommends that administrators turn SSO OFF globally and enable it on a per-traffic basis. The change is meant to make SSO configuration more secure by no longer honoring certain types of SSO methods globally.

This change becomes a problem because, if you are already on the version 13 track, you have to install at least 13.0 build 64.35 to close CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247. After installing the latest build you will see a "Cannot complete your request" message after logging in to your Gateway or Unified Gateway.

To solve this issue you have to implement a traffic policy that enables the HTTP SSO feature again:

add vpn trafficaction traf_act_HTTPSSO HTTP -SSO ON
add vpn trafficpolicy traf_pol_HTTPSSO true traf_act_HTTPSSO

bind vpn vServer myCitrixGateway -policy traf_pol_HTTPSSO -priority 100 -gotoPriorityExpression END -type REQUEST

NOTE: If you are upgrading from a version earlier than 13.0, you may have to convert your classic policies to advanced policies before you can implement these traffic policies.
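To confirm that the fix above is actually in place on every Gateway virtual server, the following added example (not part of the original post and not Citrix code) resolves each `bind vpn vserver ... -policy` line through its traffic policy to the traffic action and reports which virtual servers end up with `-SSO ON`. The configuration text is a constructed sample; `legacyGateway`, `traf_act_noSSO`, `traf_pol_noSSO` and the IP addresses are hypothetical.

```python
import shlex

# Constructed ns.conf fragment (sample data, not taken from a real appliance).
SAMPLE_CONF = """
add vpn vserver myCitrixGateway SSL 192.0.2.10 443
add vpn vserver legacyGateway SSL 192.0.2.11 443
add vpn trafficAction traf_act_HTTPSSO HTTP -SSO ON
add vpn trafficAction traf_act_noSSO HTTP -SSO OFF
add vpn trafficPolicy traf_pol_HTTPSSO true traf_act_HTTPSSO
add vpn trafficPolicy traf_pol_noSSO true traf_act_noSSO
bind vpn vserver myCitrixGateway -policy traf_pol_HTTPSSO -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver legacyGateway -policy traf_pol_noSSO -priority 100 -gotoPriorityExpression END -type REQUEST
"""

def option(tokens, flag):
    """Return the value following -flag (matched case-insensitively), or None."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() in lowered[:-1]:
        return tokens[lowered.index(flag.lower()) + 1]
    return None

def audit_sso(conf_text):
    """Map each VPN vserver to the bound traffic policies whose action has -SSO ON."""
    sso_actions, policy_action, binds, result = set(), {}, [], {}
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)      # honours quoted names and expressions
        except ValueError:
            continue                     # skip lines with unbalanced quotes
        if len(tok) < 4:
            continue
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "vserver"]:
            result[tok[3]] = []
        elif head == ["add", "vpn", "trafficaction"]:
            if (option(tok, "-SSO") or "").upper() == "ON":
                sso_actions.add(tok[3])
        elif head == ["add", "vpn", "trafficpolicy"] and len(tok) >= 6:
            policy_action[tok[3]] = tok[5]   # name, rule, action
        elif head == ["bind", "vpn", "vserver"]:
            binds.append((tok[3], option(tok, "-policy")))
    # Resolve binds last so the order of lines in the file does not matter.
    for vserver, policy in binds:
        if policy_action.get(policy) in sso_actions:
            result.setdefault(vserver, []).append(policy)
    return result

def vservers_without_sso(conf_text):
    """Gateway vservers with no SSO-enabling traffic policy bound directly."""
    return sorted(v for v, pols in audit_sso(conf_text).items() if not pols)
```

Only policies bound directly to a virtual server are resolved; traffic policies bound elsewhere are not considered by this check.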

https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html

https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-64-35.html

https://support.citrix.com/article/CTX281474

4 Thoughts to “Citrix ADC 13.0-64-35 and Storefront “Cannot complete your request” (CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247)”

  1. Thanks, Marco! I ran into this and was looking for a solution! You saved my day.

    Alex

    1. Hi Alex, thanks! Nice to hear, have a nice day! Marco

  2. Baba

    Hi Marco,

    I installed this version (13.0 build 64.35) and, after binding the traffic policy, I still have the issue of "your request cannot be completed". Do you have a tip on what else I can check?

    Thanks for your assistance.

    1. Hi,
      do you see any event log entries at your storefront servers?
