Starting with Citrix ADC feature release 13.0 build 64.35, some weak SSO types are no longer honored globally. This directly affects Citrix XenDesktop sites and the authentication mechanism between Citrix Gateway and Citrix StoreFront (SF). These SSO types are now disabled by default:

  • Basic authentication
  • Digest Access authentication
  • NTLM without Negotiate NTLM2 Key or Negotiate Sign

This means that Single Sign-On (SSO) in Citrix ADC and Citrix Gateway has to be enabled at the global level and also at the per-traffic level. Citrix recommends that administrators turn SSO OFF globally and enable it on a per-traffic basis. The enhancement makes the SSO configuration more secure by no longer honoring certain types of SSO methods globally.

This change becomes a problem because, if you are already on the version 13 track, you have to install at least 13.0 build 64.35 to close CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247. After installing the latest build, you will see a "Cannot complete your request" message after logging on to your Gateway or Unified Gateway.

To solve this issue you have to implement a traffic policy that enables the HTTP SSO feature again:

NOTE: If you are upgrading from a version < 13.0, you may have to convert your classic policies to advanced policies before you can implement this traffic policy.
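One way to check a saved configuration for the traffic-policy setup described above; this is an added example, not code from the original post or from Citrix. It parses a constructed ns.conf excerpt and reports the global SSO switch and which Gateway virtual servers have a traffic policy with `-SSO ON` bound directly; global bindings and session actions are not evaluated. The names gw_vs, gw_legacy, sso_act and sso_pol and the 192.0.2.x addresses are assumptions.

```python
import shlex

# Constructed ns.conf excerpt; gw_vs, gw_legacy, sso_act, sso_pol are made-up names.
SAMPLE_NS_CONF = """\
set vpn parameter -SSO OFF
add vpn vserver gw_vs SSL 192.0.2.10 443
add vpn vserver gw_legacy SSL 192.0.2.11 443
add vpn trafficAction sso_act http -SSO ON
add vpn trafficPolicy sso_pol true sso_act
bind vpn vserver gw_vs -policy sso_pol -priority 100
"""

def _opt(tokens, name):
    """Value that follows option `name` (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if name.lower() in lowered[:-1]:
        return tokens[lowered.index(name.lower()) + 1]
    return None

def audit_sso(conf_text):
    """Report the global SSO switch and which gateways have an HTTP SSO traffic policy."""
    global_sso, sso_actions, policies, vservers, bound = None, set(), {}, [], {}
    for line in conf_text.splitlines():
        try:
            t = shlex.split(line)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        head = [x.lower() for x in t[:3]]
        if head == ["set", "vpn", "parameter"]:
            value = _opt(t, "-SSO")
            global_sso = value.upper() if value else global_sso
        elif head == ["add", "vpn", "vserver"] and len(t) > 3:
            vservers.append(t[3])
        elif head == ["add", "vpn", "trafficaction"] and len(t) > 4:
            if t[4].lower() == "http" and (_opt(t, "-SSO") or "").upper() == "ON":
                sso_actions.add(t[3])
        elif head == ["add", "vpn", "trafficpolicy"] and len(t) > 5:
            policies[t[3]] = t[5]  # name -> action (t[4] is the rule)
        elif head == ["bind", "vpn", "vserver"] and len(t) > 3:
            policy = _opt(t, "-policy")
            if policy:
                bound.setdefault(t[3], set()).add(policy)
    sso_policies = {p for p, action in policies.items() if action in sso_actions}
    covered = sorted(v for v in vservers if bound.get(v, set()) & sso_policies)
    return {"global_sso": global_sso,
            "with_sso_traffic_policy": covered,
            "without_sso_traffic_policy": sorted(set(vservers) - set(covered))}

if __name__ == "__main__":
    print(audit_sso(SAMPLE_NS_CONF))
```

A `global_sso` of `None` means the excerpt contains no `set vpn parameter -SSO` line, not that the appliance setting is known.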

https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html

https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-64-35.html

https://support.citrix.com/article/CTX281474

2 Thoughts to “Citrix ADC 13.0-64-35 and Storefront “Cannot complete your request” (CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247)”

  1. Thanks, Marco! I ran into this and was looking for a solution! You saved my day.

    Alex

    1. Hi Alex, thanks! Nice to hear, have a nice Day! Marco
