I guess everybody working with Citrix ADC was facing the large DDOS Attack on EDT enabled vServer.
Citrix released updated a new firmware for all supported Versions for fixing the workaround using the “HelloVerifyRequest” setting as there was a bug resulting in a memory leak.
The versions are:
- 13.0-71.44 and later
- 12.1-60.19 and later
- 11.1-65.16 and later
We just updated today one of our affected customers which definitely required EDT on the fresh fixed build 12.1 Build 60.19 to enable UDP based HDX connections again.
Upgrade worked out without any issue, EDT was back available and customer was happy.
However pretty quick the customer IT department was getting users complaining that the Login to Citrix Collaboration Management (aka ShareFile) isn’t working anymore.
We took traces, checked logs and found the following on the ns.log:
„SSO FAIL forwading to client because of weak SSO user <username>“
This sounded familiar to customers surprised in version 13.0, where Citrix decided to deactivate SSO on global level for security reasons (which do sense). See here
But wait, this customer was running version 12.1?!
We checked the release notes, but there was no hint that the SSO behaviour was modified, however, we configured the traffic policies to allow SSO using basic auth on specific ressources and the ShareFile Login (together with other customer internal ressources) was back working.
On a deeper research on Citrix Docs it seems that it is documented but unfortunately not highlighted. See https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/enable-sso-for-auth-pol.html
In other words: Check your Citrix ADC Config if there are any SSO related configurations using Basic, Digest, and NTLM authentication before updating to the latest 12.1 Build, especially if you got AAA Servers or XenMobile/Endpoint Mangement or ShareFile in place.