SAML Archive – Deyda.net

Checklist for NetScaler (Citrix ADC) CVE-2023-4966

Citrix issued an alert (10/10/2023) about a critical vulnerability (CVE-2023-4966) in all NetScaler (Citrix ADC) & Gateway systems. Several working exploits have been published.

Please note that simply updating the systems is not enough. The connection tokens must also be reset.

Important ! There are no patches for NetScaler (Citrix ADC) version 12.1 or older. These systems have reached their EOL and will therefore no longer be equipped with the necessary fix. In this case please update to the latest 13.0, 13.1 or 14.1 version.

The vulnerability allows anonymous remote code execution and thus unauthenticated attackers to take over various machines with root privileges.

SAML Authentication between Citrix & Microsoft with Azure MFA

Update to the latest cloud navigation.

As a result of increasing projects, here is a little how-to with the summary of my previous articles. The main points are:

Azure AD Seamless Single Sign-On (PTA / PHS)
SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)
Citrix Federated Authentication Service (FAS)
Microsoft Azure Multi-Factor-Authentication with Conditional Access

Requirements

Fully working Citrix Virtual Apps and Desktop Environment (StoreFront & DDC Minimum Version 7.9)
NetScaler with successful base configuration & activated Enterprise or Platinum license (Minimum Version 12.1 Build 50+ for native workspace app, for browser Minimum Version 11.1)
Configured Unified Gateway vServer
Internal and external DNS entries for Unified Gateway vServer (e.g. citrix.deyda.net)
Certificates for DNS entries (wildcard certificates are the easiest)
Existing Azure Tenant with Azure-AD base configuration (Domain, AAD Sync) & activated Azure AD Premium license
AD Connect version installed and configured (Minimum Version 1.1.644.0)
Firewall release for *.msappproxy.net on port 443
Domain administrator credentials for the domains that connected to Azure AD via AD Connect
Installed Authenticator App on Test User Mobile Phone

Checklist for NetScaler (Citrix ADC) CVE-2023-3519

Citrix issued an alert yesterday (07/18/2023) about a critical vulnerability (CVE-2023-3519) in all NetScaler (Citrix ADC) & Gateway systems. To date, no working exploits have been published.

Important ! There are no patches for NetScaler (Citrix ADC) version 12.1 or older. These systems have reached their EOL and will therefore no longer be equipped with the necessary fix. In this case please update to the latest 13.0 or 13.1 version.

The vulnerability allows anonymous remote code execution and thus unauthenticated attackers to take over various machines with root privileges.

As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time.

Activation of Azure AD Seamless Single Sign-On

For quite some time (Beginning of 2017) it is now possible to solve SSO scenarios with Azure even without ADFS infrastructure. However, it is only recently that companies has started to not insist on ADFS. Now one may finally also point out the alternative solutions of Microsoft.

The possible scenarios for Seamless SSO are:

Pass-through authentication (PTA)
Password Hash Sync (PHS)

Pass-through authentication (PTA)

Disadvantages

No automatic detection of leaked login data
Azure AD DS requires enabled Password Hash Synchronization feature in tenant to work
Is not part of Azure AD Connect Health

Password Hash Sync (PHS)

“Disadvantage“

Password is synchronized to the cloud (as hash value)

SAML Authentication with Azure AD as IdP and Citrix as SP

Since Citrix XenApp / XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Via Citrix FAS it is possible to authenticate a user via SAML and thus connect Citrix as a service provider to existing identity providers, such as Azure-AD.

Sequence of SAML authentication

The user browse the FQDN (e.g. citrix.deyda.net) of the Citrix Gateway vServer (Service Provider) to start his VA / VD resources
The Citrix Gateway vServer directs the unauthenticated user directly to the Identity Provider (Azure-AD) to authenticate itself (saml: authnRequest)
The Identity Provider points to its SingleSignOnService URL (e.g. login.microsoftonline.com) and the user must authenticate
The user enters his AD credentials and these are checked by the Identity Provider against the user database
Upon successful verification in the user database, the IdP is informed
The IdP issues a token (SAML assertion) and sends it to the Citrix Gateway (saml: response)
Citrix Gateway checks the token (assertion signature) and extracts the UPN from the assertion token. This allows access via SSO to the VA / VD farm via FAS (The SP does not have access to the user’s credentials)