Security advisory for Citrix SSON for pass through authentication on domain registered devices

Article ID: CTX464106

Description

Citrix recommends one of the following as an alternate option:

  1. Move to Enhanced domain pass-through for single sign-on, which is detailed here.
  2. Leverage Federated Authentication Service (FAS) to achieve pass-through authentication: FAS integrates with your Active Directory certificate authority, allowing users to be seamlessly authenticated without the Citrix Workspace app storing the password. The SSON component need not be installed on the endpoint, and you will need to set the SSONCheckEnabled registry key on the device to false as detailed here (refer to the Notes section).
  3. Temporarily disable SSON and domain pass-through: the user will be prompted to enter credentials when logging in to the Workspace app and on launch of the virtual desktop / application.
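A PowerShell posture check for option 2, added here as an example and not part of the Citrix advisory: it reports whether SSONCheckEnabled is set to false and whether the SSON helper process is present on the endpoint. It assumes the value lives under the Citrix AuthManager registry key and that the SSON component runs as ssonsvr.exe; verify both against your own installation.

```powershell
# Added example (not from the Citrix advisory). Assumptions: SSONCheckEnabled is a
# string value under the Citrix AuthManager key (WOW6432Node on 64-bit Windows), and
# the SSON component runs as ssonsvr.exe. Adjust both if your deployment differs.

function Test-CitrixSsonPosture {
    [CmdletBinding()]
    param(
        [string[]]$AuthManagerKeys = @(
            'HKLM:\SOFTWARE\WOW6432Node\Citrix\AuthManager',
            'HKLM:\SOFTWARE\Citrix\AuthManager'
        )
    )

    $findings = [ordered]@{}

    # 1. SSONCheckEnabled should be "false" so Workspace app stops looking for SSON.
    $value = $null
    foreach ($key in $AuthManagerKeys) {
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $props.SSONCheckEnabled) {
                $value = $props.SSONCheckEnabled
                break
            }
        }
    }
    $findings['SSONCheckEnabled']  = if ($null -eq $value) { '<not set>' } else { "$value" }
    # -eq on strings is case-insensitive in PowerShell, so "False" also passes.
    $findings['SSONCheckDisabled'] = ("$value".Trim() -eq 'false')

    # 2. The SSON helper process should not be running on the endpoint.
    $sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
    $findings['SsonProcessRunning'] = [bool]$sson

    # Compliant with option 2 only when both conditions hold.
    $findings['Compliant'] = $findings['SSONCheckDisabled'] -and -not $findings['SsonProcessRunning']
    [pscustomobject]$findings
}

Test-CitrixSsonPosture | Format-List
```

Run it from an elevated prompt on a managed endpoint, or wrap the call in Invoke-Command to collect the same object from a fleet.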

Citrix also asks customers to update to the latest versions of the Workspace app, which include enhancements that improve security posture.

  • CWA 2503.10: https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html

  • CWA 2402 LTSR Cumulative Update 3 Hotfix 1: https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/workspace-app-for-windows-LTSR-Latest.html

Watch this space for new feature announcements.

Issue/Introduction

Note: This advisory is ONLY applicable to customers who have installed the Citrix SSON component with Citrix Workspace App for Windows to enable pass-through authentication on domain registered devices.

Citrix is aware of a new Mimikatz module that claims to be able to retrieve Citrix SSON stored passwords from user-level process memory.

Additional Information

Changelog

Date        Change
12-02-2022  Initial Publication
07-25-2025  Updated recommendation