Note: This advisory is ONLY applicable to customers who have installed the Citrix SSON component with Citrix Workspace App for Windows to enable pass-through authentication on domain-registered devices.
Citrix is aware of a new Mimikatz module that claims to be able to retrieve Citrix SSON stored passwords from user-level process memory.
Citrix recommends one of the following alternatives:
Leverage Federated Authentication Service (FAS) to achieve pass-through authentication: FAS integrates with your Active Directory certificate authority, allowing users to be authenticated seamlessly without Citrix Workspace app storing the password. The SSON component need not be installed on the endpoint, and you will need to set the SSONCheckEnabled registry key on the device to false as detailed here (refer to the Notes section).
Temporarily disable SSON and domain pass-through: the user will be prompted to enter credentials when logging in to the Workspace App and on launch of a virtual desktop or application.
Citrix also asks customers to update to the latest versions of the Workspace App, which include enhancements that improve security posture.
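As an added example (not Citrix's own script or documentation), the following PowerShell audits a Windows endpoint against both options above and can apply the second one by writing SSONCheckEnabled = false. The AuthManager registry paths, the ssonsvr process name for the SSON component, and the uninstall-key lookup for the installed version are assumptions not stated on this page; confirm the key location against the linked Notes section before relying on it.

```powershell
<#
Added example, not Citrix's own tooling: report the SSON mitigation state from
this advisory (SSONCheckEnabled value, SSON process, installed Workspace App
build) and optionally apply option 2, "temporarily disable SSON".
Assumptions not stated on the page: the AuthManager registry paths, the
ssonsvr process name, and the uninstall-key lookup for the installed version.
Run from an elevated PowerShell session; -DisableSson honours -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableSson   # write SSONCheckEnabled = false instead of only reporting
)

# Assumed AuthManager key locations (native view, and 32-bit view on 64-bit Windows).
$authManagerKeys = @(
    'HKLM:\SOFTWARE\Citrix\AuthManager',
    'HKLM:\SOFTWARE\WOW6432Node\Citrix\AuthManager'
)

# Fixed releases named in the advisory, shown for manual comparison with the installed build.
$fixedReleases = @('2210.5', '2203 LTSR CU2', '1912 LTSR CU7 Hotfix')

function Get-WorkspaceAppInstall {
    # Standard Windows uninstall entries; DisplayVersion is whatever the installer registered.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-SsonState {
    # One row per AuthManager key that exists, plus whether the (assumed) SSON process is running.
    foreach ($key in $authManagerKeys) {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name SSONCheckEnabled -ErrorAction SilentlyContinue).SSONCheckEnabled
            [pscustomobject]@{ Item = $key; State = "SSONCheckEnabled = $value" }
        }
    }
    $running = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Item = 'ssonsvr process (assumed name)'; State = "running = $running" }
}

function Disable-Sson {
    # Option 2 from the advisory: set SSONCheckEnabled to the string "false" (REG_SZ)
    # under every AuthManager key present. Users are then prompted for credentials.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $authManagerKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set SSONCheckEnabled = false')) {
            Set-ItemProperty -Path $key -Name SSONCheckEnabled -Value 'false' -Type String
        }
    }
}

Write-Host 'Installed Citrix Workspace App:'
Get-WorkspaceAppInstall | Format-Table -AutoSize
Write-Host "Fixed releases per advisory: $($fixedReleases -join '; ')"

Write-Host 'Current SSON state:'
Get-SsonState | Format-Table -AutoSize

if ($DisableSson) {
    Disable-Sson
    Write-Host 'Re-run without -DisableSson to confirm the new value; the linked Notes section states when the change takes effect.'
}
```

Run it read-only first, then `-DisableSson -WhatIf` to see which keys would be written before applying the change. For the FAS option the same key is set to false, but the SSON component itself should additionally be left uninstalled on the endpoint, which this script only reports on (via the process check) and does not enforce.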
CWA 2210.5: https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html
CWA 2203 LTSR CU2: https://www.citrix.com/downloads/workspace-app/workspace-app-for-windows-long-term-service-release/workspace-app-for-windows-LTSR-Latest.html
CWA 1912 LTSR CU7 Hotfix: https://support.citrix.com/article/CTX473064/hotfix-citrix-workspace-app-for-windows-1912-ltsr-cu7-hotfix-2-19127002-english
Citrix will continue to work on providing a better SSO experience using passwordless capabilities within Workspace App going forward. Watch this space for new feature announcements.