Logon Type 8 (plain text) for BrokerService.exe on Delivery Controller


Question

Hi guys,

I keep getting event log entries on the delivery controller saying that a plaintext password was used.

This happens during log on through Netscaler and whenever I start a published application.

Setup is Win2019, Citrix 1912 CU2, Netscaler 13

What I've already done to secure communication channels:

- Bind certificate to IIS on Storefront servers for Default Website port 443, but kept default port 80
- Set communication with DDC on each SF-Store to HTTPS
- Install certificate on DDC
- Register certificate with brokerservice.exe (netsh http add sslcert...)
- On Netscaler set STA to https for Citrix Gateway Virtual server
- LDAP policies (LDAP server) authentication is set to SSL, Port 636

What am I missing? Do I need to enforce SSL at some point?

Thanks a lot

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DDC.MyDomain
Description:
An account was successfully logged on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        DDC$
    Account Domain:        MyDomain
    Logon ID:        0x3E4

Logon Information:
    Logon Type:        8
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        MyDomain\MyUser
    Account Name:        MyUser
    Account Domain:        IBLZ
    Logon ID:        0x838503BF
    Linked Logon ID:        0x0
    Network Account Name:    -
    Network Account Domain:    -
    Logon GUID:        {AnyGUID}

Process Information:
    Process ID:        0xd24
    Process Name:        D:\Program Files\Citrix\Broker\Service\BrokerService.exe

Network Information:
    Workstation Name:    DDC
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0


 


1 answer to this question


I checked back with Citrix support and was told this:

It is expected behavior to see this event; however, it does not mean that the user's credentials traverse the network in plain text.
As per https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Logon Type 8 means NetworkCleartext and implies the following:
A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

The log that you sent only highlights that the password used was entered in a cleartext format, NOT that it is actually being transmitted in cleartext between the servers. If HTTPS is configured on Storefront and the DDC, the traffic is encrypted and the actual credentials do not traverse the network in plaintext with HTTPS as HTTPS itself secures it.
Since you are using SSL communication between SF and DDC and ADC and SF, the communication is entirely secure.

So the communication leading to Logon Type 8 is only happening between local Citrix services in order to enumerate your published applications and log you on.
You can see similar events on the Storefront server.

 

 

 

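A triage sketch for the events discussed in this thread, added here as an example and not code from the posts above or from Citrix: it parses the rendered text of a 4624 event and separates Logon Type 8 entries that match the pattern described in the answer (BrokerService.exe at the path shown in the question, no source network address, Advapi logon process) from ones that deserve a closer look. The allow-list, the verdict names and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: full paths of local services expected to pass a cleartext
# password to LSA on this host (path taken from the event in the question).
EXPECTED_PROCESSES = {r"d:\program files\citrix\broker\service\brokerservice.exe"}

def parse_4624(text):
    """Parse the rendered description of a 4624 event into {section: {field: value}}."""
    event, section = {}, "Header"
    for line in text.splitlines():
        header = re.match(r"^(\S[^:]*):\s*$", line)               # e.g. "Subject:"
        field = re.match(r"^\s*([^:]+?):\s+(\S.*?)\s*$", line)     # e.g. "  Logon Type:   8"
        if header:
            section = header.group(1)
        elif field:
            event.setdefault(section, {})[field.group(1)] = field.group(2)
    return event

def triage(event):
    """Return 'not-type-8', 'expected-local-service' or 'review' (hypothetical verdicts)."""
    if event.get("Logon Information", {}).get("Logon Type") != "8":
        return "not-type-8"
    proc = event.get("Process Information", {}).get("Process Name", "").lower()
    src = event.get("Network Information", {}).get("Source Network Address", "-")
    logon_proc = event.get("Detailed Authentication Information", {}).get("Logon Process", "")
    # Local hand-off: allow-listed service, no remote source, Advapi logon call.
    if proc in EXPECTED_PROCESSES and src == "-" and logon_proc == "Advapi":
        return "expected-local-service"
    return "review"

# Constructed samples, reduced to the fields the check reads.
TEMPLATE = """Logon Information:
    Logon Type:        {ltype}
Process Information:
    Process Name:        {proc}
Network Information:
    Source Network Address:    {src}
Detailed Authentication Information:
    Logon Process:        {lp}
"""
BROKER = TEMPLATE.format(ltype="8", src="-", lp="Advapi  ",
    proc=r"D:\Program Files\Citrix\Broker\Service\BrokerService.exe")
OTHER = TEMPLATE.format(ltype="8", src="192.0.2.10", lp="Advapi  ",
    proc=r"C:\Windows\System32\inetsrv\w3wp.exe")
NETWORK = TEMPLATE.format(ltype="3", src="192.0.2.10", lp="Kerberos", proc="-")

if __name__ == "__main__":
    for name, raw in (("BROKER", BROKER), ("OTHER", OTHER), ("NETWORK", NETWORK)):
        print(name, triage(parse_4624(raw)))
```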
