
Anonymous ICA-session to StoreFront during STA-request


Support Agent 02


Hi

We got CVAD + NetScaler gateway configured.

Simple LDAP authentication is used.

Our security team recently started monitoring ICA sessions on the gateway, and found some anonymous sessions, even though anonymous login is disabled.

We found out that when a user logs in, anonymous ICA-sessions are established to StoreFront for about 30 seconds (sometimes more, 1-2 minutes). Next we found out that this happens during the process of requesting an STA ticket.

These are the entries that appear in the gateway log:

Source <SourceIP>:<SourcePort> - Destination <StoreFrontIP>:443 - customername  - username:domainname anonymous: - applicationName <DATA_STORE>

And this is what the request looks like on StoreFront:

<CtxSTAProtocol version="1.0">
  <RequestTicket>
    <AllowedTicketType>STA-v1</AllowedTicketType>
    <AllowedAuthorityIDType>STA-v1</AllowedAuthorityIDType>
    <Data><StoreFront FQDN>:443</Data>
    <XData><?xml version="1.0"?><!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
      <CtxConnInfo version="1.0">
        <ServerAddress><StoreFront FQDN>:443</ServerAddress>
        <UserName><&DUMMY&></UserName>
        <UserDomain></UserDomain>
        <ApplicationName><&DATA_STORE&></ApplicationName>
        <Protocol>ICA</Protocol>
      </CtxConnInfo>
    </XData>
  </RequestTicket>
</CtxSTAProtocol>

In this request, DUMMY is used as the user name, and NetScaler therefore writes anonymous as the user name in the session, since, in fact, there is no user name.

Is it possible to somehow get rid of these sessions, or to change some settings so that the user name is displayed correctly?

Or can you guide me, please, to where I can find a description of this process, so we could tell our security team that it is designed by the vendor and there is nothing to be done about it?

We couldn't find anything.
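For a team monitoring these entries, the triage below separates anonymous entries that match the pattern quoted in the post (StoreFront on port 443, DATA_STORE as the application name) from any other anonymous sessions. It is an added example, not part of the original post or Citrix code; the `user:domain` shape of a named user's entry, the StoreFront address and the sample lines are assumptions.

```python
import re
from collections import Counter

# Field layout follows the gateway log entry quoted in the post. The shape of a
# named user's entry ("user:domain") is an assumption, not taken from the page.
LINE_RE = re.compile(
    r"Source (?P<src>\S+):(?P<sport>\d+) - "
    r"Destination (?P<dst>\S+):(?P<dport>\d+) - .*?"
    r"username:domainname (?P<user>[^:\s]*):(?P<domain>\S*) - "
    r"applicationName (?P<app>.*)$"
)

STOREFRONT_IPS = {"192.0.2.10"}  # hypothetical StoreFront address (placeholder)


def classify(line, storefront_ips=STOREFRONT_IPS):
    """Return 'named', 'sta-request-pattern', 'anonymous-other' or 'unparsed'."""
    m = LINE_RE.search(line.strip())
    if not m:
        return "unparsed"
    if m["user"].lower() != "anonymous":
        return "named"
    # Pattern from the post: anonymous entry, StoreFront on 443, DATA_STORE app name.
    # Substring match so bracketed or entity-encoded forms of the name both count.
    if m["dst"] in storefront_ips and m["dport"] == "443" and "DATA_STORE" in m["app"]:
        return "sta-request-pattern"
    return "anonymous-other"  # anonymous, but not the known pattern: review these


def triage(lines):
    """Count entries per class so unexplained anonymous sessions stand out."""
    return Counter(classify(line) for line in lines)


# Constructed sample entries (documentation IP ranges), not real log data.
SAMPLE = [
    "Source 198.51.100.7:51234 - Destination 192.0.2.10:443 - customername  - "
    "username:domainname anonymous: - applicationName <DATA_STORE>",
    "Source 198.51.100.7:51240 - Destination 192.0.2.50:1494 - customername  - "
    "username:domainname alice:CORP - applicationName Notepad",
    "Source 203.0.113.9:40100 - Destination 192.0.2.50:1494 - customername  - "
    "username:domainname anonymous: - applicationName Notepad",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), "|", entry)
```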
