Citrix Cloud: Changes to Cipher suites for Federated Authentication Service

Citrix Cloud is updating the method used for traffic ingress to improve resiliency, which requires inserting a new service in the path used to communicate with Citrix’s services. Rollout of this new ingress method for the Federated Authentication Service is in progress and is targeted for completion by the end of July 2022.

While most users will not be affected, users who have configured their operating system’s usable ciphers may need to review and possibly update this configuration to ensure that the ciphers available include those supported by the new traffic ingress method.

In particular, a previous iteration of the Citrix Cloud Secure Deployment guide included a recommendation for Windows Server 2012 to use a cipher that is not supported by the new ingress method. The secure deployment guide has already been updated with the cipher suites supported by the new ingress method.

Supported Cipher suites

For TLS 1.2, the following cipher suites are supported by the new ingress method:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

If accessing the Citrix Cloud control plane from Windows Server 2016, Windows Server 2019, or Windows Server 2022, the following strong ciphers are recommended:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

If accessing the Citrix Cloud control plane from Windows Server 2012 R2, the strong ciphers are not available, so the following ciphers must be added to retain connectivity as services are transitioned to the new ingress method:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

The following ciphers must still be enabled in Windows Server 2012 R2 to access services that are not using the new ingress method:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Recommended action

If the above cipher suites are not available for use by the Federated Authentication Service by July 31, 2022, you may experience a service outage for your users. As such, Citrix strongly recommends reviewing both methods of restricting Cipher suites – an allow list via GPO and a deny list via registry entries. Check both methods to ensure that you do not have restrictions that would prevent the specific cipher suites above from being usable.

Related:

  • No Related Posts

Leave a Reply