Citrix DaaS – Inactivity Timeout and Authentication Period


Overview

Recently I discussed some DaaS / Cloud Workspace security settings with a customer, where the Inactivity Timeout and Authentication Period settings for Citrix Workspace App (not Web!) are essential. CISOs are fans of low authentication period settings / low inactivity timeouts – giving the user more authentication popups per day for higher security and lower user acceptance, isn’t it? 🙂

Configuration

There are the following settings, which you can find under Workspace Configuration -> Customize -> Preferences. So how do they work, and which setting wins?

First are the Inactivity Timeouts, split into one setting for Workspace App for Windows, macOS and Linux and a separate setting for Mobile (iOS, Android). The maximum amount of time you can configure is 24 hours. These settings are disabled by default.

Next are the Authentication Period settings, combined with Inactivity Period settings, both applying to all CWA editions. The minimum amount of time you can configure is 1 day. These settings are enabled by default with a standard Reauthentication Period of 30 (!!!) days, which is, from a security perspective, way too high.

Because the two settings have different minimum and maximum values, you can choose the one that best matches your requirements.

In other words:

You need a LOWER Workspace App Inactivity Timeout / Reauthentication Period than 1 day (24h)? Enable and configure Inactivity Timeout – this overrides all Authentication Period settings.

You need a HIGHER Workspace App Inactivity Timeout / Reauthentication Period than 1 day (24h)? Disable Inactivity Timeout and configure the Authentication Period settings.

There is also an infobox to remind you which settings are now active:

Reset active User-Sessions

After changing the timeout settings to match your requirements, it’s recommended to reset all active CWA user sessions. This means users have to reauthenticate in CWA, so the new settings can apply.

Otherwise, if for example the config was set to a 30-day Reauthentication Period (the default) and you’ve now set 5 days, you have to wait up to 29 days until all CWA installations on your clients have reauthenticated and picked up the new settings.

Citrix provides a PowerShell module to reset active sessions, which you can download here. Its use is quite simple: first create a Secure Client here:

and you can use the script:

# Import the module (path of the extracted download):
cd C:\Tools\Session_Invalidation_PowerShell_Module\SessionInvalidationPowerShellModule\Citrix.Workspace.SessionInvalidation
Import-Module ./Citrix.Workspace.SessionInvalidation.psm1

# Invalidate all active sessions; "123" are placeholders for the Secure Client ID and secret
Invoke-WorkspaceSessionInvalidation -WorkspaceUrl "https://customer.cloud.com" -ClientId "123" -ClientSecret "123"

One thing to note is the Custom Workspace URL. If you use a Custom Workspace URL and have disabled the default .cloud.com URL, the script will not work; it also fails when run against the Custom Workspace URL itself. You have to run it against the default .cloud.com Workspace URL.

For that, you have to re-enable the default .cloud.com URL temporarily, run the script, and then disable the URL again. I know your users authenticated against your custom URL, but in the backend it’s always the default store where the authentication takes place, so the script is effective for all your custom URLs too.
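The two things above worth getting right in practice are the precedence rule (an enabled Inactivity Timeout wins over the Authentication Period) and running the invalidation against the default .cloud.com store without leaving the Secure Client secret hard-coded in a script. The following PowerShell is an added example, not code from the post or from Citrix: it models the precedence and value ranges as the post states them (Inactivity Timeout 0–24 h with 0 = disabled, Reauthentication Period at least 1 day, 30 days as the default), and wraps the Citrix module’s Invoke-WorkspaceSessionInvalidation call (parameters -WorkspaceUrl, -ClientId, -ClientSecret as shown above) so that the secret lives in a PSCredential and the URL is always derived from the customer’s default .cloud.com name. The function names, the customer name and the module path are assumptions/placeholders.

```powershell
# Added example (not from the post or from Citrix).
# Assumptions: value ranges as stated in the post; the default store is
# https://<customer>.cloud.com; the module folder and customer name are placeholders.

function Get-EffectiveWorkspaceTimeout {
    [CmdletBinding()]
    param(
        # Inactivity timeout for Workspace app in hours; 0 = disabled (the default).
        [ValidateRange(0, 24)]
        [int]$InactivityTimeoutHours = 0,

        # Reauthentication period in days; the Citrix default is 30.
        [ValidateRange(1, [int]::MaxValue)]
        [int]$ReauthenticationPeriodDays = 30
    )

    if ($InactivityTimeoutHours -gt 0) {
        # An enabled Inactivity Timeout overrides the Authentication Period settings.
        [pscustomobject]@{
            EffectiveSetting = 'InactivityTimeout'
            Value            = New-TimeSpan -Hours $InactivityTimeoutHours
            Note             = 'Authentication Period settings are overridden'
        }
    }
    else {
        $note = if ($ReauthenticationPeriodDays -ge 30) { 'Still at the 30-day default or above; consider lowering' } else { 'OK' }
        [pscustomobject]@{
            EffectiveSetting = 'AuthenticationPeriod'
            Value            = New-TimeSpan -Days $ReauthenticationPeriodDays
            Note             = $note
        }
    }
}

function Reset-WorkspaceSessions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Tenant name, e.g. 'customer' for https://customer.cloud.com (placeholder).
        [Parameter(Mandatory)] [string]$CustomerName,
        # Folder that contains Citrix.Workspace.SessionInvalidation.psm1 (placeholder path).
        [Parameter(Mandatory)] [string]$ModulePath,
        # Secure Client: UserName = Client ID, Password = Client Secret (no plain text in the script).
        [Parameter(Mandatory)] [pscredential]$SecureClient
    )

    # The module only works against the default store, never against a Custom Workspace URL,
    # so the URL is derived from the customer name instead of being passed in.
    $workspaceUrl = "https://$CustomerName.cloud.com"

    Import-Module (Join-Path $ModulePath 'Citrix.Workspace.SessionInvalidation.psm1') -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($workspaceUrl, 'Invalidate all active Workspace app sessions')) {
        # The secret is only unwrapped at the moment of the call.
        Invoke-WorkspaceSessionInvalidation -WorkspaceUrl $workspaceUrl `
            -ClientId $SecureClient.UserName `
            -ClientSecret $SecureClient.GetNetworkCredential().Password
    }
}

# Usage: check which setting is effective for a planned configuration.
Get-EffectiveWorkspaceTimeout -InactivityTimeoutHours 8 -ReauthenticationPeriodDays 5   # InactivityTimeout wins
Get-EffectiveWorkspaceTimeout -ReauthenticationPeriodDays 5                             # AuthenticationPeriod, 5 days

# Usage: dry run of the session reset (drop -WhatIf to execute).
# Reset-WorkspaceSessions -CustomerName 'customer' `
#     -ModulePath 'C:\Tools\Session_Invalidation_PowerShell_Module\SessionInvalidationPowerShellModule\Citrix.Workspace.SessionInvalidation' `
#     -SecureClient (Get-Credential -Message 'Secure Client ID (user) and secret (password)') -WhatIf
```

Reset-WorkspaceSessions supports -WhatIf, so you can confirm which URL the invalidation would hit before every active user is forced to reauthenticate; run it only after the default .cloud.com URL has been re-enabled as described above.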

User Experience

As soon as you’ve configured the timeout settings, CWA (Windows) sends notifications for upcoming timeouts.

Exactly 3 minutes before the timeout kicks in, your users get the following notification:

Summary

Four easy settings to configure in your DaaS tenant that can make a crucial difference to session security.
