In today's world, your security team is probably constantly pushing for settings to secure the environment. This may come from any vendor as suggested environmental settings that will protect you against attacks. I love when things are secure. I have an alarm system and a bunch of cameras in my house just so I feel safe. However, not all security settings will make Citrix professionals happy. One setting in particular will break your single sign on and the configuration checker will not point you in the right direction.
So what happens? Your single sign on to workspace has been working like a champ for years. It has worked through all the different VDA and workspace versions and then all of sudden it breaks. Now, there are some Windows 11 gotchas out there and I won't go into detail on this post but if you suddenly can't get Windows 11 to SSO and you are not using Enhanced SSO then this could be an issue with MPR notifications. https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication.html
But back to the issue that you might run into and not really have any signs as to why it happened??
Restricting NTLM!!!!
Yep if the Name: restrictsendingntlmtraffic is set to any value other than 0 or 1 at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 then you will break legacy SSO for Citrix Workspace. The symptom will be that you are prompted to sign in to Citrix Workspace on Desktops and/or VDAs that have Citrix workspace installed.
Workaround: If you are not using a VDA 2311 or higher, then upgrade your environment and use Enhanced SSO which uses Kerberos. If you can't upgrade yet, then add one of these two methods
Registry
Method
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
ClientAllowedNTLMServers Multi-String Value: <storefront base url>
or
GPO Method
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -> <storefront base url>
Yep that's it!!! Once you do this, your SSO will begin working again.