StoreFront 3.8 / 3.7 / 3.6 / 3.5 – Basic Configuration

Last Modified: Jan 13, 2017 @ 3:00 pm


đź’ˇ = Recently Updated

StoreFront Installation / Upgrade

The XenApp/XenDesktop 7.12 ISO comes with StoreFront 3.8. Or you can download it from

You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront 3.8 on dedicated servers.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB RAM.

Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is installed first.

  1. If upgrading do the following before beginning the upgrade:
    1. Export the StoreFront configuration so you can restore it if something goes wrong.
    2. Stop the World Wide Web Publishing Service.
    3. Stop all StoreFront services.
    4. Close all PowerShell and StoreFront consoles.
    5. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service.
    6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
  2. Go to the downloaded Citrix StoreFront 3.8 and run CitrixStoreFront-x64.exe.
  3. Or you can install from the 7.12 ISO by running AutoSelect.exe.

  4. In the License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Review prerequisites page, click Next.
  6. In the Ready to install page, click Install.
  7. In the Successfully installed StoreFront page, click Finish.

If this is a new install, skip to the Initial Configuration.

After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

  1. In the StoreFront Console, on the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Receiver Experience page select Disable classic experience.
  4. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.

  5. Go to Stores. Right-click the Store, and click Configure Unified Experience.
  6. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
  7. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.  💡

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

  1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
  2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.
  3. In the middle, click Create a new deployment.
  4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you setup SSL and load balancing. Click Next.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.
  12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Click Next when done.
  13. In the Remote Access page, don’t check the box, and click Next. You can set this up later.
  14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.
  15. In the XenApp Services URL page, click Create.
  16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

  1. Install StoreFront on the second server.
  2. Create/Import the SSL certificate, and bind it to the Default Web Site.
  3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.
  4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.
  5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
  6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
  7. Then click OK.
  8. Go back to the first server. Click OK.
  9. Notice this message. It is good advice.
  10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group and clicking Propagate Changes.
  11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

  1. In the StoreFront console, on the left, click Stores.
  2. Right-click the store, and click Remove Store.
  3. Click Yes.
  4. On the left, right-click Stores, and click Create Store.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two XenDesktop Controllers.
  12. Change the Transport Type to HTTP. Click OK.
  13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
  14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
  15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
  16. In the XenApp Services URL page, click Create.
  17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront SSL.

  • SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
  • SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

If the certificate does not match, then users will see this message when attempting to use email discovery in Citrix Receiver.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be for every email domain.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

  • If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
  • If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

  • If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.

Once the certificate is created or imported, you need to bind it to IIS:

  1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
  2. Click Add.
  3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

  1. In the StoreFront Console, on the left click Stores.
  2. Right-click the store, and click Manage Delivery Controllers.
  3. Highlight the deployment and click Edit.
  4. The Servers list must contain FQDNs that match the certificates installed on those servers.
  5. Change the Transport type to HTTPS.
  6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling:

  1. On the left, click the Stores node.
  2. Right-click the store and click Configure Store Settings.
  3. On the Advanced Settings page, check the box for Enable socket pooling.


Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries:

  • StoreFront Load Balancing FQDN (e.g. = Load Balancing VIP in the local datacenter.
  • NetScaler Gateway Callback FQDN (e.g. = NetScaler Gateway VIP in the local datacenter.

Base URL – Change

  1. Configure load balancing of the StoreFront servers, including SSL certificate.
  2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  3. Enter the StoreFront Load Balancing FQDN as the new Base URL in format. Note: Receiver requires that the Base URL is https. It won’t accept http. Click OK.
    Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

  1. On the left click the Stores node.
  2. Right-click the store and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

  1. On the left, right-click Stores, and click Set Default Website.
  2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
  3. Click Yes to overwrite.
  4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

  1. In the Citrix StoreFront console, on the left, click the Stores node.
  2. Right-click the store, and click Manage Authentication Methods.
  3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
  4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a XenDesktop Controller, and run the command
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. Run asnp citrix.* first.

    In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
  5. Click the top gear icon, and then click Configure Trusted Domains.
  6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
  7. Select one of the domains as the default.
  8. If desired, check the box next to Show domains list in logon page. Click OK.
  9. Click the top gear icon, and then click Manage Password Options.
  10. Make your selection, and click OK.
  11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.
  12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
  13. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). CTX217143 Self-Service Password Reset Central Store Creation Tool. Also see George Spiers Citrix Self-Service Password Reset for a detailed implementation guide.  💡
  14. Change the selection to Citrix SSPR, and click Configure.
  15. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end). Click OK three times.
  16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
  17. The logon page also has an Account Self-Service link.

  18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online

  1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left click the Stores node.
  2. Right-click the store, and click Configure Store Settings.
  3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.

Unified Receiver Experience

If you did a clean install of StoreFront 3.7, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI.

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Receiver Experience page, select Disable classic experience. Click OK and click Close.
  4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.
  5. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups.

These Featured App Groups are displayed at the top of the Apps > All page.

By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group.

Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

Receiver for Web Pass-through Authentication

  1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
  4. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.

Receiver for HTML5 2.3

  1. On the left click the Stores node.
  2. Right-click the store and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
  5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at for more information.
  6. Click OK, and then click Close.
  7. Download the latest Receiver for HTML5 and install it on one of the StoreFront servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to the other server.  💡

  8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab.
  9. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver.
  10. Note: as of Receiver for HTML 2.0, it’s no longer necessary to install App Switcher on the VDAs.


From About Citrix Receiver for Chrome 2.0 at The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.


From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can’t do anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing “Change Receiver”. This will give you the chance to choose the HTML5 Receiver (“Use light version”) and your choice will be remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5.  See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the Javascript code.


If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking “Change Citrix Receiver“. To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.


From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name=”HTML Format”. Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.


Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • How to view HTML5Client log file

Citrix Receivers

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).
  4. Change both source drop-downs to Local files on the StoreFront server.
  5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.6 and Receiver for Mac 12.4.
  6. You can optionally enable Upgrade plug-in at logon.
  7. Click OK when done, and Close when done.
  8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Receiver for Web Timeout

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Session Settings page, set the Session timeout as desired and click OK.
  4. If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session Time-out (mins). I changed mine to 720, there is a screenshot below for you to reference:

  5. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb to be more than 1 hour, you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
  6. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

Default Tab

  1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other tabs to add icons to the list of Favorites.

  2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User Subscriptions and choose Disable User Subscriptions (Mandatory Store).

  3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web Sites > Configure > Client Interface Settings page.
  4. When publishing applications in Studio, specify a Category so the applications are organized into folders.
  5. If you change the default tab to Applications, then you might also want to default to the Categories view instead of the All view.
  6. You can do this by adding the following code to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
    CTXS.Extensions.onViewChange = function (viewName) {
      if (viewName == 'store') {
        window.setTimeout(function () {
        }, 0);

  7. Then when you login to StoreFront you’ll see Apps > Categories as the default view. This works in Receiver too.


  1. On the left, right-click Stores, and click Manage Beacons.
  2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.
    If you are not doing Single FQDN then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.
    If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.
    If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.
  3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

  1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  2. You might see a message saying that you made changes on the wrong server.
  3. Click Yes when asked to propagate changes.
  4. Click OK when done.
  5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

  • Export-STFConfiguration
  • Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.


To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:

  • KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
  • KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.

With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator  💡

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront.

The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.

Related Pages

83 thoughts on “StoreFront 3.8 / 3.7 / 3.6 / 3.5 – Basic Configuration”

  1. Hi Carl,

    We are upgrading storefront 3.0 to 3.6 in our environment. Both store front servers are load balanced in Netscaler 10.5 safe harbor build 61.11. Please help how to remove store front servers from netscaler one by one to perform the upgrade activity on the store front servers. Any specific settings we need to take back up of in the netscaler as well.

    1. Service Group? If so, right-click the Service Group, and click Manage Members. You can disable individual servers from here.

      Or you can go to Traffic Manage > LB > Servers and disable the server from here.

  2. Hi Carl. thanks for providing the storefront documentation. I have a question about enabling domain pass through for SSO. Our college’s use thin clients to log on to their VDI (Citrix Xendesktop). The thin clients are configured to use Internet Explorer to access our webportal (storefront url). The thin clients are not domain joined. So, users must enter their credentials. I like to keep it that way. My goal is to accomplish the following. I want to publish some Xenapp applications in the users VDI using the same storefront store. Is enabling domain pass through on the store going to conflict with the thin clients (webportal – storefront url)? I do not want to enable SSO on the thin clients.

    1. If the FQDN is not added to IE’s Local Intranet zone on the thin clients, then there will be no attempt to perform SSON.

      Another option is to create another store so you can hide the published desktop icons.

      1. Creating another store and using your tip (other forum) on changing loopback communication to OnUsingHttp in Storefront did the trick. Thanks a lot Carl.

      2. Hi Carl,
        Can we install storefront server, like zone DDC at my remote location, to connect local Citrix users with the same URL which is in my primary zone storefront FQDN name.

        1. Sure. The tricky part is getting the DNS name to resolve to the local StoreFront instead of remote StoreFront. GSLB can help with that.

  3. Be aware that offloading SSL to the NetScaler StoreFront VIP and using HTTP to the StoreFront web servers will work, but Native Receiver on Mac and Windows will fail if coming through Unified Gateway unless end to end SSL is configured.

  4. HI Carl, I am trying to modify the Desktops to include a machine recycle option where a user can self service a new machine creation, have you tried that? or any suggestions?

        1. I’m not sure what you mean. Machine creation = create new machine? Recycle = reboot machine?

          You might be able to do something with the StoreFront SDK.

          1. There’s nothing built the product. You could write a PowerShell script with a self-service portal. Then maybe integrate that portal to StoreFront using the SDK. Or integrate StoreFront to your portal.

  5. Hello Carl,

    We have a new Citrix Deployment with XenApp 7.11 and Store Front 3.7. We have a requirement to disable TLS v1.0 on all servers. But we have observed that after disabling TLS v1.0 on storefront servers, Citrix Credential wallet service is not running as per the error on store front console. And users cannot login to Citrix. Do you know any fix for this ?


  6. Hi Carl,

    Could you please elaborate further on the beacons section for ipads:

    “If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL”

    I have iPads that connect internal, Storefront is setup as a GSLB URL on Netscaler as we have Storefront servers based in different locations, however the Storefront SSL Cert is a self-signed certificate, so I receive certificate trust issues when connecting Receiver internal on iPads as it is resolving to the internal beacon which is the Storefront LB service URL. Any suggestions?

    External connection is no problem as the AG URL has a trusted public cert.

    1. I typically purchase a public certificate for internal StoreFront so non-domain-joined devices (e.g iPad) will trust the cert.

      You can try an alternative internal beacon and see if it works. But last time I looked at a Receiver for iOS log, it wanted /Citrix/StoreWeb in the Beacon’s URL.

  7. Hi Carl.
    Hope you are doing good. My name is sriram and i am new to Citrix world. I have installed XenDestktop 7.9 which is my DDC and StoreFront Server in server A and my VDA 7.9 and Citrix receiver is installed in another server B. I added Store Front server, created delivery group and associated applications to delivery group. I also created machine catalog and registered my server B which is running VDA on it. Now when i launch citrix receiver in Server B, it says can not connect to target DDC. When i try launching the Citrix WebStore url through chrome browser,i can see Apps i published. But when i access Apps, i get “Can not Start App” error. In the Store Front Server A Event Viewer log, i see “The Citrix servers do not trust the server. This message was reported from the XML Service at address [NFuseProtocol.TRequestAddress]. “.

    I followed this storefront 3.6 configuration again and configured https with out ssl certificate to deliver applications. Base URL is https, but I don’t have certificates installed on the StoreFront servers and enabled loopback communication to Onusinghttp. I can see Apps from my VDA machine server B but i cannot launch any apps that i added manually in my storefront server my pointing to their executables from the path. I tried troubleshooting for oneweek. I can not get the answer. Am i missing something here? Can you please guide”?
    Should i install self-signed certificate in my DDC server A and bind it to default website and copy the same certificate to my VDA or endpoint device as well for both of them to communicate in https to access apps from DDC?

    Please advise.

      1. Hello Carl,
        I removed pass-through authentication and i am just using username and password authentication method using domain users.
        Now when i access the native calculator app published from storefront server, i get the following in EventVwr.log:

        “No available resource found for user fnmp\administrator when accessing desktop group Calculator. This message was reported from the Citrix XML Service at address [NFuseProtocol.TRequestAddress]. ”

        Please guide.


        1. And the warning message i see in the EventViewer log is:

          “to launch the resource ‘Controller.Camera’ using the Citrix XML Service at address ‘’. The XML service returned error: ‘no-available-workstation’.”

          By the way i did not touch beacons and Netscalar gateway part. Do i have to do anything with them?
          Your help is much appreciated and needed!!!


          1. Yes Carl.Machines are registered. And i used Citrix health assistant as well to check the communication between VDA device and DDC. It is successful.

          2. Hello Carl,
            I tried resetting receiver and followed your document receiver setting for windows except for SSON since i don’t need that. But still my citrix receiver do not show any remote applications or sessions in connection center.

            Please advise.

          3. Hello Carl,

            I forgot to mention one thing. my receiver 4.5 and VDA 7.9 are installed on the same machine. And, in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppLibrary , i see only one key value pair:
            “ApplicationStartDetails” point to only one app published from App-V and it’s file location is pointing to location where i copied the App-V .appv file.

            Is this the problem? This AppLibrary must have all the apps listed in Citrix Studio?

            Please help!!

  8. Hi Carl,

    Keywords are not working for xenapp services url however its working for web url.

    Is there any specific setting I need to enable ?

    My storefront running with 3.5 version

    Thank You
    Shekhar Reddy

    1. I don’t think I’ve tried keywords with XenApp Services URL. Why are you doing that instead of Receiver Self-Service?

      1. Hello Carl,

        My requirement is to place published applications shortcuts on user desktop. Therefore i found on internet about the Keywords which can help in this matter. I am not aware of Receiver Self-Service, I can manage the same with this feature ? If possible, could you please share the link or steps for the same.

        Thank you in advance.

        Shekhar Reddy

  9. Do I have to have Netscaler to connect to StoreFront externally? One of my coworkers says that the Netscaler provides encryption but isn’t that what the SSL certificate is for? Whether the certificate is imported to the StoreFront server and/or the Netscaler.

    1. If there is NAT between the users and VDAs, then yes, you need Gateway.

      There are two connections: HTTP and ICA. HTTP is easy. ICA requires Gateway.

  10. Hello Carl, and everyone else.

    We recently installed StoreFront 3.6 next to our StoreFront 2.6.

    One thing we are noticing, is that sometimes users can’t fill in the Username input field.
    Clicking in the Password field, and then pressing shift-tab allows you to type in the Username field.

    At first I though the input cursor simply wasn’t showing, but you really can’t type in the field.

    Is this a known thing perhaps? Can’t find it myself when searching for it (assuming I’m searching correctly).

  11. Hi Carl,
    I have a SF 3.6 front end delivering both xenapp 6.5 and 7.6 apps. My pilot group is on receiver 4.4x and I’m trying to disable session sharing (multiple app sessions from different devices). I have not been able to get this to work in 7.6 with this command > Set-BrokerAppEntitlementPolicyRule Test76 -SessionReconnection SameEndpointOnly.

    Also, how can I do this for 6.5 apps through Storefront?
    Any ideas?

        1. To fix the (disable roaming) issue I ran this via powershell on both of our delivery controllers.

          asnp citrix*
          Set-BrokerAppEntitlementPolicyRule “Delivery Group Name” -SessionReconnection SameEndpointOnly

  12. hi carl,
    I have upgraded my xendesktop from 7.1 to 7.9, and storefront to 3.6,
    since then the storefront session timeout was reset, we get logged off after +- 20 minutes,
    this was previously a setting in the web.config file, this entry is still there after the upgrade and set to 8 hours, now it can also be configured in the gui, there it was set to 4 hours, but we are kicked after <20 minutes, changing it in the gui to 8 hours and replicating config has no effect, session timeout is still <20 minutes, also when changing it to a lower value in the gui, it does not change the setting in the web.config file, so it seems this is stored now somewhere else.
    my storefront is still in classic mode enabled, is it possibe the gui settings only apply when classic mode is disabled ?
    do you have a suggestion where to find the effective value and how to change it ?
    thanks ! igor L.

  13. Thanks Carl, worked just fine.
    Is there a way to find out what users connected to a specific storefront Server?
    some sort of usage stats from specific storefront server.

  14. Carl, have you every ran into issues using a Netscaler VIP as a beacon? I have a client I have configured one-URL internal/external access to Storefront. My internal beacon is and is only resolvable internal. It resolves to a VIP I build on Netscaler listening on port 80. The backend servers for that VIP are the storefront servers, using port 81 (since I am also using Netscaler SSL-Offload for Storefront). I am also using a 302 redirect on IIS for Storefront to go to the main store ( I am having issues with receiver saying “could not contact internal” I am thinking about changing my backend services on the beacon VIP to point to the DDC’s running director (port 80). so the beacon is port 80 all the way through to see if it solves the issue. Not sure if the issue with with the 302 redirect or the change from http to https.


    1. Are you able to get a Fiddler trace while Receiver is enumerating beacons? Or maybe a network trace on the NetScalers?

      What do you see in the Receiver logs? I use Receiver Troubleshooter to capture a CDF trace. Then I use CDFControl to parse it.

      1. Carl, I actually got me answer here: 57 minutes in to the video there is a glorious explanation of Beacons and how they are used by receiver.

        So in my case: = BAD! (will disrupt internal beaconing) (because I just used my backend SF servers on the beacon for HA.

        If I change the beacon to = GOOD! (will not disrupt internal beaconing).

        The basic idea is that with beaconing, the URI of a website on the beacon CANNOT change, otherwise Receiver thinks you are behind a paywall, and basically receiver breaks w/ no error.

        So simply changing the beacon in SF to the Director VIP should work in storefront. I am going to try that today.

        1. Sorry some of this didn’t paste right into the comment section. having a 302 redirect to a different URI on an internal beacon breaks receiver basically.

  15. Hi Carl been reading your SF and Netscaler Gateway configuration documents to build my lab and I’ve been having some issues. I am using XD 7.6 and SF 3.6. I have 2 win10 VMs that are setup for PVS boot. Internally, (on the private network) I can login to my VM01 and get to my SF site and authenticate. I can stream my other VM (VM02) image with no problem.

    My problem is when I come through Netscaler GW. I have a Virtual server setup w/ a public IP and configured it based on your NSG config guide. I hit my SF site from the public internet and autheniticate just fine. I see my Windows 10 desktop and click to launch my ICA session. After the window opens that appears to be streaming my desktop I receive an error “The connection to “Windows 10 Users Group” failed with status. (There is no Citrix XenApp server configured on the specified address).

    I am not even using XenApp so I am not sure where it’s getting the error from. Any ideas what my problem could be? I’ve looked at my SF configuration, I’ve looked at the Netscaler config but nothing stands out. There are a couple things which are a bit strange like the “session policy web interface address” settings on the Virtual Server throws an HTTP 1.1 43531 error when using an FQDN ( If however, the “session policy web interface address” setting is set to (https://IP address/Citrix/SFWeb) then it displays my resources (desktops/apps etc).

    I’ve ran out of ideas so decided to post to see if you had any clues. I saw your post here “” which referenced the same error but was wondering if you could elaborate on the fix you mentioned “If StoreFront, you would need to deploy a NetScaler Gateway appliance to proxy the ICA traffic through one NAT’d IP address.”

    1. Are you trying to run the ICA connection through NetScaler Gateway?

      Is this problem in browser, Receiver, or both?

      Use to save the launch.ica file. Make sure there’s an SSLProxyHost entry. That means it’s using Gateway. If not, then there might be a DNS problem. StoreFront event viewer sometimes indicates if the connection is coming through Gateway or not.

      1. Hi Carl.

        I have the same problem. I access our XenApp 6.5 farm from the internet with the IE browser. The ica file doesn’t contain the SSLProxyHost entry and the address shows a private ip address from the XenApp server. any clue?

        Br. Ivo

          1. To proxy ICA through Gateway, in StoreFront, you need a Gateway set to HDX Routing. This causes StoreFront to replace internal IP with Gateway FQDN.

          2. when I set the Netscaler gateway to Authentication and hdx routing on the storefront server the access field says “Internal network only”. Is this right?
            I have set the Secure Ticket Authority servers to
            Those are the same servers as I have defined in NetScaler Gateway -> Virtual Servers -> name -> published applications

            When I start a published application I get the message: App “Calculator can’t be started”
            On the storefront server i get errors in the event viewer beneath Citrix Delivery Services

            Event 1
            The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address [CtxSTAProtocol.TRequestTicket]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.
            Event 2
            All the configured Secure Ticket Authorities failed to respond to this XML transaction:,
            Event 3
            Failed to launch the resource ‘Controller.Calculator’, unable to obtain a ticket from the configured Secure Ticket Authorities.

            The xml brokers are running on my xenapp controllers on port 8080. I am not able to define any ports when I configure the Secure Ticket Authority server on the storefront serer store (netscaler gateway settings).
            Our should this always talk on port 433 https?

            BR. Ivo

  16. Carl,

    The screenshots don’t match the text starting from the section “Delivery Controllers – SSL”
    all the way down to “Receiver for Web Pass-through Authentication”

    Best regards,


  17. Thanks Carl..I am facing an issue with additional Windows sign-in prompt even after authenticating to store front URL, when launching the application.. Do you know who to fix this issue??? I configured storefront and Citrix studio.

    1. Are you doing Single Sign-on to StoreFront? If so, you also need to configure Single Sign-on in Receiver?

      Or maybe you have RDP Prompt for Password enabled in a GPO somewhere.

      1. Thanks alot carl for your quick response. I found the root cause,

        Brief introduction to problem: I configured 2 delivery controllers, 2 store front servers and 1 xenapp 7.7 VDA (session host server (Server 2012 R2)). Created machine catalog and delivery group and installed applications, Published application using citrix studio. When launching the application, i am getting additional windows prompt.

        Solution: On xenapp 7.7 VDA (session host server). Earlier, I did not configured the role – Remote Desktop Services on that server. Now, I configured Remote Desktop Services Configuration for server 2012 R2. Click on Remote Desktop Services and clicked on Session collection and changed the security settings to Security Layer: RDP Security Layer; Encryption Level: Low and Unchecked “Allow Connections only from Computers running Remote Desktop with network level authentication”. That solved the problem.

        P.S: Click on the article below to navigate to RDS Basic configuration (Go to iv (a))

  18. Carl, at the configuration stage, you mention the command Set-ExecutionMode RemoteSigned
    This should be Set-ExecutionPolicy RemoteSigned

  19. All, Is there any way that I can hide all “Apps” under Application tab, and only want “Featured App Group” to display.

    Thank you,

    Vinh Le

      1. Thanks Carl, I finally figured out what the issue was. The Web.Config was not replicated so I manually did it.

  20. Carl I noticed this with 3.5. I create the first store and Receiver for website. I then create the second store and receiver for website. I logoff the server and logon and then the second receiver for website is now located under the first store. Have you seen this?

  21. Just a hint for any that are trying an in place upgrade from 3.x to 3.5 as I have…. Post upgrade I couldn’t launch any apps. couldn’t find any hints on line but digging through the console I found that I had to set up site aggregation, as we have multiple Citrix farms…… this is a new option under the ‘Manage Delivery Controllers’ window.

      1. This is now disabled by default and you have to set them by going into “Manage Receiver for Web Sites” and then under “Workspace Control” there is 2 check boxes for the Reconnect button and Disconnect button. Once on at the main Storefront windows where your username is the drop down menu will now have the 2 options.

  22. I installed 3.5 also, but found thee “bugs”.

    But I mis something on the front page of StoreFront.
    I enable Workspace Control.
    But on the StoreFront page, when I log on, there’s (as example) no reconnect button.
    Do you missing that also?

    And I enable account-selfservice.
    I have to fill in my domain\username. That’s not ideal for users to fill in our domein name.

    And last one.
    I configured Storefront te communicate with XA65 controllers/xml brokers.
    But I can’t log in. I get a message: Could not load error message when I start a Desktop.

Leave a Reply