StoreFront 3.5 through 3.9 – Basic Configuration

Last Modified: Mar 29, 2017 @ 1:10 pm

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, and 3.9.

💡 = Recently Updated

StoreFront Installation / Upgrade

The XenApp/XenDesktop 7.13 ISO comes with StoreFront 3.9. Or you can download it from https://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-39.html.

You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront 3.9 on dedicated servers.

Citrix Blog Post StoreFront 3.0 Scalability recommends sizing StoreFront servers with 4 vCPU and 8 GB RAM.

Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is installed first.

  1. If upgrading, do the following before beginning the upgrade:
    1. Export the StoreFront configuration so you can restore it if something goes wrong.
    2. Stop the World Wide Web Publishing Service.
    3. Stop all StoreFront services.
    4. Close all PowerShell and StoreFront consoles.
    5. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service. See Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack Agent Service is Running.
    6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
  2. Go to the downloaded Citrix StoreFront 3.9 and run CitrixStoreFront-x64.exe.
  3. Or you can install from the 7.13 ISO by running AutoSelect.exe.

  4. In the License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Review prerequisites page, click Next.
  6. In the Ready to install page, click Install.
  7. In the Successfully installed StoreFront page, click Finish.

If this is a new install, skip to the Initial Configuration.

After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

  1. In the StoreFront Console, on the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Receiver Experience page select Disable classic experience.
  4. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.

  5. Go to Stores. Right-click the Store, and click Configure Unified Experience.
  6. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
  7. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading to StoreFront 3.9, do the following to add SAML Authentication as an option. This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a fresh deployment of 3.9, then SAML is already added.

  1. Right-click the Store, and click Manage Authentication Methods.
  2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
  3. Check the box next to SAML Authentication, and click OK.
  4. If you don’t want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

  1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
  2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.
  3. In the middle, click Create a new deployment.
  4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you set up SSL and load balancing. Click Next.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.
  12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Click Next when done.
  13. In the Remote Access page, don’t check the box, and click Next. You can set this up later.
  14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.
  15. In the XenApp Services URL page, click Create.
  16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

  1. Install StoreFront on the second server.
  2. Create/Import the SSL certificate, and bind it to the Default Web Site.
  3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.
  4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.
  5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
  6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
  7. Then click OK.
  8. Go back to the first server. Click OK.
  9. Notice this message. It is good advice.
  10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group and clicking Propagate Changes.
  11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program  💡

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.

See http://www.carlstalhood.com/delivery-controller-7-13-and-licensing/#ceip for additional places where CEIP is enabled.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

  1. In the StoreFront console, on the left, click Stores.
  2. Right-click the store, and click Remove Store.
  3. Click Yes.
  4. On the left, right-click Stores, and click Create Store.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop.
  11. Add the two XenDesktop Controllers.
  12. Change the Transport Type to HTTP. Click OK.
  13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
  14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
  15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
  16. In the XenApp Services URL page, click Create.
  17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront SSL.

  • SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
  • SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match discoverReceiver.email.suffix for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

If the certificate does not match discoverReceiver.email.suffix, then users will see this message when attempting to use email discovery in Citrix Receiver.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be discoverReceiver.email.suffix for every email domain.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.
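
The Subject Alternative Name rules above can be checked mechanically before a certificate is bound to IIS. The following PowerShell is an added example, not part of the original article or of any Citrix tooling; the function names and the sample host names (corp.com, corp.local, example.org) are assumptions made up for illustration.

```powershell
# Added example. All host names below are constructed sample data.

function Test-DnsNameMatch {
    # True when $Pattern (an exact name, or a wildcard such as *.corp.com)
    # covers $HostName. A wildcard stands for exactly one DNS label.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                      # e.g. ".corp.com"
        if ($h.EndsWith($suffix)) {
            $left = $h.Substring(0, $h.Length - $suffix.Length)
            return (($left.Length -gt 0) -and (-not $left.Contains('.')))
        }
    }
    return $false
}

function Test-StoreFrontCertNames {
    # Hypothetical helper: compares a certificate's SAN list with the names
    # that StoreFront clients will request.
    param(
        [Parameter(Mandatory = $true)][string[]]$SanDnsNames,    # in certificate order
        [Parameter(Mandatory = $true)][string]$LoadBalancerFqdn,
        [string[]]$ServerFqdns = @(),
        [string[]]$EmailSuffixes = @()
    )
    # Email-based discovery needs one discoverReceiver.<suffix> name per email domain.
    $required = @($LoadBalancerFqdn) + $ServerFqdns +
                @($EmailSuffixes | ForEach-Object { "discoverReceiver.$_" })

    $names = foreach ($name in $required) {
        $hit = $SanDnsNames |
            Where-Object { Test-DnsNameMatch -Pattern $_ -HostName $name } |
            Select-Object -First 1
        [pscustomobject]@{ RequiredName = $name; Covered = [bool]$hit; CoveredBy = $hit }
    }

    [pscustomobject]@{
        # The article's guidance: the first SAN should be the load balancing FQDN.
        FirstSanIsLoadBalancerFqdn = ($SanDnsNames[0] -ieq $LoadBalancerFqdn)
        Missing = @($names | Where-Object { -not $_.Covered } | ForEach-Object { $_.RequiredName })
        Names   = $names
    }
}

# Constructed sample: a SAN list as it would appear on the certificate's Details tab.
# The second email domain (example.org) has no discoverReceiver entry, so it is reported.
$check = @{
    SanDnsNames      = 'storefront.corp.com', 'sf01.corp.local', 'sf02.corp.local', 'discoverReceiver.corp.com'
    LoadBalancerFqdn = 'storefront.corp.com'
    ServerFqdns      = 'sf01.corp.local', 'sf02.corp.local'
    EmailSuffixes    = 'corp.com', 'example.org'
}
$report = Test-StoreFrontCertNames @check
$report.Names | Format-Table -AutoSize
"First SAN is the load balancing FQDN: $($report.FirstSanIsLoadBalancerFqdn)"
"Missing names: $($report.Missing -join ', ')"
```

Omit -EmailSuffixes if email-based discovery is not planned, and omit -ServerFqdns when the certificate only needs to match the load balanced name.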

There are several methods of creating a certificate for StoreFront.

  • If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
  • If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

  • If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.

Once the certificate is created or imported, you need to bind it to IIS:

  1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
  2. Click Add.
  3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

  1. In the StoreFront Console, on the left click Stores.
  2. Right-click the store, and click Manage Delivery Controllers.
  3. Highlight the deployment and click Edit.
  4. The Servers list must contain FQDNs that match the certificates installed on those servers.
  5. Change the Transport type to HTTPS.
  6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling:

  1. On the left, click the Stores node.
  2. Right-click the store and click Configure Store Settings.
  3. On the Advanced Settings page, check the box for Enable socket pooling.

HOSTS File

Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries:

  • StoreFront Load Balancing FQDN (e.g. storefront.corp.com) = Load Balancing VIP in the local datacenter.
  • NetScaler Gateway Callback FQDN (e.g. callback.corp.com) = NetScaler Gateway VIP in the local datacenter.

Base URL – Change

  1. Configure load balancing of the StoreFront servers, including SSL certificate.
  2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  3. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront.corp.com format. Note: Receiver requires that the Base URL is https. It won’t accept http. Click OK.
    Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

  1. On the left click the Stores node.
  2. Right-click the store and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

  1. On the left, right-click Stores, and click Set Default Website.
  2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
  3. Click Yes to overwrite.
  4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

  1. In the Citrix StoreFront console, on the left, click the Stores node.
  2. Right-click the store, and click Manage Authentication Methods.
  3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
  4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a XenDesktop Controller, open a Windows PowerShell command prompt, run asnp citrix.* to load the Citrix snap-ins, and then run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
  5. Click the top gear icon, and then click Configure Trusted Domains.
  6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
  7. Select one of the domains as the default.
  8. If desired, check the box next to Show domains list in logon page. Click OK.
  9. Click the top gear icon, and then click Manage Password Options.
  10. Make your selection, and click OK.
  11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.
  12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
  13. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See CTX217143 Self-Service Password Reset Central Store Creation Tool. Also see George Spiers Citrix Self-Service Password Reset for a detailed implementation guide.
  14. Change the selection to Citrix SSPR, and click Configure.
  15. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end). Click OK three times.
  16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
  17. The logon page also has an Account Self-Service link.

  18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online

  1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left click the Stores node.
  2. Right-click the store, and click Configure Store Settings.
  3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.

Unified Receiver Experience

If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI.

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.
  4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.
  5. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups.

These Featured App Groups are displayed at the top of the Apps > All page.

By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group.

Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

Receiver for Web Pass-through Authentication

  1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
  4. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.

Receiver for HTML5 2.3

  1. On the left click the Stores node.
  2. Right-click the store and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
  5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at docs.citrix.com for more information.
  6. Click OK, and then click Close.
  7. Download the latest Receiver for HTML5 and install it on one of the StoreFront servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to the other server.

  8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab.
  9. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver.
  10. Note: as of Receiver for HTML 2.0, it’s no longer necessary to install App Switcher on the VDAs.

From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can’t do anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing “Change Receiver”. This will give you the chance to choose the HTML5 Receiver (“Use light version”) and your choice will be remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5. See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the JavaScript code.

If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking “Change Citrix Receiver”. To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.

From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name="HTML Format". Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • How to view HTML5Client log file

Deploy Citrix Receivers

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).
  4. Change both source drop-downs to Local files on the StoreFront server.
  5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.7 and Receiver for Mac 12.5.
  6. You can optionally enable Upgrade plug-in at logon.
  7. Click OK when done, and Close when done.
  8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Receiver for Edge  💡

The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user has to click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like this: <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)". Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge.

To stop the switch apps pop-up, on the client side, edit the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys), create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Firefox 52  💡

Firefox 52 disabled NPAPI plug-ins, which means Firefox 52 can no longer detect the locally installed Citrix Receiver, and users will be prompted to install it. StoreFront 3.8 and newer already fixes this for Firefox 53, but not for Firefox 52.

To fix this in StoreFront 3.8 and newer, go to C:\Inetpub\wwwroot\Citrix\StoreWeb, and edit the web.config file with an elevated text editor.

Search for protocolHandler. In the Firefox section, change 5[3 to 5[2. This causes the Protocol Handler to work in Firefox 52 and newer.

Now when users connect, they are prompted to Detect Receiver, just like Chrome.
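
Both web.config edits (removing (?!.*Edge) in the Receiver for Edge section and changing 5[3 to 5[2 here) can be tried against sample user agents before the file is saved. The following PowerShell is an added example, not code from the original article or from Citrix; the user-agent strings are constructed samples, and matching the pattern unanchored with the .NET regex engine is an assumption about how it is evaluated.

```powershell
# Added example. The user-agent strings are constructed samples.

# The platforms pattern quoted in the article (StoreWeb web.config).
$original = '(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)'

$patterns = [ordered]@{
    Original      = $original
    Firefox52Edit = $original.Replace('5[3', '5[2')        # "change 5[3 to 5[2"
    EdgeEdit      = $original.Replace('(?!.*Edge)', '')    # "Remove (?!.*Edge)"
}

$userAgents = [ordered]@{
    'Firefox 45' = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'
    'Firefox 52' = 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0'
    'Firefox 53' = 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0'
    'Chrome 57'  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36'
    'Edge 15'    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063'
    'IE 11'      = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
}

function Test-ProtocolHandlerPatterns {
    # Returns one row per browser with a True/False column per pattern variant.
    param($Patterns, $UserAgents)
    foreach ($ua in $UserAgents.GetEnumerator()) {
        $row = [ordered]@{ Browser = $ua.Key }
        foreach ($p in $Patterns.GetEnumerator()) {
            # IsMatch throws if an edit left the pattern syntactically invalid,
            # which catches a broken bracket before it reaches web.config.
            $row[$p.Key] = [regex]::IsMatch($ua.Value, $p.Value)
        }
        [pscustomobject]$row
    }
}

Test-ProtocolHandlerPatterns -Patterns $patterns -UserAgents $userAgents |
    Format-Table -AutoSize
```

Edge's user agent contains a Chrome/ token, which is why the negative lookahead is the only thing keeping Edge out of the Chrome branch of the pattern.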

Receiver for Web Timeout

  1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
  2. Click Configure.
  3. On the Session Settings page, set the Session timeout as desired, and click OK.
  4. If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session Time-out (mins). I changed mine to 720.


  5. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb to be more than 1 hour, you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
  6. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

Default Tab

  1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other tabs to add icons to the list of Favorites.



  2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

  3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web Sites > Configure > Client Interface Settings page.
  4. When publishing applications in Studio, specify a Category so the applications are organized into folders.
  5. If you change the default tab to Applications, then you might also want to default to the Categories view instead of the All view.
  6. You can do this by adding the following code to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions.
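    // Runs after the home screen is displayed: navigate to the top-level folder
    // so the Categories view is shown.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
      CTXS.ExtensionAPI.navigateToFolder('/');
    };

    // Runs on every view change: when the store (Apps) view opens,
    // navigate to the top-level folder as well.
    CTXS.Extensions.onViewChange = function (viewName) {
      if (viewName == 'store') {
        // Defer the navigation until the current handler has returned.
        window.setTimeout(function () {
          CTXS.ExtensionAPI.navigateToFolder('\\');
        }, 0);
      }
    };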

  7. Then when you login to StoreFront you’ll see Apps > Categories as the default view. This works in Receiver too.

Beacons

  1. On the left, right-click Stores, and click Manage Beacons.
  2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.
    If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.
    If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.
    If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.
  3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

  1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  2. You might see a message saying that you made changes on the wrong server.
  3. Click Yes when asked to propagate changes.
  4. Click OK when done.
  5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

  • Export-STFConfiguration
  • Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Auto-Favorite

To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:

  • KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
  • KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.

With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront.

The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.

112 thoughts on “StoreFront 3.5 through 3.9 – Basic Configuration”

  1. Hi, I have a ‘potentially’ simple question….. 🙂 We have Citrix farms in 2 domains (post a company merger) and I am trying to consolidate access on StoreFront. I have read your posts on ways to get external access via the NetScaler to authenticate against both domains and we are testing that now (Thanks! 🙂 )
    So I am now looking internally for users who are accessing StoreFront directly, not through the NetScaler. What I find is that although SSON allows them to automatically log in to the SF 3.8 server web site, it will only show them apps from the Citrix farms in their domain. If we use manual logon we can see apps from both domains.
    I know there were issues with multidomain and SSON in Web Interface. Is this just a restriction that can’t be fixed? I don’t really want to have to make all users use manual authentication… Apologies if this is already covered anywhere, I have trawled the internet as usual and found nothing 🙁

      1. Yes, and it fails in both directions, so if a user logs in with SSON in domain 1 they only see domain 1 apps and vice versa. But if users log on explicitly to either domain they see apps from both domains. It also affects Receiver retrieving apps for the Start menu, which is a bigger problem for me as we could probably live with an explicit logon to the web site 🙁

          1. I hadn’t seen that one, a very interesting and in-depth article 🙂
            We have separate forests with 2-way trusts. As we have not tried to combine the Citrix farms at all there is no adding VDAs from one domain to a farm in the other – which is a relief! 🙂
            I think we have the config correct as far as the trusts etc., because when we use explicit logon everything is correct and we can see and launch apps and VDA desktops from both sides – it’s just using SSON that things go wrong 🙁

  2. Hi,
    I have installed version 3.9 in a workgroup configuration. There are some differences from a domain configuration.
    It is installed in a dual-hop NetScaler (v11) configuration and is set up to use two-factor authentication; first the user logs on with an RSA token and is directed to the StoreFront page, which then prompts for AD credentials and logs the user on. This works great in a browser using the plugin, but when using Citrix Receiver it does not. The reason is that I am able to deselect pass-through from NetScaler Gateway under Manage Receiver for Web. However, that is not possible under the main store.
    Sure, it looks like it is, but after deselecting that option and refreshing the store it disables remote access and shows access to internal networks only.
    Citrix support said it is by design and forwarded me a link to their SDK. To me it looks like a bug.
    Has anyone seen this?
    Is there a workaround?

    Thoughts?

    Thanks,
    Chris

  3. Hi Carl,

    Could you suggest me on the following approach?

    I have 2 SF servers (v2.6) in a server group, they are running Server 2012 R2 with active user subscriptions. StoreFront is load balanced using NetScaler and most of the users access application through Citrix Receiver client using services site. Store is configured through GPO on the user machines.

    I want to upgrade the StoreFront to v3.9 without any user impact.

    1. Build 2 new SF servers running Windows Server 2016 and SF version 2.6, as subscriptions from v2.6 are not compatible with v3.9 and the PowerShell cmdlets for subscription export/import are different for these versions
    2. Export subscriptions from existing prod servers and import them to new server group. Verify if everything works
    3. If everything is working, upgrade the SF servers to version 3.9 with subscriptions
    4. Validate and add new servers to LB VIP if everything is working as expected
    5. Flip the load by disabling old servers and enabling new servers in the load balancer

    I will have a clear fallback plan if this doesn’t work. As I am retaining the base URL, store name and LB VIP, this change will be seamless for end users other than the look and feel of the new StoreFront.

    I don’t see an SF configuration export command for v2.6. Do we have one that I can use to export/import configurations while building a new SF server group identical to the prod servers?

    Thanks.

    1. I think config export/import only came with 3.x.

      Also, will 2.6 install on 2016? You might have to upgrade to 3.x on your 2012 servers before you can add 2016 to the server group.

      Or, build a new 2016 server group with 3.9, export/import the subscriptions, then swap out on load balancer.

      Why do you think that subscriptions can’t be moved to a new StoreFront? Did your testing reveal that it doesn’t work?

      1. The SF subscriptions export command is different in 2.6 and in newer versions. Export in 2.6 generates a csv file whereas the same in the newer version is a txt file. So I am not sure whether the csv file contents will be imported in the newer version.

        I am going to try importing subscriptions in 3.9 and update you on how it goes.

        1. I exported subscriptions from the SF 2.6 server as a txt file and imported them on the new SF 3.9 server. The import went fine with a few warnings. I also exported subscriptions from the SF 3.9 server to verify that all the contents were imported. The file sizes from the prod and new servers are the same.

          But I don’t see favorites when I log in to the new SF Receiver for Web site, it just has the mandatory subscriptions.

          I followed your blog for import/export, however I didn’t see the event ID 3 (Task 2901) in the SF event logs.

          We have aggregation configured on the prod SF server, but I didn’t have it configured on the SF 3.9 test server. When I read the subscriptions.txt file, all the entries have AggregationGroup before the published icon name. Will this cause an issue with favorites?

          1. The farm names (Manage Delivery Controllers) or Aggregation Groups need to be the same. You can easily edit the .txt file to match your new farm/aggregation names.

          2. I was able to resolve the issue by configuring Aggregation group and changing the default aggregation group name to match my production one. Now I see all the subscribed icons in new SF3.9 server. Thanks.

  4. Carl,
    I have a customer who wants to have different timeouts. A long timeout for internal users and a short (15 Min) timeout if coming across the NetScaler (external).

    I have a SF VIP on the NetScaler. They would like to have the external timeout not only log them out of the website but also close any open applications. Any suggestions on how to accomplish this?

    1. You might need separate Delivery Groups for internal vs external. Otherwise you run into the issue of how to handle reconnecting to an existing session.

      1. I was looking at the “Access Control” based policies, but didn’t consider if a user comes from external to internal they will have a shorter timeout on the reconnect.

        Does the NetScaler session timeout or Service timeout also close the App or is that only the session timer?

  5. Hi Carl,

    You say : The XenApp/XenDesktop 7.13 ISO comes with StoreFront 3.8 but in fact it comes with StoreFront 3.9.

    Keep up the good work !

  6. Hi Carl,

    At times we get the following error when launching our VDI on 7.12: “The connection to “Windows – 7 IMAGE” failed with status (unknown client error 1110)” from IE (or Chrome). This happens with different versions of Receiver, but if I try it from a different browser (Chrome, or from Chrome to IE) it connects, or if I reboot my laptop or desktop I am able to connect with no issue. I have a ticket open with Citrix; just curious if you are aware of any configuration I should double-check on StoreFront or the Controller? This is a new setup, so I’m not sure if I missed something during the configuration.

  7. Hi, another question on SF 3.8 :).. What I have found is that if users manually authenticate to the web site then they are presented the option to change their password – as per my config. However, if they use pass-through authentication the change password option is not present. Is this a restriction of the system or is there something I am missing in the config?

    cheers

    1. If doing pass-through auth, shouldn’t password changes be performed on the workstation instead of in StoreFront?

      1. A perfectly valid point 🙂 I am struggling now to remember the use case for this that was put forward! 🙂

    2. Hi Dave, yes this is a safety restriction of the system. If you are using Domain Pass-through authentication to StoreFront then your current password is cached on the end point where you logged into the domain, and if we let you change it via StoreFront you may hit an account lockout because the cached password copies on the end point running Receiver are now stale. (Whether and how quickly you would see account lockout depends on whether NTLM authentication is being attempted from the end point, when and how much, or whether you launch more things from Receiver. But with the defaults most customers use for lockout it is a significant risk.)

      You should change the password by instead typing Ctrl+Alt+Del; this will update the password cached by Receiver as well as that cached by the OS.

    1. You can configure GSLB for StoreFront URL, yes. PNAgent can use that URL. You’ll need persistence on the GSLB vServer. Citrix tells me that Cookie-based GSLB Service persistence (redirect or proxy) should work with regular Receiver, but I’m not sure about PNAgent. Or you can simply enable Source IP persistence on the GSLB vServer.

  8. Upgrading Storefront from 3.6 to 3.8 loses some configuration settings. I revert and try again after exporting and importing the config using the below scripts but same results. Remote access, trusted domains etc.. are gone.

    Export-STFConfiguration -targetFolder "$env:userprofile\desktop\" -zipFileName "backup" -NoEncryption
    Import-STFConfiguration -configurationZip "$env:userprofile\desktop\backup.zip"

  9. Hi Carl,

    We are upgrading storefront 3.0 to 3.6 in our environment. Both store front servers are load balanced in Netscaler 10.5 safe harbor build 61.11. Please help how to remove store front servers from netscaler one by one to perform the upgrade activity on the store front servers. Any specific settings we need to take back up of in the netscaler as well.

    1. Service Group? If so, right-click the Service Group, and click Manage Members. You can disable individual servers from here.

      Or you can go to Traffic Management > LB > Servers and disable the server from here.

  10. Hi Carl. thanks for providing the storefront documentation. I have a question about enabling domain pass through for SSO. Our college’s use thin clients to log on to their VDI (Citrix Xendesktop). The thin clients are configured to use Internet Explorer to access our webportal (storefront url). The thin clients are not domain joined. So, users must enter their credentials. I like to keep it that way. My goal is to accomplish the following. I want to publish some Xenapp applications in the users VDI using the same storefront store. Is enabling domain pass through on the store going to conflict with the thin clients (webportal – storefront url)? I do not want to enable SSO on the thin clients.

    1. If the FQDN is not added to IE’s Local Intranet zone on the thin clients, then there will be no attempt to perform SSON.

      Another option is to create another store so you can hide the published desktop icons.

      1. Creating another store and using your tip (other forum) on changing loopback communication to OnUsingHttp in Storefront did the trick. Thanks a lot Carl.

      2. Hi Carl,
        Can we install storefront server, like zone DDC at my remote location, to connect local Citrix users with the same URL which is in my primary zone storefront FQDN name.

        1. Sure. The tricky part is getting the DNS name to resolve to the local StoreFront instead of remote StoreFront. GSLB can help with that.

  11. Be aware that offloading SSL to the NetScaler StoreFront VIP and using HTTP to the StoreFront web servers will work, but Native Receiver on Mac and Windows will fail if coming through Unified Gateway unless end to end SSL is configured.

  12. Hi Carl, I am trying to modify the Desktops to include a machine recycle option where a user can self-service a new machine creation. Have you tried that? Or any suggestions?

        1. I’m not sure what you mean. Machine creation = create new machine? Recycle = reboot machine?

          You might be able to do something with the StoreFront SDK.

          1. There’s nothing built into the product. You could write a PowerShell script with a self-service portal. Then maybe integrate that portal to StoreFront using the SDK. Or integrate StoreFront to your portal.

  13. Hello Carl,

    We have a new Citrix Deployment with XenApp 7.11 and Store Front 3.7. We have a requirement to disable TLS v1.0 on all servers. But we have observed that after disabling TLS v1.0 on storefront servers, Citrix Credential wallet service is not running as per the error on store front console. And users cannot login to Citrix. Do you know any fix for this ?

    Thanks
    Rajesh

  14. Hi Carl,

    Could you please elaborate further on the beacons section for ipads:

    “If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL”

    I have iPads that connect internal, Storefront is setup as a GSLB URL on Netscaler as we have Storefront servers based in different locations, however the Storefront SSL Cert is a self-signed certificate, so I receive certificate trust issues when connecting Receiver internal on iPads as it is resolving to the internal beacon which is the Storefront LB service URL. Any suggestions?

    External connection is no problem as the AG URL has a trusted public cert.

    1. I typically purchase a public certificate for internal StoreFront so non-domain-joined devices (e.g iPad) will trust the cert.

      You can try an alternative internal beacon and see if it works. But last time I looked at a Receiver for iOS log, it wanted /Citrix/StoreWeb in the Beacon’s URL.

  15. Hi Carl.
    Hope you are doing good. My name is Sriram and I am new to the Citrix world. I have installed XenDesktop 7.9, which is my DDC and StoreFront server, on server A, and my VDA 7.9 and Citrix Receiver are installed on another server B. I added the StoreFront server, created a delivery group and associated applications to the delivery group. I also created a machine catalog and registered my server B which is running the VDA on it. Now when I launch Citrix Receiver on server B, it says it cannot connect to the target DDC. When I try launching the Citrix WebStore URL through the Chrome browser, I can see the apps I published. But when I access apps, I get a “Can not Start App” error. In the StoreFront server A Event Viewer log, I see “The Citrix servers do not trust the server. This message was reported from the XML Service at address http://W2012R2X64-SRI.fnmp.com/scripts/wpnbr.dll [NFuseProtocol.TRequestAddress].”

    I followed this StoreFront 3.6 configuration again and configured https without an SSL certificate to deliver applications. The Base URL is https, but I don’t have certificates installed on the StoreFront servers and enabled loopback communication to OnUsingHttp. I can see apps from my VDA machine server B but I cannot launch any apps that I added manually in my StoreFront server by pointing to their executables from the path. I tried troubleshooting for one week. I cannot get the answer. Am I missing something here? Can you please guide?
    Should I install a self-signed certificate on my DDC server A and bind it to the default website and copy the same certificate to my VDA or endpoint device as well, for both of them to communicate in https to access apps from the DDC?

    Please advise.

      1. Hello Carl,
        I removed pass-through authentication and I am just using the username and password authentication method using domain users.
        Now when I access the native calculator app published from the StoreFront server, I get the following in EventVwr.log:

        “No available resource found for user fnmp\administrator when accessing desktop group Calculator. This message was reported from the Citrix XML Service at address http://W2012R2X64-SRI.fnmp.com/scripts/wpnbr.dll [NFuseProtocol.TRequestAddress]. ”

        Please guide.

        Sriram

        1. And the warning message i see in the EventViewer log is:

          “to launch the resource ‘Controller.Camera’ using the Citrix XML Service at address ‘http://W2012R2X64-SRI.fnmp.com/scripts/wpnbr.dll’. The XML service returned error: ‘no-available-workstation’.”

          By the way, I did not touch the beacons and NetScaler Gateway part. Do I have to do anything with them?
          Your help is much appreciated and needed!!!

          Thanks,
          Sriram

          1. Yes Carl.Machines are registered. And i used Citrix health assistant as well to check the communication between VDA device and DDC. It is successful.

          2. Hello Carl,
            I tried resetting Receiver and followed your document’s Receiver settings for Windows except for SSON since I don’t need that. But still my Citrix Receiver does not show any remote applications or sessions in Connection Center.

            Please advise.
            Thanks,
            Sriram

          3. Hello Carl,

            I forgot to mention one thing. my receiver 4.5 and VDA 7.9 are installed on the same machine. And, in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppLibrary , i see only one key value pair:
            “ApplicationStartDetails” point to only one app published from App-V and it’s file location is pointing to location where i copied the App-V .appv file.

            Is this the problem? This AppLibrary must have all the apps listed in Citrix Studio?

            Please help!!
            Sriram

  16. Hi Carl,

    Keywords are not working for xenapp services url however its working for web url.

    Is there any specific setting I need to enable ?

    My storefront running with 3.5 version

    Thank You
    Shekhar Reddy

    1. I don’t think I’ve tried keywords with XenApp Services URL. Why are you doing that instead of Receiver Self-Service?

      1. Hello Carl,

        My requirement is to place published applications shortcuts on user desktop. Therefore i found on internet about the Keywords which can help in this matter. I am not aware of Receiver Self-Service, I can manage the same with this feature ? If possible, could you please share the link or steps for the same.

        Thank you in advance.

        Regards,
        Shekhar Reddy

  17. Do I have to have Netscaler to connect to StoreFront externally? One of my coworkers says that the Netscaler provides encryption but isn’t that what the SSL certificate is for? Whether the certificate is imported to the StoreFront server and/or the Netscaler.

    1. If there is NAT between the users and VDAs, then yes, you need Gateway.

      There are two connections: HTTP and ICA. HTTP is easy. ICA requires Gateway.

  18. Hello Carl, and everyone else.

    We recently installed StoreFront 3.6 next to our StoreFront 2.6.

    One thing we are noticing, is that sometimes users can’t fill in the Username input field.
    Clicking in the Password field, and then pressing shift-tab allows you to type in the Username field.

    At first I thought the input cursor simply wasn’t showing, but you really can’t type in the field.

    Is this a known thing perhaps? Can’t find it myself when searching for it (assuming I’m searching correctly).

  19. Hi Carl,
    I have a SF 3.6 front end delivering both xenapp 6.5 and 7.6 apps. My pilot group is on receiver 4.4x and I’m trying to disable session sharing (multiple app sessions from different devices). I have not been able to get this to work in 7.6 with this command > Set-BrokerAppEntitlementPolicyRule Test76 -SessionReconnection SameEndpointOnly.

    Also, how can I do this for 6.5 apps through Storefront?
    Any ideas?
    thanks,
    -Zach

        1. To fix the (disable roaming) issue I ran this via powershell on both of our delivery controllers.

          asnp citrix*
          Set-BrokerAppEntitlementPolicyRule "Delivery Group Name" -SessionReconnection SameEndpointOnly

  20. hi carl,
    I have upgraded my xendesktop from 7.1 to 7.9, and storefront to 3.6,
    since then the storefront session timeout was reset, we get logged off after +- 20 minutes,
    this was previously a setting in the web.config file, this entry is still there after the upgrade and set to 8 hours, now it can also be configured in the gui, there it was set to 4 hours, but we are kicked after <20 minutes, changing it in the gui to 8 hours and replicating config has no effect, session timeout is still <20 minutes, also when changing it to a lower value in the gui, it does not change the setting in the web.config file, so it seems this is stored now somewhere else.
    my storefront is still in classic mode enabled, is it possible the gui settings only apply when classic mode is disabled ?
    do you have a suggestion where to find the effective value and how to change it ?
    thanks ! igor L.

  21. Thanks Carl, worked just fine.
    Is there a way to find out what users connected to a specific storefront Server?
    some sort of usage stats from specific storefront server.

  22. Carl, have you ever run into issues using a NetScaler VIP as a beacon? I have a client I have configured one-URL internal/external access to StoreFront. My internal beacon is http://beacon.corp.company.com and is only resolvable internally. It resolves to a VIP I built on NetScaler listening on port 80. The backend servers for that VIP are the StoreFront servers, using port 81 (since I am also using NetScaler SSL-Offload for StoreFront). I am also using a 302 redirect on IIS for StoreFront to go to the main store (https://myapps.company.com/Citrix/InternalWeb). I am having issues with Receiver saying “could not contact internal”. I am thinking about changing my backend services on the beacon VIP to point to the DDCs running Director (port 80), so the beacon is port 80 all the way through, to see if it solves the issue. Not sure if the issue is with the 302 redirect or the change from http to https.

    -Peter

    1. Are you able to get a Fiddler trace while Receiver is enumerating beacons? Or maybe a network trace on the NetScalers?

      What do you see in the Receiver logs? I use Receiver Troubleshooter to capture a CDF trace. Then I use CDFControl to parse it.

      1. Carl, I actually got my answer here: https://www.youtube.com/watch?v=9eUQ7BzowuQ&feature=youtu.be 57 minutes into the video there is a glorious explanation of beacons and how they are used by Receiver.

        So in my case: http://beacon.corp.company.com http://myapps.comapny.com = BAD! (will disrupt internal beaconing) (because I just used my backend SF servers on the beacon for HA).

        If I change the beacon to http://citrixdirector.corp.company.com http://citrixdirector.corp.company.com/Director = GOOD! (will not disrupt internal beaconing).

        The basic idea is that with beaconing, the URI of a website on the beacon CANNOT change, otherwise Receiver thinks you are behind a paywall, and basically receiver breaks w/ no error.

        So simply changing the beacon in SF to the Director VIP should work in storefront. I am going to try that today.

        1. Sorry some of this didn’t paste right into the comment section. having a 302 redirect to a different URI on an internal beacon breaks receiver basically.

  23. Hi Carl been reading your SF and Netscaler Gateway configuration documents to build my lab and I’ve been having some issues. I am using XD 7.6 and SF 3.6. I have 2 win10 VMs that are setup for PVS boot. Internally, (on the private network) I can login to my VM01 and get to my SF site and authenticate. I can stream my other VM (VM02) image with no problem.

    My problem is when I come through NetScaler GW. I have a Virtual Server set up w/ a public IP and configured it based on your NSG config guide. I hit my SF site from the public internet and authenticate just fine. I see my Windows 10 desktop and click to launch my ICA session. After the window opens that appears to be streaming my desktop I receive an error “The connection to “Windows 10 Users Group” failed with status. (There is no Citrix XenApp server configured on the specified address)”.

    I am not even using XenApp so I am not sure where it’s getting the error from. Any ideas what my problem could be? I’ve looked at my SF configuration, I’ve looked at the NetScaler config but nothing stands out. There are a couple of things which are a bit strange, like the “session policy web interface address” setting on the Virtual Server throws an HTTP 1.1 43531 error when using an FQDN (https://testlab.lab.com/Citrix/SFWeb). If however, the “session policy web interface address” setting is set to (https://IP address/Citrix/SFWeb) then it displays my resources (desktops/apps etc).

    I’ve ran out of ideas so decided to post to see if you had any clues. I saw your post here “http://discussions.citrix.com/topic/345082-there-is-no-citrix-xenapp-server-configured-on-the-specified-address/#entry1784820” which referenced the same error but was wondering if you could elaborate on the fix you mentioned “If StoreFront, you would need to deploy a NetScaler Gateway appliance to proxy the ICA traffic through one NAT’d IP address.”

    1. Are you trying to run the ICA connection through NetScaler Gateway?

      Is this problem in browser, Receiver, or both?

      Use http://support.citrix.com/article/CTX115304 to save the launch.ica file. Make sure there’s an SSLProxyHost entry. That means it’s using Gateway. If not, then there might be a DNS problem. StoreFront event viewer sometimes indicates if the connection is coming through Gateway or not.

      1. Hi Carl.

        I have the same problem. I access our XenApp 6.5 farm from the internet with the IE browser. The ica file doesn’t contain the SSLProxyHost entry and the address shows a private ip address from the XenApp server. any clue?

        Br. Ivo

          1. To proxy ICA through Gateway, in StoreFront, you need a Gateway set to HDX Routing. This causes StoreFront to replace internal IP with Gateway FQDN.

          2. When I set the NetScaler Gateway to Authentication and HDX routing on the StoreFront server the access field says “Internal network only”. Is this right?
            I have set the Secure Ticket Authority servers to http://servername.domainname.org/scripts/ctxsta.dll
            Those are the same servers as I have defined in NetScaler Gateway -> Virtual Servers -> name -> published applications

            When I start a published application I get the message: App “Calculator can’t be started”
            On the storefront server i get errors in the event viewer beneath Citrix Delivery Services

            Event 1
            The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address http://servernamex.domainname.org/scripts/ctxsta.dll [CtxSTAProtocol.TRequestTicket]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.
            Event 2
            All the configured Secure Ticket Authorities failed to respond to this XML transaction: http://servername1.domainname.org/scripts/ctxsta.dll, http://servername2.domainname.org/scripts/ctxsta.dll.
            Event 3
            Failed to launch the resource ‘Controller.Calculator’, unable to obtain a ticket from the configured Secure Ticket Authorities.

            The XML brokers are running on my XenApp controllers on port 8080. I am not able to define any ports when I configure the Secure Ticket Authority server on the StoreFront server store (NetScaler Gateway settings).
            Or should this always talk on port 433 https?

            BR. Ivo

  24. Carl,

    The screenshots don’t match the text starting from the section “Delivery Controllers – SSL”
    all the way down to “Receiver for Web Pass-through Authentication”

    Best regards,

    Ard

  25. Thanks Carl. I am facing an issue with an additional Windows sign-in prompt even after authenticating to the StoreFront URL, when launching the application. Do you know how to fix this issue? I configured StoreFront and Citrix Studio.

    1. Are you doing Single Sign-on to StoreFront? If so, you also need to configure Single Sign-on in Receiver?

      Or maybe you have RDP Prompt for Password enabled in a GPO somewhere.

      1. Thanks a lot Carl for your quick response. I found the root cause.

        Brief introduction to the problem: I configured 2 Delivery Controllers, 2 StoreFront servers and 1 XenApp 7.7 VDA (session host server (Server 2012 R2)). I created a machine catalog and delivery group, installed applications, and published an application using Citrix Studio. When launching the application, I was getting an additional Windows prompt.

        Solution: On the XenApp 7.7 VDA (session host server). Earlier, I did not configure the role – Remote Desktop Services on that server. Now, I configured Remote Desktop Services Configuration for Server 2012 R2. Click on Remote Desktop Services, click on Session Collection, and change the security settings to Security Layer: RDP Security Layer; Encryption Level: Low and uncheck “Allow Connections only from Computers running Remote Desktop with network level authentication”. That solved the problem.

        P.S: Click on the article below to navigate to RDS Basic configuration (Go to iv (a))
        Article: http://social.technet.microsoft.com/wiki/contents/articles/20684.management-how-to-changes-for-rds-in-windows-server-2012-and-2012r2.aspx

  26. Carl, at the configuration stage, you mention the command Set-ExecutionMode RemoteSigned
    This should be Set-ExecutionPolicy RemoteSigned

  27. All, Is there any way that I can hide all “Apps” under Application tab, and only want “Featured App Group” to display.

    Thank you,

    Vinh Le

      1. Thanks Carl, I finally figured out what the issue was. The Web.Config was not replicated so I manually did it.

  28. Carl I noticed this with 3.5. I create the first store and Receiver for website. I then create the second store and receiver for website. I logoff the server and logon and then the second receiver for website is now located under the first store. Have you seen this?

  29. Just a hint for any that are trying an in place upgrade from 3.x to 3.5 as I have…. Post upgrade I couldn’t launch any apps. couldn’t find any hints on line but digging through the console I found that I had to set up site aggregation, as we have multiple Citrix farms…… this is a new option under the ‘Manage Delivery Controllers’ window.

      1. This is now disabled by default and you have to set them by going into “Manage Receiver for Web Sites” and then under “Workspace Control” there are 2 check boxes for the Reconnect button and Disconnect button. Once on, at the main StoreFront window where your username is, the drop-down menu will now have the 2 options.

  30. I installed 3.5 also, but found three “bugs”.

    But I miss something on the front page of StoreFront.
    I enable Workspace Control.
    But on the StoreFront page, when I log on, there’s (as an example) no reconnect button.
    Are you missing that also?

    And I enable account self-service.
    I have to fill in my domain\username. It’s not ideal for users to fill in our domain name.

    And last one.
    I configured StoreFront to communicate with XA65 controllers/XML brokers.
    But I can’t log in. I get a message: Could not load error message when I start a Desktop.
