StoreFront 2203 LTSR CU2 through 3.5 – Basic Configuration

Last Modified: Jan 30, 2023 @ 9:48 am


This article applies to StoreFront versions 2203 LTSR CU2, 1912 LTSR CU6, 1909, 3.16, 3.12.9000, and all other versions 3.5 and newer.

💡 = Recently Updated

StoreFront Versions

The most recent StoreFront release is version 2203 LTSR CU2 (

  • Starting with version 1811, the version numbering changed to a YYMM (year/month) format.
  • Versions 2203 and 1912 are Long Term Service Releases (LTSR).

The user interface in StoreFront 1811 and newer is now the “purple” interface, which is different from versions 3.16 and older. Be aware of this change before you upgrade StoreFront. Customizations might not work in the new interface. There doesn’t appear to be any way to revert to the older user interface.

Download one of the following versions of StoreFront. For LTSR versions of Citrix Virtual Apps and Desktops (CVAD), deploy the StoreFront that comes with your version of LTSR CVAD.

StoreFront Installation / Upgrade

For small environments, it might be OK to install StoreFront on the Delivery Controller machines. But usually StoreFront and Delivery Controllers are separate machines.

  • If StoreFront will pull icons from multiple Citrix Virtual Apps and Desktops sites/farms, then StoreFront should be installed on its own machines.

To automate the installation of StoreFront, see Dennis Span Citrix StoreFront unattended installation with PowerShell.

The user interface in StoreFront 1811 and newer is now the “purple” interface, which is different from versions 3.16 and older. Be aware of this change before you upgrade StoreFront. There doesn’t appear to be any way to revert to the older user interface.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB RAM.

  1. If upgrading, do the following before beginning the upgrade:
    1. Other Users – Use Task Manager > Users tab to log off any other user currently logged into the machine.
    2. Export the StoreFront configuration so you can restore it if something goes wrong.
    3. Stop the World Wide Web Publishing Service.
    4. Stop all StoreFront services.
    5. Close all PowerShell and StoreFront consoles.
    6. Citrix CTX226419 StoreFront upgrade fails to keep the setting in default ICA file. Take a backup of default.ica and usernamepassword.tfrm from C:\inetpub\wwwroot\Citrix\StoreName\App_Data. After upgrading StoreFront, replace the new default.ica and usernamepassword.tfrm with the old default.ica and usernamepassword.tfrm files to ensure you retain the old settings.
    7. If Microsoft SCOM Agent is installed, then stop the Microsoft Monitoring Agent service.
    8. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
  2. Operating system support:
    • StoreFront 2203 and StoreFront 1912 CU4 and newer are supported on Windows Server 2022.
    • StoreFront 2203 is not supported on Windows Server 2012 R2.
    • StoreFront 1912 and newer are supported on Windows Server 2019.
  3. Run CitrixStoreFront-x64.exe from the CVAD LTSR ISO at /x64/StoreFront. Or download it separately.
  4. In the License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Review prerequisites page, click Next.
  6. In the Ready to install page, click Install.
  7. In the Successfully installed StoreFront page, click Finish.
  8. Click Yes if prompted to reboot.
  9. See CTX399424 Gateway Callback and / or XML Communication fails after upgrade to Storefront 2203 for a workaround. The fix is included in StoreFront 2203 LTSR CU1 and newer.
  10. If you upgraded a StoreFront server that was connected to Citrix Federated Authentication Service (FAS), then also upgrade Citrix Federated Authentication Service.
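The pre-upgrade steps in item 1 above can be scripted. The following PowerShell is an added example, not part of the original article. It assumes a store named StoreName (the placeholder used in the path above), a backup folder of C:\StoreFrontBackup, and that every service whose display name begins with "Citrix" on this machine belongs to StoreFront (not true if the server is also a Delivery Controller or VDA).

```powershell
# Added example: pre-upgrade backup and service shutdown for a StoreFront server.
# Run from an elevated PowerShell prompt, then close the window before
# starting the installer (step 5 of the checklist).

$StoreName  = 'StoreName'             # placeholder: your store's IIS folder name
$BackupRoot = 'C:\StoreFrontBackup'   # assumed backup location

$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Step 1: list other logged-on sessions so they can be logged off first.
quser.exe

# Step 2: export the StoreFront configuration (cmdlet from the StoreFront
# PowerShell SDK installed with StoreFront).
Export-STFConfiguration -TargetFolder $target -ZipFileName 'StoreFrontConfig'

# Step 6 (CTX226419): keep copies of the files the upgrade may overwrite,
# and record their hashes so the restored copies can be verified afterwards.
$appData = "C:\inetpub\wwwroot\Citrix\$StoreName\App_Data"
foreach ($file in 'default.ica', 'usernamepassword.tfrm') {
    $source = Join-Path $appData $file
    if (Test-Path -Path $source) {
        Copy-Item -Path $source -Destination $target
        Get-FileHash -Path $source -Algorithm SHA256 |
            Export-Csv -Path (Join-Path $target 'hashes.csv') -Append -NoTypeInformation
    }
    else {
        Write-Warning "Not found, nothing backed up: $source"
    }
}

# Step 3: stop the World Wide Web Publishing Service.
Stop-Service -Name W3SVC -Force

# Step 4: stop the StoreFront services.
# Assumption: all running services with a display name starting with "Citrix"
# on this machine are StoreFront services.
Get-Service -DisplayName 'Citrix*' |
    Where-Object { $_.Status -eq 'Running' } |
    Stop-Service -Force

# Step 7: stop the Microsoft Monitoring Agent (service name HealthService)
# if the SCOM agent is installed.
$scomAgent = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if ($scomAgent -and $scomAgent.Status -eq 'Running') {
    Stop-Service -InputObject $scomAgent -Force
}

# Show what is still running so nothing is missed before the upgrade.
Get-Service -Name W3SVC, HealthService -ErrorAction SilentlyContinue |
    Format-Table Name, DisplayName, Status -AutoSize
Get-Service -DisplayName 'Citrix*' | Format-Table Name, DisplayName, Status -AutoSize
Write-Output "Backup written to $target"
```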

If this is a new install, skip to the Initial Configuration.

If you upgraded from StoreFront 2.6 or older, then do the following to enable the Receiver X1 theme:

  1. In the StoreFront Console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page select Disable classic experience. Note: this page is no longer available in StoreFront 1903 and newer.
  5. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.

  6. Go to Stores. In the middle, right-click your Store, and click Configure Unified Experience.
  7. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
  8. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading from StoreFront 3.8 or older, then do the following to add SAML Authentication as an option. This feature lets you perform SAML against StoreFront without needing Citrix Gateway. If you did a fresh deployment of 3.9 or newer, then SAML is already added.

  1. Right-click your Store, and click Manage Authentication Methods.
  2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
  3. Check the box next to SAML Authentication, and click OK.
  4. If you don’t want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

  1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
  2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.
  3. In the middle, click Create a new deployment.
  4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server’s name and then change it later once you set up SSL and load balancing. Click Next.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. The name entered here is part of the URL path (e.g. /Citrix/CorpStoreWeb)
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the Citrix Virtual Apps and Desktops (CVAD) farm. This name does not need to match the actual farm name.
  10. Add the two Delivery Controllers. Change the Transport Type to HTTP. Click OK. You can set it to HTTPS if you have valid certificates (trusted by StoreFront) installed on your Delivery Controllers.
  11. If you have multiple Citrix Virtual Apps and Desktops sites/farms, feel free to add them now. You can also add older XenApp 6.5 farms. Click Next when done.
  12. In the Remote Access page, don’t check the box. Just click Next. You can set this up later.
  13. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from Citrix Gateway. Click Next.
    Note: if you want Domain pass-through authentication for browser users, you also need to enable it for Receiver for Web as detailed later in this article.

  14. In the XenApp Services URL page, click Create.
  15. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

  1. Install StoreFront on the second server.
  2. Create/Import an SSL certificate and bind it to the Default Web Site.
  3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group and click Add Server.
  4. Copy the Authorization code.
    Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.

  5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
  6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
  7. Then click OK.
  8. Go back to the first server. Click OK.
  9. Notice this message. It is good advice.
  10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group, and clicking Propagate Changes.
  11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.

See for additional places where CEIP is enabled.

Citrix Analytics

StoreFront 1906 and newer supports uploading data to Citrix Analytics.

The client devices must be running Workspace app 1903 and newer.

See Enable Analytics on Virtual Apps and Desktops on-premises at Citrix Docs.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occurred while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

  1. In the StoreFront console, on the left, click Stores.
  2. Right-click your store, and click Remove Store.
  3. Click Yes.
  4. On the left, right-click Stores, and click Create Store.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. The name entered here is part of the URL path (e.g. /Citrix/CorpStoreWeb).
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the Citrix Virtual Apps and Desktops farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop or Citrix Virtual Apps and Desktops.
  11. Add the two Delivery Controllers.
  12. Change the Transport Type to HTTP. Click OK. You can leave it set to HTTPS (recommended) if you have valid certificates (trusted by StoreFront) on your Delivery Controllers.
  13. If you have multiple Citrix Virtual Apps and Desktops farms, feel free to add them now. You can also add older XenApp farms. Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
  14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
  15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from Citrix Gateway. Click Next.
  16. In the XenApp Services URL page, click Create.
  17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates on the StoreFront servers or your load balancer. There are two options for StoreFront SSL.

  • SSL Offload: Use Citrix ADC to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP with no IIS server certificate. The SSL certificate on the Citrix ADC must match the DNS name that resolves to the load balancing VIP.
  • SSL End-to-end: Install an SSL certificate on each StoreFront server and bind it to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g., Citrix ADC), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match for every email domain. Usually, the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes, then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

If the certificate does not match, then users will see this message when attempting to use email discovery in Citrix Workspace app.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be for every email domain.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

  • If you are implementing Single FQDN for internal and external users, then the certificate for external Citrix Gateway can also be used for internal StoreFront.
    • Single FQDN has additional Subject Alternative Name certificate requirements, including Internal Beacon FQDN and Callback FQDN.
  • If you will support non-domain-joined machines (e.g., iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to Citrix ADC (for Load Balancing and Citrix Gateway). Public Certificate Authorities (e.g., GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

  • If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.

Once the certificate is created or imported, bind it to IIS:

  1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
  2. Click Add.
  3. Change the Type to https and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.
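To confirm both the Subject Alternative Name requirements and the IIS binding described above, the following PowerShell reads the certificate bound to the Default Web Site and checks it against the names StoreFront needs. It is an added example, not part of the original article; the FQDN and email domains are placeholders to replace with your own.

```powershell
# Added example: check the IIS https binding and the names on its certificate.
# Placeholder values, replace with your own names.
$LoadBalancedFqdn = 'storefront.corp.example'
$EmailDomains     = @('corp.example', 'mail.example')

Import-Module WebAdministration

function Test-CertNameMatch {
    # Returns $true when $HostName is covered by one of the certificate names.
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string[]] $CertNames
    )
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.corp.example matches discoverReceiver.corp.example
        # but not a.b.corp.example and not corp.example itself.
        if ($name.StartsWith('*.')) {
            $suffix   = $name.Substring(1)          # e.g. ".corp.example"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -ieq $suffix) {
                return $true
            }
        }
    }
    return $false
}

$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No https binding found on Default Web Site.' }

# bindingInformation has the form IP:port:hostname. The Host name field
# must be empty, so the string should end with a colon.
if ($binding.bindingInformation -notmatch ':$') {
    Write-Warning "Host name is set on the https binding: $($binding.bindingInformation)"
}

$certPath = 'Cert:\LocalMachine\{0}\{1}' -f $binding.certificateStoreName, $binding.certificateHash
$cert     = Get-Item -Path $certPath

# DnsNameList holds the DNS names Windows reads from the certificate
# (Subject Alternative Name DNS entries and the subject common name).
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

# Required names: the load balanced FQDN plus one discoverReceiver name
# per email domain (only needed for email-based discovery).
$required = @($LoadBalancedFqdn) + ($EmailDomains | ForEach-Object { "discoverReceiver.$_" })

$results = foreach ($hostName in $required) {
    [pscustomobject]@{
        RequiredName = $hostName
        Covered      = Test-CertNameMatch -HostName $hostName -CertNames $certNames
    }
}

"Certificate : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter)"
"Names       : $($certNames -join ', ')"
$results | Format-Table -AutoSize

if ($results.Covered -contains $false) {
    Write-Warning 'The bound certificate does not cover every required name.'
}
```

Run it on each StoreFront server in the server group. With SSL Offload the same name check applies to the certificate on the load balancer instead.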

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the StoreFront Store to use SSL when communicating with the Delivery Controllers.

  1. In the StoreFront Console, on the left click Stores.
  2. In the middle, right-click your store, and click Manage Delivery Controllers.
  3. Highlight the deployment and click Edit.
  4. The Servers list must contain FQDNs that match the certificates installed on those Delivery Controller servers.
  5. Change the Transport type to HTTPS.
  6. Click OK twice.
  7. See CTX399424 Gateway Callback and / or XML Communication fails after upgrade to Storefront 2203 for a workaround. The fix is included in StoreFront 2203.1.

Base URL – Change

  1. Configure load balancing of the StoreFront servers, including SSL certificate.
  2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  3. Enter the StoreFront Load Balancing FQDN as the new Base URL in format.
    1. Receiver requires that the Base URL is https. It won’t accept http.
    2. If you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.
  4. Click OK.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

  1. On the left, right-click Stores, and click Set Default Website.
  2. Check the box next to Set a Receiver for Web site as the default page in IIS and click OK.
  3. Click Yes to overwrite.
  4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

  1. In the Citrix StoreFront console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Authentication Methods.
  3. Check the boxes next to Domain pass-through and Pass-through from Citrix Gateway.
  4. If you intend to enable pass-through authentication from Receiver Self-Service (native Workspace app) or from Receiver for Web (web browser), then in Web Studio (CVAD 2212 and newer), go to Settings and Enable XML trust.

    • Or go to a Delivery Controller and run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. You might have to run asnp citrix.* first.
  5. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs.
    • StoreFront 3.6 and newer can be workgroup members without joining a domain.
  6. Click the top gear icon, and then click Configure Trusted Domains.
  7. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from Citrix Gateway.
  8. Select one of the domains as the default.
  9. If desired, check the box next to Show domains list in logon page. Click OK.
  10. Click the top gear icon, and then click Manage Password Options.
  11. Make your selection, and click OK.
  12. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.
  13. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
  14. If you have Citrix Virtual Apps and Desktops and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See the following for detailed implementation guides.
  15. Change the selection to Citrix SSPR, and click Configure.
  16. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end). Click OK three times.
  17. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
  18. The logon page also has an Account Self-Service link.

Unified Receiver Experience (StoreFront 1811 and older)

If you did a clean install of StoreFront 3.5 through StoreFront 1811, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI.

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page (only visible in StoreFront 1811 and older), select Disable classic experience. Click OK, and click Close.
  5. On the left, click Stores. In the middle, right-click your store, and click Configure Unified Experience.
  6. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups.

In StoreFront 1811 and newer, Featured App Groups are shown in the user interface as Collections.

  • The HOME page shows the Featured App Groups in a ribbon with arrows to let the user see more Featured App Groups. The ribbon view is limited to three icons per Featured App Group. When the user clicks a Featured App Group, every icon in the Featured App Group is shown.
  • The APPS page has a Collections tab showing all collections and the number of icons in each Collection.
  • When the user clicks a collection, all icons in the collection are shown. The user can click Add All on the top right to mark all of the icons as Favorites.

To create Featured App Groups:

  1. Go to Stores > myStore > Manage Receiver for Web Sites > Configure.
  2. In the Edit Receiver for Web site window, on the Featured App Groups page, click Create.
  3. Give the Collection a name and a description.
  4. At the bottom, there are three methods of adding icons to the Featured App Group.
  5. If you select the Keyword option, then enter a keyword that will be added to the published apps that are in this collection.
  6. In Citrix Studio, go to the Properties of a published application. In the Description field, at the end, enter KEYWORDS:myCollectionKeyword.

In StoreFront older than version 1811:

  • Featured App Groups are displayed at the top of the Apps > All page.
  • By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group.
  • Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.
  • If you want to display more than 3 apps per group, see Michael Bednarek at Modify Receiver for Web site at Citrix Discussions.

Receiver for Web (browser) Pass-through Authentication

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
  5. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.
  6. If you want to default to Pass-through without any user prompt, then see Citrix Blog Post Configuring domain pass-through as your default authentication method.

Workspace app for HTML5 2301

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver / Workspace app page, change the drop-down to Use Receiver for HTML5 if local Citrix Receiver/Workspace is unavailable.
  5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at Citrix Docs for more information.
  6. Click OK, and then click Close.
  7. Download the Workspace app 2301 for HTML5 (version
    Note: new versions of Workspace app for HTML5 are released frequently. For example, 2108.2 and newer support webcams and cameras. 2109 and newer support copy/paste of images, battery status indicator, and Windows key on keyboard.

  8. Install the HTML5 Workspace app (CitrixHTML5Client-x64.exe) on one of the StoreFront servers. It installs without prompting. Repeat this step on all StoreFront servers in the Server Group since Propagate Changes doesn’t seem to propagate the new Workspace App.

  9. To see the installed version of HTML5 Workspace app, in StoreFront console, click the Stores node on the left.
  10. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab. You might have to click Refresh to see the new version.

HTML5 Workspace app configuration

  1. Copy/paste of text using Ctrl+C and Ctrl+V – HTML5 Workspace app version 1907 adds support for copy/paste of text using Ctrl+C and Ctrl+V, and the feature is enabled by default. More info at Enhanced clipboard experience at Citrix Docs.
  2. Multi-monitor – HTML5 Workspace app has a multi-monitor feature, which is enabled by default.
  3. To configure HTML5 Workspace app, edit the file “C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js”.

    1. Customer Experience Improvement Program (CEIP) is enabled by default. To disable CEIP in HTML5 Workspace App 1906 and newer, find the first analytics section and change enabled to false.
    2. To disable CEIP in HTML5 Workspace App 1905 and older, search for the ceip section, and change it to false.
  4. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  5. For VDA 7.15 and older, optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Workspace app download page.
    Note: in VDA 7.16 and newer, the PDF Printer is included with the VDA installation and no longer needs to be installed separately.

You can change other HTML5 Receiver configurations by either editing C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js or using the Citrix Workspace app (earlier known as Citrix Receiver) for Chrome and HTML5 – Configuration Utility downloadable from CTX229141.

  • HTML5 Workspace app has improved PDF printing in Chrome and Firefox. Enable it by setting supportedBrowsers to true.
  • When printing from HTML5 Workspace app to the Citrix PDF Printer, the user must click Continue to show the PDF. You can get rid of this prompt. In the configuration.js file, scroll down to the line containing printDialog and set it to true.

  • The new HTML5 Workspace app toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.


If HTML5 Workspace app is enabled, users have the option of selecting either native or HTML5 by clicking Change Citrix Receiver or Change Citrix Workspace app.

  1. In StoreFront 1912 or StoreFront 2203, click the gear icon on the top right and then click Account Settings.
  2. Click either Change Citrix Workspace app or Change Citrix Receiver.

  3. If you want to use the locally installed Workspace app, then click the blue Detect Citrix Workspace app or blue Detect Receiver button. If you want to use the HTML5 Client, click Use light version.


Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • How to view HTML5Client log file

Deploy Citrix Workspace app

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver/ Workspace app page, check the box next to Allow users to download HDX engine (plug in).
  5. Change both source drop-downs to Local files on the StoreFront server.

    1. For Windows, download one of the following:
    2. For Mac, download Workspace app 2301 for Mac or Workspace app 2301 for Mac with Apple Silicon.

    3. Click each of the Browse buttons and browse to the downloaded Workspace app.
    4. You can optionally enable Upgrade plug-in at logon.
    5. Click OK when done, and Close when done.
  6. If you prefer for users to download Workspace app from the Citrix website, then note that StoreFront might default to downloading Receiver instead of Workspace app. To change it to Workspace app, do the following:
    1. In StoreFront Console, in the Deploy Citrix Receiver/ Workspace app page, change Windows source and Mac source to Files on remote server (through URL).
    2. Enter the following paths. The default paths might be http instead of https and you should change them to https.
      Windows Receiver =
      Mac Receiver =
  7. When users connect to Receiver for Web, they will be prompted to install or upgrade. In StoreFront 2203, the screens say Workspace app.
  8. In older versions of StoreFront, the screens might say Citrix Receiver instead of Citrix Workspace app.

  9. You can change it to Citrix Workspace app by following the instructions at CTX221097 How to rename items on StoreFront?.

    • Search the list of strings in the KB article for any string containing the word Receiver, copy the string to C:\inetpub\wwwroot\Citrix\StoreWeb\custom\strings.en.js, and change it to Workspace app. A few of the strings are shown below. Make sure there are commas between each item except the last item.
  10. If you don’t want StoreFront to detect the locally installed Workspace app, then switch to the Advanced Settings page and uncheck the box next to Enable protocol handler. This disables

Receiver for Web Timeout

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Session Settings page, set the Session timeout as desired, and click OK.
  5. If you are using a Citrix ADC, you will need to change the Global Session Timeout located at Citrix Gateway => Global Settings => Change Global Settings (right pane) => Client Experience (tab) => Session Time-out (mins).

  6. From Change the session time-out of Citrix Receiver for Web at Citrix Docs: If you increase the session timeout for RfWeb to be more than 1 hour, you must also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
  7. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

Favorites, Categories, and Default Tab

By default, when a user logs into StoreFront, the HOME tab or Favorites tab is selected. Users can go to other tabs to add icons to the list of Favorites.

In StoreFront 1811 and newer:

  • Favorites are shown on the HOME tab.
  • Favorites are also shown on the APPS view on the Favorites tab.
  • The user can click the star icon next to a published icon to mark that published icon as a Favorite and add it to the HOME view and Favorites tab.
  • On the APPS view, the user can expand the Categories drop-down and select a Category to view all icons in that Category.

    • StoreFront 1912 CU2 and newer has an option to collapse the categories after one is selected. Notice the Uncategorized folder.
    • After clicking a category, the user must click Categories again to switch to a different category.
    • StoreFront 1912 CU5 and StoreFront 2203 have an option to show Uncategorized icons directly below the Categories list if no Category is selected by the user.
    • This feature is configured in StoreFront console > click your store > Manage Receiver for Web sites > Configure > Category Settings. 1912 CU5 and 2203 add the checkbox option to Move uncategorized apps into an Uncategorized folder. It’s checked by default, but you can uncheck it.
  • Categories are configured in the Properties of the published application on the Delivery page.
  • Collections are configured as Featured App Groups.

In StoreFront older than 1811:

  • There’s a FAVORITES view.
  • On the APPS or DESKTOPS views, the user can click the Details link next to a published icon.
  • Then the user can click Add to Favorites to add the icon to the FAVORITES view.

Favorites can be controlled by the administrator:

  • You can completely remove the FAVORITES or HOME views by going to Stores > myStore > Configure Store Settings > User Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

  • To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:
    • KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
    • KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.
    • With Mandatory applications there is no option to remove the application from Favorites.
  • Citrix Blog Post How to implement dynamic landing pages in StoreFront has code for the following: If favorites exist, go to favorites tab. If favorites do not exist, go to the store tab. 💡
    //If favorites exist, go to favorites tab. If favorites do not exist, go to the store tab.
    var favoritesExist = false;
    CTXS.Extensions.sortMyAppList = function (app_array, defaultSortFn) {
      //This version checks if the amount of user favorites are greater than or equal
      //to "favoriteThreshold".
      var favoriteThreshold = 1;
      var favoriteCount = 0;
      for (var i = 0; i < app_array.length; i++) {
        if (app_array[i].canBeRemoved()) {
          favoriteCount++;
        }
      }
      if (favoriteCount >= favoriteThreshold) {
        favoritesExist = true;
      }
      //This should always be called at the end
      defaultSortFn();
    };
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
      if (favoritesExist == false) {
        CTXS.ExtensionAPI.changeView("store");
      }
    };
  • Trentent Tye has a simple customization for C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js to default to the APPS view if the user doesn’t have any favorites. See Citrix Storefront – Adventures in customization – Default to “Store” view if you have no favourited app’s.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
     /* If the user has no favorited apps, set the view to the apps view */
     if (CTXS.Store.getMyApps().length == 0) {
      CTXS.ExtensionAPI.changeView("store");
     }
    };
  • You can change the default view and view visibility by going to the Stores > myStore > Manage Receiver for Web Sites > Configure > Client Interface Settings page.
  • In StoreFront 1811 and newer, if you want to default to the APPS tab with Categories view expanded, then see CTP Sam Jacobs at Storefront 1811 – Default to Categories view at Citrix Discussions. Or see Citrix Blog Post How to land on the categories view in StoreFront 1811+.

    • Add the following to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js.
      Note: if you already have afterDisplayHomeScreen in your script.js file, then you’ll need to merge them.
      function categoriesDelay() {
      CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
  • In StoreFront older than version 1811, if you change the default view to APPS, then you might also want to default to the Categories view instead of the All view.

    • When publishing applications in Citrix Studio, on the Delivery page, specify an Application category so the applications are organized into folders.
    • To default the Apps view to the Categories view instead of the All view, add the following code to the end of the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions.
      CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
      CTXS.Extensions.onViewChange = function (viewName) {
        if (viewName == 'store') {
          window.setTimeout(function () {
          }, 0);

    • Then when you login to StoreFront, you’ll see Apps > Categories as the default view. This works in Workspace app too.
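The snippets above each assign CTXS.Extensions.afterDisplayHomeScreen, and a later assignment replaces an earlier one, which is why they have to be merged. The following is an added example (not code from Citrix or from the linked posts) of one merged script.js that keeps any hook already installed. The names installLandingHooks, countRemovableFavorites, makeStubCTXS, makeApp and simulateLogon and the sample apps are hypothetical, and the stub stands in for the browser's CTXS object so the logic can be run under Node.

```javascript
// Added example for custom/script.js. Hook and API names (sortMyAppList,
// afterDisplayHomeScreen, canBeRemoved, changeView) are the ones used in the
// snippets on this page; every other name below is hypothetical.

// Count favorites the user is able to remove, as the page's snippet does.
function countRemovableFavorites(appArray) {
  var count = 0;
  for (var i = 0; i < appArray.length; i++) {
    if (appArray[i].canBeRemoved()) {
      count++;
    }
  }
  return count;
}

// Install both hooks once. Any afterDisplayHomeScreen handler that was
// already assigned is captured and still runs, instead of being overwritten.
function installLandingHooks(CTXS, favoriteThreshold) {
  var favoritesExist = false;
  var previousAfterHome = CTXS.Extensions.afterDisplayHomeScreen;

  CTXS.Extensions.sortMyAppList = function (app_array, defaultSortFn) {
    favoritesExist = countRemovableFavorites(app_array) >= favoriteThreshold;
    // This should always be called at the end
    defaultSortFn();
  };

  CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
    if (typeof previousAfterHome === 'function') {
      previousAfterHome(callback);
    }
    if (!favoritesExist) {
      CTXS.ExtensionAPI.changeView('store');
    }
  };
}

// ---- Constructed test scaffolding (not part of StoreFront) ----

// Minimal stand-in for the CTXS object; records every changeView call.
function makeStubCTXS() {
  var stub = { Extensions: {}, ExtensionAPI: {}, viewChanges: [] };
  stub.ExtensionAPI.changeView = function (viewName) {
    stub.viewChanges.push(viewName);
  };
  return stub;
}

// Constructed sample app. Assumption: an app the user cannot unsubscribe
// from (for example KEYWORDS: Mandatory) reports canBeRemoved() === false.
function makeApp(name, removable) {
  return {
    name: name,
    canBeRemoved: function () { return removable; }
  };
}

// Drive the hooks in the order the page relies on: sort first, then home screen.
function simulateLogon(apps, existingHook) {
  var CTXS = makeStubCTXS();
  var sortCalls = 0;
  if (existingHook) {
    CTXS.Extensions.afterDisplayHomeScreen = existingHook;
  }
  installLandingHooks(CTXS, 1);
  CTXS.Extensions.sortMyAppList(apps, function () { sortCalls++; });
  CTXS.Extensions.afterDisplayHomeScreen(function () {});
  return { viewChanges: CTXS.viewChanges, sortCalls: sortCalls };
}

// In the real script.js only this call is needed; under Node CTXS is undefined.
if (typeof CTXS !== 'undefined') {
  installLandingHooks(CTXS, 1);
}
```

With this threshold logic, a user whose only subscriptions cannot be removed is still sent to the store view, because those entries are not counted.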


Beacons

  1. On the left, right-click Stores, and click Manage Beacons.
  2. Configure an Internal Beacon. Receiver Self-Service (Workspace app native interface) tries to connect to the Internal Beacon to determine if Workspace app is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to Citrix Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.
    If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.
    If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP, thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.
    If you want to force internal Receiver Self-Service users to connect through Citrix Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses Citrix Gateway. Or you can use Optimal Gateway to achieve the same goal.
  3. The External beacons are used by Workspace app to determine if Workspace app has Internet access or not. You can use any reliable Internet DNS name. is no longer valid and should be changed to some other address. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

  1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  2. You might see a message saying that you made changes on the wrong server.
  3. Click Yes when asked to propagate changes.
  4. Click OK when done.
  5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

  • Export-STFConfiguration
  • Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Logon Simulator

ControlUp has ScoutBees logon simulator for StoreFront and Citrix Gateway.

eG Innovations has a free Logon Simulator for Citrix XenApp and XenDesktop.


346 thoughts on “StoreFront 2203 LTSR CU2 through 3.5 – Basic Configuration”

    1. Older versions of StoreFront did not support Loopback, which means that inter-process communication (on the same server, or different servers) went through the VIP. Need to keep that traffic local. If you enabled loopback (enabled by default), then it shouldn’t be needed. However, it’s useful for troubleshooting.

  1. We are facing the update of our Storefront Servers. The actual ones are running on W2K8r2. My plan was to deploy two new servers that are running W2K16, install the same storefront version as on the 2008 servers, join them to the farm, sync and remove the W2K8r2 servers after a successful sync.
    Now the point that lets me doubt a little: The official Citrix Doc says, Storefront Servers with different OS in one group are not supported. Are they not supported in case of failure so i can’t do the migration this way or is it OK for the time of migration?

    1. I don’t know their official support stance on migrations.

      You could build new servers in a new server group and swap them out at the load balancer.

      1. Thanks for the quick reply Carl.
        The Official stance is here So I guess I have to Export the configuration from the current Group, install the new Servers and Import the configuration and then swap the old Servers out at the LB? At least this is what is written here at the bottom of the page

  2. Hi Carl,

    Just to complete your great work. I also have a 1603 error during an upgrade because performance counters were corrupted.

    Exception occurred installing feature package ‘C:\Program Files\Citrix\Receiver StoreFront\FeaturePackages\’. System.InvalidOperationException: The installation failed, and the rollback has been performed. —> System.InvalidOperationException: Cannot load Counter Name data because an invalid index ” was read from the registry.

    The lodctr /R command repaired the counter, and after that everything was OK.



  3. I can’t find any proper documentation with the steps needed for upgrading from SF 3.5 to 3.12 when you have multiple servers in a group. Citrix documentation ( talks about upgrading (more like migrating) from 3.0.x and below, which seems to be basically starting over fresh with the store(s). Even this page doesn’t seem to properly cover an upgrade.

    I tried running 3.12 install on our 3 servers that are in a group and the store seemed to be hosed even though it was able to propagate without issue.

    I tried pulling 2 servers from the group, running the install on the server left in the group. I then uninstall SF, install 3.12, join to group the other 2 servers and they join successfully, but will not propagate successfully.

    So what is the proper process to upgrade from 3.5, or whatever version above 3.0.x, when you have multiple servers in a group?

    1. I disabled the storefronts from receiving logins (from the NetScaler). I read that if you are still accepting connections and someone does connect while upgrading that’ll hose things

  4. Hi Carl,

    Can you please confirm for me if I can upgrade my StoreFront servers independently from my XenDesktop version i.e. upgrade to SF 3.12 whilst still running XD 7.8? I am reluctant to upgrade to XD 7.15 just now given how fresh it still is.


    1. Yes, StoreFront is independent of XenDesktop.

      7.15 is a service pack for 7.14. So it’s not that new.

      7.8 is a “Current Release”. You should have been upgrading it twice a year. If you’re not willing to do that, then upgrade to 7.15 LTSR, and stay on 7.15 (don’t upgrade to 7.16). There will be Cumulative Updates for 7.15, which should also be deployed twice a year.

  5. I had store front 3.9 in my ENV when I am trying to deploy the Citrix receiver locally. It is not working.

    I made the changes as suggested in the Blog and created the Folders for Windows & Mac.

    1. What exactly is not working? It’s not offering Receiver to machines that don’t have Receiver installed? It’s not offering to upgrade Receiver? What browser are you trying this with?

        1. You might have to upgrade StoreFront to support newer browsers. When Chrome connects, there should be a blue button to Detect Receiver. If it fails, it should give you the Receiver download. I’ve seen load balancers interfere with this process, especially when mixing HTTP and HTTPS content.

  6. Hello Carl,

    I have deployed XA7.15 LTSR in my environment with Storefront 3.12. We have parent and child domain topology in which the infrastructure server DDC, PVS, Storefront and VDAs are in Parent domain the users are logging in from Child domain. I have enabled Domain Pass through on Storefront and its not working, gives an error Cannot Start Desktop. If I do not use domain pass through and explicitly punch in credentials, the desktop launches without any issues. I ran the command – Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True on DDCs, and after running this command the desktop is launching as if through domain-pass through but it goes to the logon screen which is defaulting to parent domain, and I have to put in child domain credentials to get in to the desktop. Am I missing any step in configuring the domain pass through Or some setting on DDC for authentication ?

  7. Carl,

    setting up hosts file as per your advise below:

    StoreFront Load Balancing FQDN (e.g. = Load Balancing VIP in the local datacenter.
    NetScaler Gateway Callback FQDN (e.g. = NetScaler Gateway VIP in the local datacenter.

    NetScaler Gateway Callback FQDN (e.g. are you referring to callback required for smartaccess? which is setup under “Edit NS settings” on storefront. i am a bit confused.

    in my case i’ve added following in hosts file access.domain.local (Base URL) accesscb.domain.local (which is callback-URL vip required for smart access)

    in our setup everything is funneled via load balanced netscalers. pretty much Base URL is essentially we call it netscaler-storefront-vip and callback-URL is netscaler-callbackurl-vip.

  8. hi Carl,

    I have a Citrix setup with approx 150 users. Do you recommend installing SF and the controller on separate machines? I don’t have any policies or any aggregating of different sites. I feel better installing on different machines, but have no technical reason why I should as long as I give it enough RAM\CPU, etc.

  9. HI Carl,
    I used the code in the “default tab” section to make Category view in App tab. It didn’t work. I even restarted IIS.
    Went through the discussion link. Seems everyone confirms it is working.
    I run SF 3.11 on Win2012. Is there anything I miss?

  10. Carl-
    In my store-front Authentication section, I’m not able to see the ‘HTTP Basic’ option. It shows only the below

    User name and password
    Domain pass-through
    Pass-through from Netscaler Gateway

    Advanced -> Install option only show ‘SAML’. How do I enable HTTP Basic authentication?

    Thanks in advance

  11. hey guys,
    I have a load balanced storefront pair running 3.6. I’m seeing conflicting reports about disabling the pair on the netscalers as well as removing one server out of the group before upgrading. Did you guys keep the servers in the server group before upgrading? I plan to disable both servers in the netscaler load balancer so no one can connect. Unsure about how to proceed with the server group and which one to upgrade first?

  12. Hi, I have a ‘potentially’ simple question….. 🙂 we have citrix farms in 2 domains (post a company merger) and i am trying to consolidate access on storefront. I have read you posts on ways to get external access via the netscaler to authenticate against both domains and we are testing that now (Thanks! 🙂 )
    So I am now looking internally for users who are accessing storefront directly, not through the netscaler. what I find is that although SSON allows them to automatically log in to the SF 3.8 server web site, it will only show them apps from the Citrix farms in their domain. if we use manual logon we can see apps from both domains.
    I know there were issues with multidomain and SSON in web interface. Is this just a restriction that can’t be fixed? I don’t really want to have to make all users use manual authentication… apologies if this is already covered anywhere, I have trawled the internet as usual and found nothing 🙁

      1. yes, and it fails in both directions, so if a user logs in with SSON in domain 1 they only see domain 1 apps and vice versa. but if users log on explicitly to either domain they see apps from both domains. Also affects Receiver retrieving apps for the start menu, which is a bigger problem for me as we could probably live with an explicit logon to the web site 🙁

          1. I hadn’t seen that one, a very interesting and in-depth article 🙂
            We have separate forests with 2 way trusts. As we have not tried to combine the citrix farms at all there is no adding VDAs from one domain to a farm in the other – which is a relief! 🙂
            I think we have the config correct as far as the trusts etc, because when we use explicit logon everything is correct and we can see and launch apps and vda desktops from both sides – it’s just using SSON that things go wrong 🙁

  13. Hi,
    I have installed version 3.9 in work-group configuration. There are some differences from domain configuration .
    It is installed in a dual hop Netscaler (v11) configuration and is set up to use two factor authentication; first user logs on with rsa token and is directed to the storefront page which then prompts for AD credentials and logs the user on. This works great in a browser using the plugin, but when using Citrix receiver it does not. Reason is that i am able to deselect pass-through from Netscaler Gateway under Manage receiver for web. However that is not possible under the main store.
    Sure, it looks like it is, but after deselecting that option and refreshing the store it disables remote access and shows access to internal networks only.
    Citrix support said it is by design and forwarded me a link to their SDK. To me it looks like a bug.
    Has anyone seen this?
    Is there a workaround?



  14. Hi Carl,

    Could you suggest me on the following approach?

    I have 2 SF servers (v2.6) in a server group, they are running Server 2012 R2 with active user subscriptions. StoreFront is load balanced using NetScaler and most of the users access application through Citrix Receiver client using services site. Store is configured through GPO on the user machines.

    I want to upgrade the StoreFront to v3.9 without any user impact.

    1. Build 2 new SF servers running Windows server 2016 and SF version 2.6. As subscriptions from v2.6 are not compatible with v3.9 and PowerShell cmdlets for subscription export/import are different for these versions
    2. Export subscriptions from existing prod servers and import them to new server group. Verify if everything works
    3. If everything is working, upgrade the SF servers to version 3.9 with subscriptions
    4. Validate and add new servers to LB VIP if everything is working as expected
    5. Flip the load by disabling old servers and enabling new servers in the load balancer

    I will have a clear fallback plan if this doesn’t work. As I am retaining the base URL, store name and LB VIP, this change will be seamless for end users other than look and feel of new StoreFront.

    I don’t see SF configuration export command for v2.6, do we have one so that I can use to export/import configurations while building new SF server group identical to prod servers.


    1. I think config export/import only came with 3.x.

      Also, will 2.6 install on 2016? You might have to upgrade to 3.x on your 2012 servers before you can add 2016 to the server group.

      Or, build a new 2016 server group with 3.9, export/import the subscriptions, then swap out on load balancer.

      Why do you think that subscriptions can’t be moved to a new StoreFront? Did your testing reveal that it doesn’t work?

      1. SF subscriptions export command is different in 2.6 and in newer versions. Export in 2.6 generates a csv file whereas the same in newer version is txt file. So i am not sure whether the csv file contents will be imported in the newer version.

        I am going to try importing subscriptions in 3.9 and update you on how it goes.

        1. I exported subscriptions from SF 2.6 server as txt file and imported them on new SF 3.9 server. Import went fine with few warnings, i also exported subscriptions from SF3.9 server to verify that all the contents are imported. File size from prod and new server are same.

          But I don’t see favorites when I login to new SF Receiver for web site, it just has the mandatory subscriptions.

          I followed your blog for import/export, however i didn’t see the event ID 3 (Task 2901) in the SF event logs.

          We have aggregation configured in Prod SF server, but i didn’t have it configured on the SF3.9 test server. When i read the subscriptions.txt file, all the entries have AggregationGroup before the published icon name. Will this cause an issue with favorites?

          1. The farm names (Manage Delivery Controllers) or Aggregation Groups need to be the same. You can easily edit the .txt file to match your new farm/aggregation names.

          2. I was able to resolve the issue by configuring Aggregation group and changing the default aggregation group name to match my production one. Now I see all the subscribed icons in new SF3.9 server. Thanks.

  15. Carl,
    I have a customer who wants to have different timeouts. A long timeout for internal users and a short (15 Min) timeout if coming across the NetScaler (external).

    I have a SF VIP on the NetScaler. They would like to have the external timeout not only log them out of the website but also close any open applications. Any suggestions on how to accomplish this?

    1. You might need separate Delivery Groups for internal vs external. Otherwise you run into the issue of how to handle reconnecting to an existing session.

      1. I was looking at the “Access Control” based policies, but didn’t consider if a user comes from external to internal they will have a shorter timeout on the reconnect.

        Does the NetScaler session timeout or Service timeout also close the App or is that only the session timer?

  16. Hi Carl,

    You say : The XenApp/XenDesktop 7.13 ISO comes with StoreFront 3.8 but in fact it comes with StoreFront 3.9.

    Keep up the good work !

  17. Hi Carl,

    At times we get the following error when launching our VDI on 7.12 “The connection to “Windows – 7 IMAGE” failed with status (unknown client error 1110)” from IE (or Chrome). This happens to different versions of Receiver, but if I try it from a different browser (Chrome or from Chrome to IE) it connects or if I reboot my laptop or desktop I am able to connect with no issue. I have a ticket open with Citrix, just curious if you are aware of any configuration I should double check on StoreFront or the controller? This is a new setup, so I’m not sure if I missed something during the configuration.

  18. Hi, Another question on SF 3.8 :).. What i have found is that if users manually authenticate to the web site then they are presented the options to change their password – as per my config. however if they use pass through authentication the change password option is not present. Is this a restriction of the system or is there something i am missing in the config?


    1. If doing pass-through auth, shouldn’t password changes be performed on the workstation instead of in StoreFront?

      1. A perfectly valid point 🙂 I am struggling now to remember the use case for this that was put forward! 🙂

    2. Hi Dave, yes this is a safety restriction of the system. If you are using Domain Pass-through authentication to StoreFront then your current password is cached on the end point where you logged into the domain, and if we let you change it via StoreFront you may hit an account lockout because the cached password copies on the end point running Receiver are now stale. (Whether and how quickly you would see account lockout depends on whether NTLM authentication is being attempted from the end point, when and how much, or whether you launch more things from Receiver. But with the defaults most customers use for lockout it is a significant risk.)

      You should change the password by instead typing Ctrl+Alt+Del; this will update the password cached by Receiver as well as that cached by the OS.

    1. You can configure GSLB for StoreFront URL, yes. PNAgent can use that URL. You’ll need persistence on the GSLB vServer. Citrix tells me that Cookie-based GSLB Service persistence (redirect or proxy) should work with regular Receiver, but I’m not sure about PNAgent. Or you can simply enable Source IP persistence on the GSLB vServer.

  19. Upgrading Storefront from 3.6 to 3.8 loses some configuration settings. I revert and try again after exporting and importing the config using the below scripts but same results. Remote access, trusted domains etc.. are gone.

    Export-STFConfiguration -targetFolder “$env:userprofile\desktop\” -zipFileName “backup” -NoEncryption
    Import-STFConfiguration -configurationZip “$env:userprofile\desktop\”

  20. Hi Carl,

    We are upgrading storefront 3.0 to 3.6 in our environment. Both store front servers are load balanced in Netscaler 10.5 safe harbor build 61.11. Please help how to remove store front servers from netscaler one by one to perform the upgrade activity on the store front servers. Any specific settings we need to take back up of in the netscaler as well.

    1. Service Group? If so, right-click the Service Group, and click Manage Members. You can disable individual servers from here.

      Or you can go to Traffic Manage > LB > Servers and disable the server from here.

  21. Hi Carl,
    Thanks for reply me.
    Can you please provide me GSLB documents to implement this.

    Ilyas Ahmed

  22. Hi Carl. thanks for providing the storefront documentation. I have a question about enabling domain pass through for SSO. Our college’s use thin clients to log on to their VDI (Citrix Xendesktop). The thin clients are configured to use Internet Explorer to access our webportal (storefront url). The thin clients are not domain joined. So, users must enter their credentials. I like to keep it that way. My goal is to accomplish the following. I want to publish some Xenapp applications in the users VDI using the same storefront store. Is enabling domain pass through on the store going to conflict with the thin clients (webportal – storefront url)? I do not want to enable SSO on the thin clients.

    1. If the FQDN is not added to IE’s Local Intranet zone on the thin clients, then there will be no attempt to perform SSON.

      Another option is to create another store so you can hide the published desktop icons.

      1. Creating another store and using your tip (other forum) on changing loopback communication to OnUsingHttp in Storefront did the trick. Thanks a lot Carl.

      2. Hi Carl,
        Can we install storefront server, like zone DDC at my remote location, to connect local Citrix users with the same URL which is in my primary zone storefront FQDN name.

        1. Sure. The tricky part is getting the DNS name to resolve to the local StoreFront instead of remote StoreFront. GSLB can help with that.

  23. Be aware that offloading SSL to the NetScaler StoreFront VIP and using HTTP to the StoreFront web servers will work, but Native Receiver on Mac and Windows will fail if coming through Unified Gateway unless end to end SSL is configured.

  24. HI Carl, I am trying to modify the Desktops to include a machine recycle option where a user can self service a new machine creation, have you tried that? or any suggestions?

        1. I’m not sure what you mean. Machine creation = create new machine? Recycle = reboot machine?

          You might be able to do something with the StoreFront SDK.

          1. Yes Machine creation = create new machine. Want users to have ability to spin up and delete a vm.

          2. There’s nothing built into the product. You could write a PowerShell script with a self-service portal. Then maybe integrate that portal to StoreFront using the SDK. Or integrate StoreFront to your portal.

  25. Hello Carl,

    We have a new Citrix Deployment with XenApp 7.11 and Store Front 3.7. We have a requirement to disable TLS v1.0 on all servers. But we have observed that after disabling TLS v1.0 on storefront servers, Citrix Credential wallet service is not running as per the error on store front console. And users cannot login to Citrix. Do you know any fix for this ?


  26. Hi Carl,

    Could you please elaborate further on the beacons section for ipads:

    “If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL”

    I have iPads that connect internal, Storefront is setup as a GSLB URL on Netscaler as we have Storefront servers based in different locations, however the Storefront SSL Cert is a self-signed certificate, so I receive certificate trust issues when connecting Receiver internal on iPads as it is resolving to the internal beacon which is the Storefront LB service URL. Any suggestions?

    External connection is no problem as the AG URL has a trusted public cert.

    1. I typically purchase a public certificate for internal StoreFront so non-domain-joined devices (e.g iPad) will trust the cert.

      You can try an alternative internal beacon and see if it works. But last time I looked at a Receiver for iOS log, it wanted /Citrix/StoreWeb in the Beacon’s URL.

  27. Hi Carl.
    Hope you are doing good. My name is sriram and I am new to Citrix world. I have installed XenDesktop 7.9 which is my DDC and StoreFront Server in server A and my VDA 7.9 and Citrix receiver is installed in another server B. I added Store Front server, created delivery group and associated applications to delivery group. I also created machine catalog and registered my server B which is running VDA on it. Now when I launch Citrix receiver in Server B, it says cannot connect to target DDC. When I try launching the Citrix WebStore url through Chrome browser, I can see Apps I published. But when I access Apps, I get “Can not Start App” error. In the Store Front Server A Event Viewer log, I see “The Citrix servers do not trust the server. This message was reported from the XML Service at address [NFuseProtocol.TRequestAddress]. “.

    I followed this storefront 3.6 configuration again and configured https without ssl certificate to deliver applications. Base URL is https, but I don’t have certificates installed on the StoreFront servers and enabled loopback communication to Onusinghttp. I can see Apps from my VDA machine server B but I cannot launch any apps that I added manually in my storefront server by pointing to their executables from the path. I tried troubleshooting for one week. I cannot get the answer. Am I missing something here? Can you please guide?
    Should i install self-signed certificate in my DDC server A and bind it to default website and copy the same certificate to my VDA or endpoint device as well for both of them to communicate in https to access apps from DDC?

    Please advise.

      1. Hello Carl,
        I removed pass-through authentication and i am just using username and password authentication method using domain users.
        Now when i access the native calculator app published from storefront server, i get the following in EventVwr.log:

        “No available resource found for user fnmp\administrator when accessing desktop group Calculator. This message was reported from the Citrix XML Service at address [NFuseProtocol.TRequestAddress]. ”

        Please guide.


        1. And the warning message I see in the Event Viewer log is:

          “to launch the resource ‘Controller.Camera’ using the Citrix XML Service at address ‘’. The XML service returned error: ‘no-available-workstation’.”

          By the way, I did not touch the beacons and NetScaler Gateway part. Do I have to do anything with them?
          Your help is much appreciated and needed!!!


          1. Yes Carl. Machines are registered. And I used Citrix Health Assistant as well to check the communication between the VDA device and the DDC. It is successful.

          2. Hello Carl,
            I tried resetting Receiver and followed your document’s Receiver settings for Windows, except for SSON since I don’t need that. But my Citrix Receiver still does not show any remote applications or sessions in Connection Center.

            Please advise.

          3. Hello Carl,

            I forgot to mention one thing. My Receiver 4.5 and VDA 7.9 are installed on the same machine. And, in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppLibrary, I see only one key/value pair:
            “ApplicationStartDetails” points to only one app published from App-V, and its file location points to the location where I copied the App-V .appv file.

            Is this the problem? Must this AppLibrary have all the apps listed in Citrix Studio?

            Please help!!

  28. Hi Carl,

    Keywords are not working for the XenApp Services URL; however, they are working for the web URL.

    Is there any specific setting I need to enable?

    My StoreFront is running version 3.5.

    Thank You
    Shekhar Reddy

    1. I don’t think I’ve tried keywords with XenApp Services URL. Why are you doing that instead of Receiver Self-Service?

      1. Hello Carl,

        My requirement is to place published application shortcuts on the user desktop. I found on the internet that Keywords can help in this matter. I am not aware of Receiver Self-Service. Can I manage the same with this feature? If possible, could you please share the link or steps for the same.

        Thank you in advance.

        Shekhar Reddy

          1. With Receiver 4.1 it is not working; however, I am able to achieve it with 4.3 and above.

            Any suggestions?

  29. Do I have to have Netscaler to connect to StoreFront externally? One of my coworkers says that the Netscaler provides encryption but isn’t that what the SSL certificate is for? Whether the certificate is imported to the StoreFront server and/or the Netscaler.

    1. If there is NAT between the users and VDAs, then yes, you need Gateway.

      There are two connections: HTTP and ICA. HTTP is easy. ICA requires Gateway.

  30. Hello Carl, and everyone else.

    We recently installed StoreFront 3.6 next to our StoreFront 2.6.

    One thing we are noticing, is that sometimes users can’t fill in the Username input field.
    Clicking in the Password field, and then pressing shift-tab allows you to type in the Username field.

    At first I thought the input cursor simply wasn’t showing, but you really can’t type in the field.

    Is this a known thing perhaps? Can’t find it myself when searching for it (assuming I’m searching correctly).

  31. Hi Carl

    One update … you need to copy the clients (Receivers) manually from one node to another. Else amazing work!

  32. Hi Carl,
    I have a SF 3.6 front end delivering both xenapp 6.5 and 7.6 apps. My pilot group is on receiver 4.4x and I’m trying to disable session sharing (multiple app sessions from different devices). I have not been able to get this to work in 7.6 with this command > Set-BrokerAppEntitlementPolicyRule Test76 -SessionReconnection SameEndpointOnly.

    Also, how can I do this for 6.5 apps through Storefront?
    Any ideas?

        1. To fix the (disable roaming) issue I ran this via powershell on both of our delivery controllers.

          asnp citrix*
          Set-BrokerAppEntitlementPolicyRule "Delivery Group Name" -SessionReconnection SameEndpointOnly

  33. hi carl,
    I have upgraded my xendesktop from 7.1 to 7.9, and storefront to 3.6,
    since then the storefront session timeout was reset, we get logged off after +- 20 minutes,
    this was previously a setting in the web.config file, this entry is still there after the upgrade and set to 8 hours, now it can also be configured in the gui, there it was set to 4 hours, but we are kicked after <20 minutes, changing it in the gui to 8 hours and replicating config has no effect, session timeout is still <20 minutes, also when changing it to a lower value in the gui, it does not change the setting in the web.config file, so it seems this is stored now somewhere else.
    my storefront still has classic mode enabled, is it possible the gui settings only apply when classic mode is disabled?
    do you have a suggestion where to find the effective value and how to change it?
    thanks ! igor L.

  34. Thanks Carl, worked just fine.
    Is there a way to find out what users connected to a specific storefront Server?
    some sort of usage stats from specific storefront server.

  35. Carl, have you ever run into issues using a Netscaler VIP as a beacon? I have a client for whom I have configured one-URL internal/external access to Storefront. My internal beacon is and is only resolvable internal. It resolves to a VIP I built on Netscaler listening on port 80. The backend servers for that VIP are the storefront servers, using port 81 (since I am also using Netscaler SSL-Offload for Storefront). I am also using a 302 redirect on IIS for Storefront to go to the main store ( I am having issues with receiver saying “could not contact internal”. I am thinking about changing my backend services on the beacon VIP to point to the DDCs running Director (port 80), so the beacon is port 80 all the way through, to see if it solves the issue. Not sure if the issue is with the 302 redirect or the change from http to https.


    1. Are you able to get a Fiddler trace while Receiver is enumerating beacons? Or maybe a network trace on the NetScalers?

      What do you see in the Receiver logs? I use Receiver Troubleshooter to capture a CDF trace. Then I use CDFControl to parse it.

      1. Carl, I actually got my answer here: 57 minutes in to the video there is a glorious explanation of Beacons and how they are used by receiver.

        So in my case: = BAD! (will disrupt internal beaconing) (because I just used my backend SF servers on the beacon for HA).

        If I change the beacon to = GOOD! (will not disrupt internal beaconing).

        The basic idea is that with beaconing, the URI of a website on the beacon CANNOT change, otherwise Receiver thinks you are behind a paywall, and basically receiver breaks w/ no error.

        So simply changing the beacon in SF to the Director VIP should work in storefront. I am going to try that today.

        1. Sorry, some of this didn’t paste right into the comment section. Having a 302 redirect to a different URI on an internal beacon breaks receiver basically.

  36. Hi Carl been reading your SF and Netscaler Gateway configuration documents to build my lab and I’ve been having some issues. I am using XD 7.6 and SF 3.6. I have 2 win10 VMs that are setup for PVS boot. Internally, (on the private network) I can login to my VM01 and get to my SF site and authenticate. I can stream my other VM (VM02) image with no problem.

    My problem is when I come through Netscaler GW. I have a Virtual server set up w/ a public IP and configured it based on your NSG config guide. I hit my SF site from the public internet and authenticate just fine. I see my Windows 10 desktop and click to launch my ICA session. After the window opens that appears to be streaming my desktop I receive an error “The connection to “Windows 10 Users Group” failed with status. (There is no Citrix XenApp server configured on the specified address)”.

    I am not even using XenApp so I am not sure where it’s getting the error from. Any ideas what my problem could be? I’ve looked at my SF configuration, I’ve looked at the Netscaler config but nothing stands out. There are a couple things which are a bit strange like the “session policy web interface address” settings on the Virtual Server throws an HTTP 1.1 43531 error when using an FQDN ( If however, the “session policy web interface address” setting is set to (https://IP address/Citrix/SFWeb) then it displays my resources (desktops/apps etc).

    I’ve run out of ideas so decided to post to see if you had any clues. I saw your post here “” which referenced the same error but was wondering if you could elaborate on the fix you mentioned “If StoreFront, you would need to deploy a NetScaler Gateway appliance to proxy the ICA traffic through one NAT’d IP address.”

    1. Are you trying to run the ICA connection through NetScaler Gateway?

      Is this problem in browser, Receiver, or both?

      Use to save the launch.ica file. Make sure there’s an SSLProxyHost entry. That means it’s using Gateway. If not, then there might be a DNS problem. StoreFront event viewer sometimes indicates if the connection is coming through Gateway or not.

      1. Hi Carl.

        I have the same problem. I access our XenApp 6.5 farm from the internet with the IE browser. The ica file doesn’t contain the SSLProxyHost entry and the address shows a private ip address from the XenApp server. any clue?

        Br. Ivo

          1. To proxy ICA through Gateway, in StoreFront, you need a Gateway set to HDX Routing. This causes StoreFront to replace internal IP with Gateway FQDN.
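The launch.ica check from the replies above (look for an SSLProxyHost entry, and note whether the address is still an internal IP), as an added Python example that is not part of the original comments. The sample ICA text, host names and ticket value are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed launch.ica samples (hypothetical hosts and ticket, not captured data).
DIRECT_ICA = """[ApplicationServers]
Calculator=

[Calculator]
Address=10.1.2.30:1494
"""
GATEWAY_ICA = """[ApplicationServers]
Calculator=

[Calculator]
Address=;40;STA0123456789;EXAMPLETICKET
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

def parse_ica(text):
    """Parse INI-style ICA text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_launch(text):
    """Return one finding per resource listed under [ApplicationServers]."""
    ica = parse_ica(text)
    findings = []
    for app in ica.get("ApplicationServers", {}):
        entry = ica.get(app, {})
        host = entry.get("Address", "").split(":")[0]
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:
            private = False  # ticket or host name, not a literal IP address
        findings.append({"app": app, "via_gateway": "SSLProxyHost" in entry,
                         "ssl_proxy_host": entry.get("SSLProxyHost"),
                         "private_address": private})
    return findings
```

A finding with `via_gateway` false and `private_address` true matches the symptom described in this thread: the launch is not being routed through the Gateway.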

          2. When I set the Netscaler gateway to Authentication and HDX routing on the storefront server, the access field says “Internal network only”. Is this right?
            I have set the Secure Ticket Authority servers to
            Those are the same servers as I have defined in NetScaler Gateway -> Virtual Servers -> name -> published applications

            When I start a published application I get the message: App “Calculator can’t be started”
            On the storefront server i get errors in the event viewer beneath Citrix Delivery Services

            Event 1
            The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address [CtxSTAProtocol.TRequestTicket]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.
            Event 2
            All the configured Secure Ticket Authorities failed to respond to this XML transaction:,
            Event 3
            Failed to launch the resource ‘Controller.Calculator’, unable to obtain a ticket from the configured Secure Ticket Authorities.

            The xml brokers are running on my xenapp controllers on port 8080. I am not able to define any ports when I configure the Secure Ticket Authority server on the storefront server store (netscaler gateway settings).
            Or should this always talk on port 433 https?

            BR. Ivo

  37. Carl,

    The screenshots don’t match the text starting from the section “Delivery Controllers – SSL”
    all the way down to “Receiver for Web Pass-through Authentication”

    Best regards,


  38. Thanks Carl. I am facing an issue with an additional Windows sign-in prompt, even after authenticating to the StoreFront URL, when launching the application. Do you know how to fix this issue? I configured StoreFront and Citrix Studio.

    1. Are you doing Single Sign-on to StoreFront? If so, you also need to configure Single Sign-on in Receiver?

      Or maybe you have RDP Prompt for Password enabled in a GPO somewhere.

      1. Thanks a lot Carl for your quick response. I found the root cause.

        Brief introduction to problem: I configured 2 delivery controllers, 2 StoreFront servers and 1 XenApp 7.7 VDA (session host server (Server 2012 R2)). Created a machine catalog and delivery group, installed applications, and published an application using Citrix Studio. When launching the application, I am getting an additional Windows prompt.

        Solution: On the XenApp 7.7 VDA (session host server). Earlier, I did not configure the role – Remote Desktop Services on that server. Now, I configured Remote Desktop Services Configuration for Server 2012 R2. Click on Remote Desktop Services, clicked on Session collection, and changed the security settings to Security Layer: RDP Security Layer; Encryption Level: Low and unchecked “Allow Connections only from Computers running Remote Desktop with network level authentication”. That solved the problem.

        P.S: Click on the article below to navigate to RDS Basic configuration (Go to iv (a))

  39. Carl, at the configuration stage, you mention the command Set-ExecutionMode RemoteSigned
    This should be Set-ExecutionPolicy RemoteSigned

  40. All, Is there any way that I can hide all “Apps” under Application tab, and only want “Featured App Group” to display.

    Thank you,

    Vinh Le

      1. Thanks Carl, I finally figured out what the issue was. The Web.Config was not replicated so I manually did it.

  41. Please disregard my question about Receiver for Website moving, customization bit me. Wrong Web.config file

  42. Carl I noticed this with 3.5. I create the first store and Receiver for website. I then create the second store and receiver for website. I logoff the server and logon and then the second receiver for website is now located under the first store. Have you seen this?

  43. Just a hint for any that are trying an in place upgrade from 3.x to 3.5 as I have…. Post upgrade I couldn’t launch any apps. couldn’t find any hints on line but digging through the console I found that I had to set up site aggregation, as we have multiple Citrix farms…… this is a new option under the ‘Manage Delivery Controllers’ window.

      1. This is now disabled by default and you have to set them by going into “Manage Receiver for Web Sites” and then under “Workspace Control” there are 2 check boxes for the Reconnect button and Disconnect button. Once on, at the main Storefront window where your username is, the drop down menu will now have the 2 options.

  44. I installed 3.5 also, but found three “bugs”.

    But I miss something on the front page of StoreFront.
    I enabled Workspace Control.
    But on the StoreFront page, when I log on, there’s (as an example) no reconnect button.
    Are you missing that also?

    And I enabled account self-service.
    I have to fill in my domain\username. It’s not ideal for users to have to fill in our domain name.

    And last one.
    I configured StoreFront to communicate with XA65 controllers/XML brokers.
    But I can’t log in. I get a message: Could not load error message when I start a Desktop.
