StoreFront 1909 through 3.5 – Basic Configuration

Last Modified: Oct 4, 2019 @ 1:56 pm


This article applies to StoreFront versions 1909, 1811, 3.16, 3.12.4000, and all other versions 3.5 and newer.

💡 = Recently Updated

Change Log

StoreFront Versions

The most recent StoreFront Current Release is version 1909. Starting with version 1811, the version numbering changed to a YYMM (year/month) format.

Current Releases are only supported for 6 months from release date and are expected to be upgraded every 3-6 months.

The user interface in StoreFront 1811 and newer is now the “purple” interface, which is different from versions 3.16 and older. Be aware of this change before you upgrade StoreFront. Customizations might not work in the new interface. There doesn’t appear to be any way to revert to the older user interface.

The most recent StoreFront Long Term Service Release (LTSR) is version 3.12.4000. LTSR versions are supported for 5 years from release date. Cumulative Updates are released periodically.

StoreFront Installation / Upgrade

The Citrix Virtual Apps and Desktops Delivery Controller Metainstaller has an option for installing StoreFront on the Delivery Controller machine. Or you can install StoreFront on separate dedicated servers.

  • If StoreFront will pull icons from multiple Citrix Virtual Apps and Desktops sites/farms, then StoreFront should be installed on its own machines.
  • For small environments, it might be OK to install StoreFront on the Delivery Controller machines. But usually they are separate machines.

To automate the installation of StoreFront, see Dennis Span Citrix StoreFront unattended installation with PowerShell.

The user interface in StoreFront 1811 and newer is now the “purple” interface, which is different from versions 3.16 and older. Be aware of this change before you upgrade StoreFront. There doesn’t appear to be any way to revert to the older user interface.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB RAM.

  1. If upgrading, do the following before beginning the upgrade:
    1. Other Users – Use Task Manager > Users tab to logoff any other user currently logged into the machine.
    2. Export the StoreFront configuration so you can restore it if something goes wrong.
    3. Stop the World Wide Web Publishing Service.
    4. Stop all StoreFront services.
    5. Close all PowerShell and StoreFront consoles.
    6. Citrix CTX226419 StoreFront upgrade fails to keep the setting in default ICA file. Take a backup of default.ica and usernamepassword.tfrm from C:\inetpub\wwwroot\Citrix\StoreName\App_Data. After upgrading StoreFront, replace the new default.ica and usernamepassword.tfrm with the old default.ica and usernamepassword.tfrm files to ensure you retain the old settings.
    7. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service. Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack Agent Service is Running.
    8. If SCOM Agent is installed, stop the Microsoft Monitoring Agent service.
    9. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
  2. Operating system support:
    • StoreFront 1909 through 3.13 are not supported on anything older than Windows Server 2012 R2.
    • StoreFront 1811 and newer are supported on Windows Server 2019.
  3. Go to the downloaded Citrix StoreFront, and run CitrixStoreFront-x64.exe.

    1. You can find the standalone StoreFront installer on the Citrix Virtual Apps and Desktops (CVAD) ISO under the \x64\StoreFront folder.
    2. Or you can install StoreFront from the Citrix Virtual Apps and Desktops ISO by running AutoSelect.exe.
    3. It’s on the bottom left of the splash screen.

  4. If installing from the standalone installer, in the License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Review prerequisites page, click Next.
  6. In the Ready to install page, click Install.
  7. In the Successfully installed StoreFront page, click Finish.
  8. If upgraded StoreFront that was connected to Citrix Federated Authentication Services (FAS), then make sure you upgrade Citrix Federated Authentication Services soon or else users won’t be able to launch icons from the upgraded StoreFront.

If this is a new install, skip to the Initial Configuration.

If you upgraded from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

  1. In the StoreFront Console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page select Disable classic experience. Note: this page is no longer available in StoreFront 1903 and newer.
  5. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.

  6. Go to Stores. In the middle, right-click your Store, and click Configure Unified Experience.
  7. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
  8. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading from StoreFront 3.8 or older, then do the following to add SAML Authentication as an option. This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a fresh deployment of 3.9 or newer, then SAML is already added.

  1. Right-click your Store, and click Manage Authentication Methods.
  2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
  3. Check the box next to SAML Authentication, and click OK.
  4. If you don’t want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

  1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
  2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.
  3. In the middle, click Create a new deployment.
  4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you setup SSL and load balancing. Click Next.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. The name entered here is part of the URL path (e.g. /Citrix/CorpStoreWeb)
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the Citrix Virtual Apps and Desktops (CVAD). This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Add the two Delivery Controllers. Change the Transport Type to HTTP. Click OK.
  11. If you have multiple Citrix Virtual Apps and Desktops sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name). Click Next when done.
  12. In the Remote Access page, don’t check the box. Just click Next. You can set this up later.
  13. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
    Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.

  14. In the XenApp Services URL page, click Create.
  15. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

  1. Install StoreFront on the second server.
  2. Create/Import the SSL certificate, and bind it to the Default Web Site.
  3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.
  4. Copy the Authorization code.
    Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.

  5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
  6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
  7. Then click OK.
  8. Go back to the first server. Click OK.
  9. Notice this message. It is good advice.
  10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group, and clicking Propagate Changes.
  11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.

See for additional places where CEIP is enabled.

Citrix Analytics

StoreFront 1906 and newer supports uploading to Citrix Analytics.

The client devices must be running Workspace app 1903 and newer.

See Onboard Virtual Apps and Desktops Sites using StoreFront at Citrix Docs.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occurred while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

  1. In the StoreFront console, on the left, click Stores.
  2. Right-click your store, and click Remove Store.
  3. Click Yes.
  4. On the left, right-click Stores, and click Create Store.
  5. In the Getting Started page, click Next.
  6. In the Store Name page, enter a name for the store. The name entered here is part of the URL path (e.g. /Citrix/CorpStoreWeb).
  7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
  8. In the Delivery Controllers page, click Add.
  9. Enter a descriptive name for the Citrix Virtual Apps and Desktops farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
  10. Change the Type to XenDesktop or Citrix Virtual Apps and Desktops.
  11. Add the two Delivery Controllers.
  12. Change the Transport Type to HTTP. Click OK.
  13. If you have multiple Citrix Virtual Apps and Desktops farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
  14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
  15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from Citrix Gateway. Click Next.
  16. In the XenApp Services URL page, click Create.
  17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront SSL.

  • SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
  • SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

If the certificate does not match, then users will see this message when attempting to use email discovery in Citrix Receiver.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be for every email domain.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

  • If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront.
    • Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
  • If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

  • If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.

Once the certificate is created or imported, you need to bind it to IIS:

  1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
  2. Click Add.
  3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

  1. In the StoreFront Console, on the left click Stores.
  2. In the middle, right-click your store, and click Manage Delivery Controllers.
  3. Highlight the deployment and click Edit.
  4. The Servers list must contain FQDNs that match the certificates installed on those servers.
  5. Change the Transport type to HTTPS.
  6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections.

Only enable Socket Pooling in StoreFront 3.15+, StoreFront 3.12.2000+, and StoreFront 3.0.6000+. (source = CTX227903 TCP Ports get exhausted on the StoreFront server)

To enable socket pooling:

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Configure Store Settings.
  3. On the Advanced Settings page, check the box for Enable socket pooling.


Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries:

  • StoreFront Load Balancing FQDN (e.g. = Load Balancing VIP in the local datacenter.
  • NetScaler Gateway Callback FQDN (e.g. = NetScaler Gateway VIP in the local datacenter.

Base URL – Change

  1. Configure load balancing of the StoreFront servers, including SSL certificate.
  2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  3. Enter the StoreFront Load Balancing FQDN as the new Base URL in format.
    1. Receiver requires that the Base URL is https. It won’t accept http.
    2. If you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.
  4. Click OK.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

  1. On the left, right-click Stores, and click Set Default Website.
  2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
  3. Click Yes to overwrite.
  4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

  1. In the Citrix StoreFront console, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Authentication Methods.
  3. Check the boxes next to Domain pass-through and Pass-through from Citrix Gateway.
  4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a Delivery Controller and run the command
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
  5. Click the top gear icon, and then click Configure Trusted Domains.
  6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
  7. Select one of the domains as the default.
  8. If desired, check the box next to Show domains list in logon page. Click OK.
  9. Click the top gear icon, and then click Manage Password Options.
  10. Make your selection, and click OK.
  11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.
  12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
  13. If you have Citrix Virtual Apps and Desktops Platinum Edition or Premium Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See the following for detailed implementation guides.
  14. Change the selection to Citrix SSPR, and click Configure.
  15. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end). Click OK three times.
  16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
  17. The logon page also has an Account Self-Service link.

  18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs.
    • StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online (3.11 and older)

This is only configurable in StoreFront 3.5 through 3.11. This feature was removed from StoreFront 3.12.

  1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left, click the Stores node.
  2. In the middle, right-click your store, and click Configure Store Settings.
  3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.
    Note: This page is not available in StoreFront 3.12 and later.

Unified Receiver Experience (StoreFront 1811 and older)

If you did a clean install of StoreFront 3.5 through StoreFront 1811, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI.

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Receiver Experience page (only visible in StoreFront 1811 and older), select Disable classic experience. Click OK, and click Close.
  5. On the left, click Stores. In the middle, right-click your store, and click Configure Unified Experience.
  6. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups.

In StoreFront 1811 and newer, Featured App Groups are shown in the user interface as Collections.

  • The HOME page shows the Feature App Groups in a ribbon with arrows to let the user see more Featured App Groups. The ribbon view is limited to three icons per Featured App Group. When the user clicks a Featured App Group, every icon in the Featured App Groups is shown.
  • The APPS page has a Collections tab showing all collections and the number of icons in each Collection.
  • When the user clicks a collection, all icons in the collection are shown. The user can click Add All on the top right to mark all of the icons as Favorites.

To create Featured App Groups:

  1. Go to Stores > myStore > Manage Receiver for Web Sites > Configure.
  2. In the Edit Receiver for Web site window, on the Featured App Groups page, click Create.
  3. Give the Collection a name and a description.
  4. At the bottom, there are three methods of adding icons to the Feature App Group.
  5. If you select the Keyword option, then enter a keyword that will be added to the published apps that are in this collection.
  6. In Citrix Studio, go to the Properties of a published application. In the Description field, at the end, enter KEYWORDS:myCollectionKeyword.

In StoreFront older than version 1811:

  • Featured App Groups are displayed at the top of the Apps > All page.
  • By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group.
  • Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.
  • If you want to display more than 3 apps per group, see Michael Bednarek at Modify Receiver for Web site at Citrix Discussions.

Receiver for Web Pass-through Authentication

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
  5. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.
  6. If you want to default to Pass-through without any user prompt, then see Citrix Blog Post Configuring domain pass-through as your default authentication method. 💡

Workspace app for HTML5 1910

Workspace app for HTML5 is the new name for Receiver for HTML5.

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
  5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at Citrix Docs for more information.
  6. Click OK, and then click Close.
  7. Download the Workspace app 1910 for HTML5 (version
    Note: new versions of Workspace app for HTML5 are released every two weeks.

  8. Install the HTML5 Workspace app (CitrixHTML5Client-x64.exe) on one of the StoreFront servers. It installs silently. When you Propagate Changes in StoreFront console, the Workspace app for HTML5 will be copied to the other StoreFront servers.

  9. To see the installed version of HTML5 Workspace app, in StoreFront console, click the Stores node on the left.
  10. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab. You might have to click Refresh to see the new version.

HTML5 Workspace app configuration

  1. Copy/paste of text using Ctrl+C and Ctrl+V – HTML5 Workspace app version 1907 app adds support for copy/paste of text using Ctrl+C and Ctrl+V and the feature is enabled by default. More info at Enhanced clipboard experience at Citrix Docs.
  2. Multi-monitor – HTML5 Receiver 2.6.5 adds a multi-monitor feature, which is enabled by default.
  3. To configure HTML5 Receiver, edit the file “C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js”.

    1. Customer Experience Improvement Program (CEIP) is enabled by default. To disable CEIP in HTML5 Workspace App 1906 and newer, find the first analytics section and change enabled to false. 💡
    2. To disable CEIP in HTML5 Workspace App 1905 and older, search for the ceip section, and change it to false.
  4. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  5. For VDA 7.15 and older, optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver.
    Note: in VDA 7.16 and newer, the PDF Printer is included with the VDA installation and no longer needs to be installed separately.

  6. Note: as of Receiver for HTML 2.0, it’s no longer necessary to install App Switcher on the VDAs.

Other HTML5 Receiver configurations you can change by either editing C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js, or use the Citrix Workspace app (earlier known as Citrix Receiver) for Chrome and HTML5 – Configuration Utility downloadable from CTX229141.

  • HTML5 Receiver 2.6.4 improves PDF printing in Chrome and Firefox. Enable it by setting supportedBrowsers to true.
  • When printing from HTML5 Receiver to the Citrix PDF Printer, the user must click Continue to show the PDF. You can get rid of this prompt in 2.5.1 and newer. In the configuration.js file, scroll down to the line containing printDialog and set it to true.

  • From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.


From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can’t do anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing “Change Receiver”. This will give you the chance to choose the HTML5 Receiver (“Use light version”) and your choice will be remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5.  See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the Javascript code.


If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking “Change Citrix Receiver“. To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.


From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name=”HTML Format”. Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.


Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • How to view HTML5Client log file

Deploy Citrix Workspace app / Receivers

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).
  5. Change both source drop-downs to Local files on the StoreFront server.

    1. For Windows, download one of the following:
      • Workspace app for Windows version 1909Workspace app is the new name for Receiver.
      • Receiver for Windows version 4.9.8000 (LTSR)
    2. For Mac, download Workspace app for Mac 1906Workspace app is the new name for Receiver.
    3. Click each of the Browse buttons and browse to the downloaded Workspace app and/or Receiver.
    4. You can optionally enable Upgrade plug-in at logon.
    5. Click OK when done, and Close when done.
  6. If you prefer for users to download Workspace app from the Citrix website, then note that StoreFront defaults to downloading Receiver instead of Workspace app. To change it to Workspace app, do the following:
    1. In StoreFront Console, in the Deploy Citrix Receiver page, change Windows source and Mac source to Files on remote server (through URL).
    2. Enter the following paths:
      Windows Receiver =
      Mac Receiver =
  7. When users connect to Receiver for Web, they will be prompted to install or upgrade.

Safari 12 and Newer

Safari 12 and newer disable NPAPI, so StoreFront 3.15 and older must be configured to use Receiver Launcher instead of NPAPI. StoreFront 3.16 and newer versions of StoreFront will already have this modification.

  1. Go to C:\inetpub\wwwroot\Citrix\StoreWeb and edit web.config using an elevated text editor.
  2. Near line 56, which starts with <protocolHandler, change the platforms attribute to the following. Essentially, you’re adding Safari 12 on Macintosh to the end of the regex. (source = Citrix Blog Post NPAPI support is being removed from Safari 12)
    "(Macintosh|Windows NT).*((Firefox/((5[2-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))|Macintosh.*Version/(1[2-9]|[2-9][0-9]).*Safari/"

  3. Save the file. Later, you will need to Propagate Changes.

Receiver for Edge

The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user has the click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like this: <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)". Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge.

To stop the switch apps pop-up, on the client side, edit the registry, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys), create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Web Timeout

  1. On the left, click the Stores node.
  2. In the middle, right-click your store, and click Manage Receiver for Web Sites.
  3. Click Configure.
  4. On the Session Settings page, set the Session timeout as desired, and click OK.
  5. If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings (right pane) => Client Experience (tab) => Session Time-out (mins).

  6. From CTX215701 How to Configure Session Timeout on StoreFront: If you increase the session timeout for RfWeb to be more than 1 hour, you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
  7. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.

Favorites, Categories, and Default Tab

By default, when a user logs into StoreFront, the HOME tab or Favorites tab is selected. Users can go to other tabs to add icons to the list of Favorites.

In StoreFront 1811 and newer:

  • Favorites are shown on the HOME tab.
  • Favorites are also shown on the APPS view on the Favorites tab.
  • The user can click the star icon next to a published icon to mark that published icon as a Favorite and add it to the HOME view and Favorites tab.
  • On the APPS view, the user can expand the Categories drop-down and select a Category to view all icons in that Category.
  • Categories are configured in the Properties of the published application on the Delivery page.
  • Collections are configured as Featured App Groups.

In StoreFront older than 1811:

  • There’s a FAVORITES view.
  • On the APPS or DESKTOPS views, the user can click the Details link next to a published icon.
  • Then the user can click Add to Favorites to add the icon to the FAVORITES view.

Favorites can be controlled by the administrator:

  • You can completely remove the FAVORITES or HOME views by going to Stores > myStore > Configure Store Settings > User Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

  • To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:
    • KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
    • KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.
    • With Mandatory applications there is no option to remove the application from Favorites.
  • Citrix Blog Post How to implement dynamic landing pages in StoreFront has code for the following: If favorites exist, go to favorites tab. If favorites do not exist, go to the store tab. 💡
    //If favorites exist, go to favorites tab. If favorites do not exist, go to the store tab.
    var favoritesExist = false;
    CTXS.Extensions.sortMyAppList = function (app_array,defaultSortFn) {
    //This version checks if the amount of user favorites are greater than or equal
    //to "favoriteThreshold".
      var favoriteThreshold = 1;
      var favoriteCount = 0;
      for (var i = 0; i < app_array.length; i++){ if (app_array[i].canBeRemoved()){ favoriteCount++; } } if (favoriteCount >= favoriteThreshold){
        favoritesExist = true;
      //This should always be called at the end
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
      if (favoritesExist == false){
  • Trentent Tye has a simple customization for C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js to default to the APPS view if the user doesn’t have any favorites. See Citrix Storefront – Adventures in customization – Default to “Store” view if you have no favourited app’s.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
     /* If the user has no favorited apps, set the view to the apps view */
     if (CTXS.Store.getMyApps().length == 0) {
  • You can change the default view and view visibility by going to the Stores > myStore > Manage Receiver for Web Sites > Configure > Client Interface Settings page.
  • In StoreFront 1811 and newer, if you want to default to the APPS tab with Categories view expanded, then see CTP Sam Jacobs at Storefront 1811 – Default to Categories view at Citrix Discussions. Or see Citrix Blog Post How to land on the categories view in StoreFront 1811+.

    • Add the following to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js.
      Note: if you already have afterDisplayHomeScreen in your script.js file, then you’ll need to merge them.
      function categoriesDelay() {
      CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
  • In StoreFront older than version 1811, if you change the default view to APPS, then you might also want to default to the Categories view instead of the All view.

    • When publishing applications in Citrix Studio, on the Delivery page, specify an Application category so the applications are organized into folders.
    • To default the Apps view to the Categories view instead of the All view, add the following code to the end of the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions.
      CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
      CTXS.Extensions.onViewChange = function (viewName) {
        if (viewName == 'store') {
          window.setTimeout(function () {
          }, 0);

    • Then when you login to StoreFront you’ll see Apps > Categories as the default view. This works in Receiver too.


  1. On the left, right-click Stores, and click Manage Beacons.
  2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.
    If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.
    If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.
    If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.
  3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

  1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
  2. You might see a message saying that you made changes on the wrong server.
  3. Click Yes when asked to propagate changes.
  4. Click OK when done.
  5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

  • Export-STFConfiguration
  • Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Logon Simulator

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront.

The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.

Related Pages

215 thoughts on “StoreFront 1909 through 3.5 – Basic Configuration”

  1. 7.1906 I noticed that after upgrading the ReceiverHTML5 client on my primary SF server and propagating the changes, that that it didn’t copy across (for eg. the configuration.js was pre-1906). Only noticed it as I was manually disabling CEIP (now called “Analytics”)

  2. Thanks Carl for this blog

    Instead of setting the Receiver for Web timeout value as a Global value on the Netscaler:

    “If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings (right pane) => Client Experience (tab) => Session Time-out (mins).”

    could we not change the session profile bound to the NSGW VIP instead (override global) ? We use our Netscaler for more than just Storefront so not sure of the other impacts of setting a global value.

  3. Afternoon Carl,

    Just a quick question as im strugglign to find a valid answer anywhere else,
    Is the export/import process supported from 3.13 to 1906?

    as when I try to import the config from our existing 3.13 environment onto a blank 1906 install its failing with ‘the version of the chosen storefront configuration – – does not match the installed version’

    this leads me to believe its unsupported? which would be a shame

  4. Version 1811 across the board. I modified the html5 configuration.js to enable/disable various settings. All seem to work as intended except for “urlredirection” : true,
    If I leave it as false, then click on a published url, it pops up an option to open on my client or server. both work fine. however i dont want them to have the option to open on the server.
    If i set “urlredirection” : true, in the configuration.js, when I try it it opens in the tab to load but I do not get a prompt or error and it eventually closes the tab with nothing happening.
    Any suggestions to try/check?

  5. Hi Carl, got an odd question that i hope you might be able to help on 🙂 Currently running SF 3.13 and have seen a difference in behavior between viewing icons via Receiver and via the URL in IE11.
    We have delivery groups for the desktops set up in XD 7.15 LTSR and the Win10 machines are static assigned via a delivery group. within Receiver, if a user does not have a static assigned desktop, they do not see the icon, but from the web page in IE11 they do see the icon? this leads to confusion as users assume they have an assigned desktop and try clicking it – to which they just get the helpful message “failed to launch desktop” 🙁

    do you know of a way to prevent the icon showing via the web page? short of locking down the delivery group and having to manage the access all the time to only allow access to the DG if the user has an assigned machine?

        1. I’ve seen pass-through authentication cause different accounts to be logged in both methods.

          You have a Delivery Group with static machines? Does that Delivery Group have a Desktop Assignment Rule? Who is assigned to the rule? You could always remove the rule.

          1. you got it 🙂 yes an assignment rule had been created accidentally despite being static assigned only. disabled the rule and the issue has gone away 🙂 Weird that we got the different experience in the 2 access methods but at least we are sorted now 🙂 Thanks again!

  6. Looking for advice.

    I have two StoreFront servers running 3.12.1000 (LTSR 7.15 CU1) load balanced behind a NetScaler. These are on Server 2012 R2. I’m planning to migrate to Server 2016 this year and replace the existing systems.

    I plan to keep my existing configurations, all of which I have documented. I do plan to look into the export/import options as well.

    I’m thinking I have a couple options, but not sure which is best.

    1. Add new servers to existing Server Group, add to the LB after some testing and eventually change over. Then remove and decommission other servers. My concerns here are adding to the Server Group and if that will have any impact on production.

    2. Create a completely new store and configure exactly as existing.

    3. Create new store by exporting/importing the configurations and web files.

    I like option 1 but am wary about how that will work out. Any input is appreciate.

  7. Did you ever solve this issue? i have the same issue today, missing alot of serviecs on storefront nr2 and not able to join the server group.

  8. We have a Citrix Gateway, that routes to a particular storefront pair with autodiscover. For some reason our external receiver clients never timeout. By timeout I mean I never have to re-auth to them. The ICA sessions seem to timeout fine, its the actual auth into receiver that doesn’t expire. Thoughts?

  9. Anyone have any issues with the Storefront servers not showing up in the Citrix Library in SCOM after upgrading to 1811. I am not able to install the Storefront SCOM agent after the upgrade.

  10. hi carl,
    Current setup that we have is in cloud citrix. But thin client is not compatible with it so we are going to use a thin client web browser and a dedicated storefront. but when we are using http application is published but if https it is not working but we have provided certificates is there any ports that we need to add? 80 and 443 are already open

    1. 443 is all you need. Can other devices connect to the website on https? Maybe your thin client is missing ciphers. A network trace can show you the SSL handshake.

  11. HI Carl

    We are in the process of building Citrix 7.15 LTSR and I have build one ddc, one storefront for this initial setup. and it is working fine and can successfully launch the store URL. However, I am struggling to add the new storefront 3.12 server to the existing server group as it is throwing Event ID 2 with following message. (Event From the primary storefront server)

    Join failed. Exception attempting to obtain Server Group details from the Authorizer.
    System.Security.Cryptography.CryptographicException, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Keyset does not exist

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
    at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
    at Citrix.DeliveryServices.Admin.Utils.Certificates.Certificate.get_RawData()
    at Citrix.DeliveryServices.ClusterService.Service.ServiceController.GetClusterDetails(ClusterDetailsRequest clusterRequest)

    When I looked into the secondary storefront server, Citrix configuration replication service doesn’t exist and NT service/Citrix configuration replication service not available in the administrators group. Our environment is with server 2016 vanilla build with no hardened/lockdown policies. Any suggestions on this would be highly appreciated.

      1. Yes. I have tried all these options, however as mentioned in my original comments, I can’t see the NT Service\citrixconfiguration replication service in secondary server.. I tried to install and configure a new store with new set of 2016 servers , but getting the same error.

  12. Did modifying that regular expression on the StoreFront web.config file seem to break the Receiver detection for anyone else? After changing that expression if I uninstall my Mac Receiver and try to log back into StoreFront it enumerates and skips the detection and prompt to install the 12.8.1 Receiver we are pushing out.

  13. I am trying to create a duplicate published and only have it viable in the zone the machine opening receiver is located in so as to have the application run from a local host in the zone the receiver is located. Could you point me to the documents defining this sort of configuration?

    1. I think you need to configure your load balancer to add the header X-Citrix-ZonePreference with zone name to your StoreFront HTTP traffic from these clients. Or, if the users are always in the same location, then you can configure zone preference based on user group.

  14. Hi Carl,

    i have a strange issue

    when internal users (my domain users) trying to access my XenApp farm through Citrix receiver either on Netscaler either Storefront directly, receives Socket error 10038 unable to contact server, in the same time external access through Netscaler works fine.

    Have you something in mind?

    Thanks in advance

    1. Are you saying that it works through a browser but not through Receiver?

      When going internal direct, I think Citrix defaults to returning the FQDN of the VDA instead of the VDA’s IP address, which means the client machine must be able to DNS resolve the VDA’s FQDN. When going through Gateway, Receiver only connects to Gateway, and doesn’t need to connect directly to VDAs.

      1. Not working either through browser nor through Receiver and the DNS is able to resolve successfully VDA’s FQDN.

        Citrix farm is deployed on Azure

        when i try through Azure VM with receiver internally the connection worked without socket error

        but my local users establish connection through VPN tunnel with Azure VDA ‘s

        Regarding above information , can you think something else? maybe beacons?

        Thanks in advance

  15. Hello Carl,

    Thanks for all that information! I have a doubt about which kind of receiver I’ll use in my Xenapp 7.x enviroment, I have the lastest version of SF but I cannot find any discuss about HTML5 vs Windows Receiver, Pros vs Cons, something like that, did you wrote some article about that or do you know any one?

    Thanks !

    1. Windows Receiver is fully functional. HTML5 Receiver has fewer features, but does not need to be installed. HTML5 Receiver also has a requirement for SSL WebSockets, or internal NetScaler Gateway, whereas Windows Receiver works fine without ICA certificates.

  16. Hello, looking for some info on whether there is a limit on how many sites/farms can be managed through a single store in Storefront 3.0.1? Any help is appreciated

  17. Hi Carl. I just recently did an in-place upgrade from Storefront 3.7/Director 7.11 to 7.15LTSR CU (SF 3.12.2000.8)
    When I completed the upgrade and rebooted my Storefront server, it lists 7.15LTSRCU for Director and Storefront in the Programs and Features, but still has Citrix XenDesktop 7.11. There are still folders for XenDesktop, but when I launch Storefront it opens the new version. I’m afraid if I uninstall it, it might remove files from the upgrade. Any ideas?

  18. Just a question on Storefront Upgrade. I am upgrading to 3.12 and you mentioned that we need to export configuration. In a normal upgrade, does it actually wipe the configuration or you export just because of a “just in case” situation – to be on the safe side..

  19. Hi Carls,
    I have two storefront servers having version 3.6 running on WS 2008 R2. I want to add two new storefront servers having version 3.12 and want to propagate the changes from existing servers to New servers. Just want to confirm if propagation possible with different Storefronts versions servers running on different windows servers.

    1. Not supported. You’ll need to upgrade the existing ones first. Or export the config from old and import to new.

  20. Hello Carl,
    How can I set up two stores one expecting http and the other expecting https on the same server.

    Essentially I currently have users using the http site, but I am deploying new machines with the receiver on them. I want to deploy a SSL store since I am pushing out receiver withouth affecting my existing users’s experience. As such I need a store with an https base URL ( I think) can I host multiple BaseURLs on the same SF server to accomodate the secure and insecure stores?

    Thanks for the wealth of information you provide.

    1. I don’t think browsers care how you connect. Receivers insist on https.

      In the RfWeb > Configure > Advanced Settings, make sure Loopback Processing (the third line) is set to OnUsingHttp.

      http vs https is an IIS and Base URL setting. It has nothing to do with the store.

  21. Hosts file:

    If the Load Balancing FQDN (e.g. and NetScaler Gateway Callback FQDN (e.g. are listed in DNS why would we need the Hosts File edited?

    We have 2 x HA pair of NetScalers, DMZ Pair are the NetScaler GW and Internal HA Pair are the NLB pointing at our 2 x StoreFront Servers. Everything is 7.15 are NetScaler 12

    We use a signal FDQN for access both internally and externally.

    1. It used to be more important when StoreFront did not support loopback and you had to add the Base URL FQDN with address.

      Different environments resolve DNS names in different ways. I usually ping the name to make sure it resolves to the Gateway that I need it to go to. If not, then I modify the hosts file.

  22. Hi, I am having problems to open apps from remote access, I have the Storefront natted and this was access by the client, however after login-in in the web interface, and clicking the application users receive this error “unable to launch you application, ……. cannot connect to the citrix xen app server. there is no citrix xenapp server configured on the specified address.”

  23. Hi Charl, I was wondering if you know of a way to suppress the ‘Open Link’ window that popups when passing a file to the local browser. The popup window only remembers the ‘Yes, Open in device’ for the current session, next time round it shows it again. Our users don’t like it popping up all the time

  24. Hi Carl,

    I have an issue regarding to SSL certificate.

    We use XenApp&XenDesktop 7.15.1000. StoreFront server is XDSF01(primary) and XDSF02. Base Url: https://citrix.companyname.corp/. We use InfoBlox as DNS solution. I add “citrix” as alias to XDSF01 and XDSF02 servers.

    The issue is when connecting to https://citrix.companyname.corp/, users will see a certificate error webpage. “There is a problem with this website’s security certificate.” Users have to click continue to get to the StoreFront website. However, if connecting to https://xdsf01.companyname.corp/, then there is no error. Users can get to the StoreFront website directly.

    I use this way to create certificate: MMC – Certificate(Local Computer) – Request New Certificate – Properties – Add Common name “CN=citrix.companyname.corp” and Add DNS “citrix.companyname.corp”.

    However, after certificate created, in Certificate Details tab, I see the value of Subject Alternative Name is automatically changed to “DNS Name=XDSF01.companyname.corp”. I tried several times but still the same.

    Do you think it is the cause of my issue? If so, can you please kindly advise how to fix it? Thanks a lot.

      1. Yes, we are using Microsoft CA. Can you please advise me where I can check the setting for “accept SAN”? Thanks.

          1. Hi Carl,

            I ran the command on our CA server (Win2008r2 OS) and restarted the certificate service, but I still cannot add SAN in the certificate.

            The certificate template I am using is Computer. Here is how I requested a certificate. On one of StoreFront server, MMC -> Certificate(Local Computer) -> Request New Certificate -> Configured by your administrator -> Under “Active Directory Enrollment Policy”, check “Computer” template -> click Properties to add Common name “CN=citrix.companyname.corp” and add DNS “citrix.companyname.corp”. -> Enroll.

            Btw, we use F5 to load balance two StoreFront servers. It works well. We don’t have NetScaler. The only issue for us is this certificate error when accessing storefront through https.

          2. I wonder if the Computer certificate template won’t accept subject names in the request. Can you try the Web Server certificate template?

  25. Carl,
    I am having a issue with the timeout for storefront. If I set my session time out to 15minutes and I have an app that I am actively working in it still time out so if I need to login to another app I am prompted to login again. Is there a workaround to this?

    1. StoreFront and sessions are separate timeouts. There’s no link between them. There’s no way for StoreFront to know that you are actively working in a published app.

      1. ok, how about the gateway. I am using netscaler, can I have the gateway time out instead or will it not know that I have an active app running?

        1. Gateway has a timeout for StoreFront (AAA) but I don’t think it applies to sessions (ICA). Otherwise, same story – AAA / StoreFront doesn’t know what you’re doing in ICA.

          1. ok. here is what I am trying to accomplish, maybe you can let me know if it is possible and how to go about getting it done.
            user connects to NS GW after they authenticate it passes them to SF. They open a published app and they are working, I want to be sure that if they walk away and the session is inactive for let’s say 15 minutes that the app closes and the session terminates so they are forced to login again. (the app close part I am using GP for remote desktop which works). The other part is that I need that session to close so they are forced to login and if they are still active in a specific app for more than 15 minutes and they then decide to open another app it should open without prompting to login.
            Please let me know how to go about getting this done.

          2. RDS Timeouts (GPO) control session idle timeouts.

            Receiver for Web timeout is usually much lower (e.g. 15 minutes) and usually times out much quicker than the session. It’s the Receiver for Web timeout that dictates if a login is needed again.

            If users launch multiple apps, it might be easier for the user if you publish a desktop. Once on the desktop, the user can launch anything. And only the session (RDS) timeout applies.

  26. Hello Carl,

    I’ve tested to create a new account without password, but when I logon to SF without inputing the password, it prevents me from logon and message shows “Please input your password”.
    Is this by design? Or any configurations we can change to logon without password.

    1. Are you trying to do Anonymous apps? If so, you can create a Store that’s specifically for Anonymous.

      Or are you trying to do Citrix FAS?

Leave a Reply