NetScaler Gateway session profiles and Receiver for Windows RT clients

This one catches me out occasionally, because there’s only about three people in the world who use a Surface tablet and now and again one of those three people is a customer of mine.  Symptoms are an otherwise functioning Citrix XenApp or XenDesktop environment can be accessed (via a NetScaler) by any Receiver client with the exception of the Receiver for Windows RT client.  The usual symptoms are after entering the server URL and authentication credentials, you will get a blank “My Apps” screen and the progress/busy dots (I’m sure there’s an official name for them) just continually zip across the screen, the apps will never actually populate.

Receiver RT Screenshot

The issue lies with the URL in the Session Profile.  Your URL should look like the following screenshot:


Ie, it should read https://storefront.ActiveDirectoryFQDN.internal and there should be no trailing slash.  Bizarrely though, most Receiver clients will tolerate any of the following:

1: https://storefront.ActiveDirectoryFQDN.internal/Citrix/StoreName/
2: https://storefront.ActiveDirectoryFQDN.internal/Citrix/StoreName
3: https://storefront.ActiveDirectoryFQDN.internal/
or the correct
4: https://storefront.ActiveDirectoryFQDN.internal

The exception to this is the Receiver for Windows RT client, it works with the 2nd, 3rd and 4th options but not the first, displaying the behaviour described at the start of this post.  So either remove the trailing slash from your URL, or remove the sub-paths from the URL, and you should be good to go!

2 thoughts on “NetScaler Gateway session profiles and Receiver for Windows RT clients

  1. Ok, I’m going crazy over this issue. I will say that my progress/busy dots stop. I’m able to right click and see a plus sign to add applications. Before seeing your post, I was pointing everything using http. I changed that yesterday to use https and created an internal cert for my storefront. I’ve tried using a session policy calling WindowsRT and then one trying CitrixReceiver. I’ve also tried using clientless on with a clientless policy and a different policy set to allow.

    I’ve called the Citrix Receiver team and they tell me this is the way it’s supposed to look, but I’ve found post like this saying differently.

    Do you know of anything I may be missing? I just hate telling my surface users and windows RT users that you need to right click or hit shift plus F10.

    Thanks for the post on this, it is at least leading me in a new direction.

  2. Brent, do your users have internet access when they are connecting to your StoreFront environment? A couple of other catches are that a) the Surface client must trust the certificate on the StoreFront server, b) in addition it must be able to do a CRL check on that certificate.

    So for your internal cert, do your Surface clients trust this cert, ie is your internal root CA a trusted root cert on the Surface clients? And can they reach the CRL url for your internal CA?

    (See the yellow “Important” break-out box near the bottom of this page here –

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s