StoreFront 2.5 Gotcha

While the main new features of StoreFront 2.5 have been extensively covered (Citrix blog post here), I found a new addition has been quietly slipped in and because at the time of writing the Citrix eDocs site has not been updated for StoreFront 2.5, it caught me out.

If you have setup StoreFront and NetScaler Gateway before you will be familiar with the process of adding the NetScaler Gateway settings, which also adds the corresponding Authentication Method “Pass-though from NetScaler Gateway” under the Authentication pane.  Here’s the new bit though – in the Receiver for Web pane, there is now a separate Authentication Methods option just for Receiver for Web.  And when you add a NetScaler Gateway to your deployment and check the “Pass-though from NetScaler Gateway” authentication option under the Authentication pane, it doesn’t automatically enable the same option in the Receiver for Web pane.


For reference, the symptoms of not having this configured correctly are logging on to the NetScaler, then being prompted again for credentials by StoreFront.  However StoreFront still will not log you in, and you get a message in the event log of your StoreFront server similar to:

"Gateway data from the request and the authentication token are not matching. Request was made to store XYZ Apps."

So there you have it – make sure you check this option under both the Authentication and Receiver for Web panes, I hope the time I burned figuring this out will save someone else wasting their time!

NetScaler Gateway session profiles and Receiver for Windows RT clients

This one catches me out occasionally, because there’s only about three people in the world who use a Surface tablet and now and again one of those three people is a customer of mine.  Symptoms are an otherwise functioning Citrix XenApp or XenDesktop environment can be accessed (via a NetScaler) by any Receiver client with the exception of the Receiver for Windows RT client.  The usual symptoms are after entering the server URL and authentication credentials, you will get a blank “My Apps” screen and the progress/busy dots (I’m sure there’s an official name for them) just continually zip across the screen, the apps will never actually populate.

Receiver RT Screenshot

The issue lies with the URL in the Session Profile.  Your URL should look like the following screenshot:


Ie, it should read https://storefront.ActiveDirectoryFQDN.internal and there should be no trailing slash.  Bizarrely though, most Receiver clients will tolerate any of the following:

1: https://storefront.ActiveDirectoryFQDN.internal/Citrix/StoreName/
2: https://storefront.ActiveDirectoryFQDN.internal/Citrix/StoreName
3: https://storefront.ActiveDirectoryFQDN.internal/
or the correct
4: https://storefront.ActiveDirectoryFQDN.internal

The exception to this is the Receiver for Windows RT client, it works with the 2nd, 3rd and 4th options but not the first, displaying the behaviour described at the start of this post.  So either remove the trailing slash from your URL, or remove the sub-paths from the URL, and you should be good to go!

Winning with StoreFront!

OK, so winning might be stretching it a little bit, but I’ve been spending a lot of time on StoreFront lately and I’ve gathered a few tips and figured out a few things to help your StoreFront deployment go a little smoother.  On top of this these tips will (hopefully) make your StoreFront deployment work a little faster, but I still can’t get it to operate as quick as Web Interface.

What I won’t cover is how to set it up, load balance it, or front it with Access Gateway/NetScaler as there are plenty of guides already out there for that.  Some examples are here, here, here, and more – just google it.

Access Gateway builds

You need to use a .e, or “Enhancement” build to work properly with StoreFront.  As at time of writing, the recommended version is which you can download from Citrix here (login required).  In the future you will be able to use mainstream builds, however even with the initial 10.1 release of NetScaler this is not yet the case (AGEE feature is still in tech preview mode).


Ensure you have the right certificate on your StoreFront server(s) before you start installing as StoreFront will hard code it’s URL based on the certificate installed and bound to IIS.  Note that even if you have an Access Gateway with a “real” trusted certificate your devices will still need to trust the internal certificate on the StoreFront servers when they are inside your network.  iPads have an option to ignore trust issues with the certificate, but Android and Windows devices do not.

.Net Config Files

Get familiar with the Microsoft .Net config file structure as you will end up editing many of them.  A lot of options, even some that were previously in the GUI with Web Interface, are now controlled by options in the .config files and must be edited by hand which unfortunately makes them more prone to human error.

Aside from configuration options though, an important setting particularly if your StoreFront servers do not have direct internet access is the the following line:

<generatePublisherEvidence enabled="false"/>

As per CTX117273 make the change to the .Net config files in both C:\Windows\Microsoft.NET\Framework and C:\Windows\Microsoft.NET\Framework64.  Then search for every .config file under C:\Program Files\Citrix\Receiver StoreFront and C:\inetpub\wwwroot and check each one.  If it has the following lines

 <!-- Set enabled=false, if this machine does not have external access to the internet -->
 <generatePublisherEvidence enabled="true" />

then go ahead and change the “true” to “false”. This will disable the checking of the certificate used to sign the code, and part of this process does CRL lookups on the fly. If you server does not have internet access the whole process slows down waiting for the lookups to time out. Even if the server does have direct internet access, disabling all these checks seems to have a measurable improvement in the responsiveness of your StoreFront site.

Note that after you enable certain features, eg you enable the pass-through authentication method, a new folder will be created under StoreFront program files folder with an additional .config file so best to check for these regularly during the setup process and a final check when you are done configuring and installing all features.
In addition to these, you can disable the CRL check in the Internet control panel as per below.CRL Check

Miscellaneous settings

In the WINS tab under Advanced Settings on your network adapter, choose the “Disable NetBIOS over TCP/IP” option.

Change the Startup mode of the “Citrix Credential Wallet” service to “Automatic (Delayed Start)”.

Change PowerShell execution policy to “bypass” using the below command.  Similar to the CRL check, it disables checking for digitally signed scripts and associated CRL lookups.

Set-ExecutionPolicy -scope LocalMachine bypass


Use DebugView.  It’s a handy tool that will tell you why something is failing when you get no feedback from the console or event viewer.  The logfiles it generates can be pretty large, but it’s worth combing through to see what’s going on.  You can download it from the Microsoft SysInternals page here.


I think that’s about it!  Not all these tips will have an effect in every environment, and please understand there is a security risk that comes with disabling CRL checks.  However I’ve had much greater success with StoreFront with making all the changes here so now they are part of my standard build procedure for new installs.

If you’ve found something that works for you and I haven’t mentioned it here, please leave a comment and I’ll update the post.

UPDATE for StoreFront 2.0

Fortunately for those installing StoreFront 2.0, Citrix have made life a little easier and in every .config file I have looked at so far (generated by StoreFront), the generatePublisherEvidence setting is already set to “false”.

Everything else I’ve written here still applies, including the generatePublisherEvidence setting in Aspnet.config files under the various C:\Windows\Microsoft.NET folders.  Note also a new KB article from Citrix on speeding up the first time login for StoreFront, CTX137400.

Step by Step – Installing NetScaler Green Bubble Theme with no internet access

For those new to NetScaler and unix (like me), this might save you some time.  In attempting to follow this Citrix blog post on uploading the Green Bubble theme (, I found the instructions are high level and assume you already know your way around a NetScaler :)

I spent nearly an hour messing around trying to determine the exact commands to install this theme without Internet access, so to save others the time and frustration here are the step by step commands.

1. Download the script file and theme to your PC, eg and
2. SSH to your NetScaler (ie use Putty) and enter the shell command
3. Run the following command:

mkdir /var/vpn/customizations

4. Use WinSCP to connect to your NetScaler. Copy the downloaded script file (GreenBubble.txt) to the /root folder and the GreenBubble1.gz file to /var/vpn/customizations
5. Run the following commands:

cd /var/vpn/customizations
gunzip GreenBubble1.gz
tar -xvf GreenBubble1
cd /root
mv GreenBubble.txt
chmod +x

6. Hopefully now you have the theme installed, watch for errors in the script. A successfull output should look like this:

+ basename ./ .sh
+ SKINNAME=GreenBubble1
+ SKINARC=GreenBubble1.gz
+ SKINDIR=/var/vpn/customizations
+ DL=/tmp
+ EPA=ns_gui/epa/epa.html
+ [ -d /var/vpn/customizations/GreenBubble1 ]
+ fgrep var nsversion= /var/vpn/customizations/GreenBubble1/ns_gui/epa/epa.html
+ cut -d -f2
+ echo
+ tr , .
+ nsapimgr -d hwinfo
+ grep Version:
+ sed -e s/Version: NetScaler NS// -e s/: Build /\./ -e s/, Date.*//
+ cut -d. -f1,2,3,4
+ echo
+ tr . ,
+ COMMAVER=10,0,54,7
+ [ != ]
+ cp -rf /var/vpn/customizations/GreenBubble1/ /netscaler/
+ cp ./ /var/vpn/customizations
+ chmod 755 /var/vpn/customizations/
+ touch /nsconfig/
+ chmod 755 /nsconfig/
+ fgrep -q /var/vpn/customizations/ /nsconfig/

7. Reboot and enjoy green bubbly goodness :)

Note that if you have two NetScalers in a HA pair, you will need to perform these steps on both units.