Tutorial: Implementing a secure StoreFront Website on server 2012R2 behind NetScaler

3 Jun

At the moment I’m preparing for my CCE exam and one of the things I like to do is perform several setups. For this tutorial I implemented a XenDesktop & XenApp 7.5 server, a StoreFront server and a virtual NetScaler with a developer license. I already have a CA in place for my self-signed certs, the domain-joined machines automatically trust the Root CA cert, and a Domain Controller is in place.

The goal of the tutorial is to get the StoreFront websites running on SSL. The XML traffic should be encrypted and the NetScaler has to connect to the StoreFront servers through SSL. Let’s start!


First you need computer certificates on your Delivery Controllers. Assuming your Certificate Authority is online and configured properly this isn’t a hard job. Fire up the Microsoft Management Console (mmc), select the option to add a snap-in and add the Certificates snap-in.


Choose to manage the certificates of the computer account. Next select the local computer.



Unfold the Personal store, right-click Certificates and select Request New Certificate.


Select your AD Enrollment Policy and choose to enroll for a Computer certificate (this template is configured for Server Authentication and Client Authentication).



You have to repeat these steps for all your StoreFront and Delivery Controller servers.


To enable SSL (HTTPS) on your StoreFront website you need to fire up IIS and edit the bindings of the StoreFront site. In my case the StoreFront site is part of the default website. Open up the bindings of the default website and add or edit the 443 (https) binding. Make sure to select the correct SSL certificate.


Now that your IIS website is configured, you need to configure the Base URL of your StoreFront. Right-click Server Group and select Change Base URL, then configure the correct URL (it must correspond with the Common Name of the certificate).



You can verify that the service uses SSL by selecting the Stores section.



Failed to run discovery
Citrix.Web.DeliveryServicesProxy.ConfigLoader.DiscoveryServiceException, ReceiverWebConfigLoader, Version=, Culture=neutral, PublicKeyToken=null
An error occured while contacting the Discovery Service
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.AppendConfigurationFromDiscoveryService(WebReceiverConfigSection section)
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.RunDiscovery(WebReceiverConfigSection configSection)
at Citrix.Web.Proxy.Filters.DiscoveryComplete.OnAuthorization(AuthorizationContext filterContext)

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Url: https://<>/Citrix/<>
ExceptionStatus: TrustFailure
at System.Net.HttpWebRequest.GetResponse()
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(String url, String token, HttpRequestParameters options, Object requestData, CookieContainer cookieContainer)
at Citrix.DeliveryServicesClients.Discovery.RequestHandler.DiscoveryHttpRequestHandler.GetDocument(String url)
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.AppendConfigurationFromDiscoveryService(WebReceiverConfigSection section)

Solution: This was a bit of a stupid mistake. I did not use the FQDN in the Base URL: I used https://server instead of https://server.domain.local and got this big red event in the event log. Changing the Base URL so that it corresponds with the common name on the certificate fixed this error.


Well, this isn’t as simple as just selecting HTTPS when configuring your Delivery Controllers. I got several errors trying to get this to work. You will get a message after authenticating on your StoreFront site telling you that ‘There are no desktops or applications available’.


The errors I ran in to:

An SSL connection could not be established: The server sent a security certificate identifying external.domain.name, external.domain.name, external.domain.name, but the SSL connection was to pc1.domain.local.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Solution: In this case another IIS website was listening on port 443 and had another SSL certificate bound to it. Remove the binding or configure the website on a different IP Address (not * or

An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Solution: I only found a way to work around this, but I think it should be fixed by Citrix. I applied a GPO to my Delivery Controllers that enables SSL Cipher Suite Order. Just enable it (no modifications) and reboot the servers. In my case that fixed it.
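The three XML service errors above (TrustFailure, a certificate identifying the wrong name, and the cipher suite rejection) all come down to what the Delivery Controller presents on port 443. This added diagnostic, not part of the original post, connects from the StoreFront server to a controller with the FQDN as target name, the way StoreFront does, and reports the certificate names, chain trust and negotiated cipher. The server name pc1.domain.local is an assumed value taken from the error text; replace it with your own controller FQDN.

```powershell
# Added diagnostic (not from the original post): inspect what a Delivery Controller
# presents on 443 so name mismatch, trust and cipher problems can be told apart.
param(
    [string]$Server = 'pc1.domain.local',   # assumption: FQDN used in the Base URL / XML service address
    [int]$Port = 443
)

# Accept any certificate during the handshake; the checks are done explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    # Passing the FQDN as target host mirrors what StoreFront sends as SNI / expects as CN.
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

    # Name check: SANs first, subject CN as fallback. A mismatch here is the
    # "identifying external.domain.name ... but the SSL connection was to pc1.domain.local" case.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0 -and $cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }
    $nameOk = [bool]($names | Where-Object { $_ -eq $Server -or ($_.StartsWith('*.') -and $Server -like $_) })

    # Trust check against this machine's store without CRL lookups (a lab CA often has none).
    # A failure here is the "Could not establish trust relationship" / TrustFailure case.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Server       = $Server
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Names        = ($names -join ', ')
        NameMatches  = $nameOk
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Protocol     = $ssl.SslProtocol
        Cipher       = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, key exchange $($ssl.KeyExchangeAlgorithm)"
        Thumbprint   = $cert.Thumbprint
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it on the StoreFront server against every Delivery Controller; NameMatches and ChainTrusted must both be True, and the Names field tells you immediately when another site’s certificate is answering on 443.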



All the Citrix XML Services configured for farm XenApp 7.5 failed to respond to this XML Service transaction.

Solution: This was the most complicated one to fix. Although my Broker services were listening on port 443, I still got this error. To fix it you need a few things. First you need the GUID of the Broker service. Fire up a command prompt and run the command wmic product list. You will see something like:

Citrix Broker Service {06CA1147-C38E-4196-8F96-6813444B60C9}. You need the part between the braces.

Next you need the thumbprint of your machine certificate. Use the same procedure to fire up the Certificates MMC and open the machine certificate. On the Details tab you will find the thumbprint. Copy/paste it to Notepad and remove the spaces. Beware of a question mark appearing when copying the thumbprint to DOS (the Details view contains a hidden Unicode character in front of the thumbprint).


Fire up an administrative prompt and run the following commands. Replace the ipport value with your own IP address. This binds all 443 traffic to the Broker service.

netsh http add sslcert ipport= certhash=0038eb3cbb2f82a02846c95bc4afa9ea3f8bf742 appid={06CA1147-C38E-4196-8F96-6813444B60C9}
netsh http add sslcert ipport= certhash=0038eb3cbb2f82a02846c95bc4afa9ea3f8bf742 appid={06CA1147-C38E-4196-8F96-6813444B60C9}
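The GUID lookup, the thumbprint lookup and the netsh binding above, automated in PowerShell as an added example (not the post’s own commands). It assumes the MSI product is registered as ‘Citrix Broker Service’ (the name the wmic output shows), that the machine certificate’s subject CN or SAN is this host’s FQDN, and that $BindIp is the controller’s own IP address; the GUID is read from the registry uninstall keys instead of wmic, and the thumbprint from the certificate store, which sidesteps the hidden-character copy/paste problem.

```powershell
# Added example (not from the original post): bind the Broker service to 443 with the
# machine certificate, looking up the product GUID and thumbprint instead of pasting them.
param(
    [Parameter(Mandatory = $true)][string]$BindIp,          # assumption: this controller's IP, not 0.0.0.0
    [string]$ProductName = 'Citrix Broker Service'           # name as shown by 'wmic product list'
)

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Product GUID: same data 'wmic product list' reports, read from the MSI uninstall keys
#    (Win32_Product is slow and triggers an MSI consistency check of every product).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$appId = Get-ChildItem $uninstall -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -eq $ProductName -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' } |
    Select-Object -First 1 -ExpandProperty PSChildName
if (-not $appId) { throw "Product '$ProductName' not found in the uninstall registry keys" }

# 2. Machine certificate: issued to this FQDN, with a private key, not expired,
#    and carrying the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.DnsNameList.Unicode -contains $fqdn -or $_.Subject -like "CN=$fqdn*") -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No Server Authentication certificate for $fqdn in LocalMachine\My" }

# 3. Bind, but refuse to replace an existing 443 binding: a second owner of the port is
#    exactly what produced the wrong-certificate error earlier in the post.
$ipport = "${BindIp}:443"
$existing = netsh http show sslcert ipport=$ipport
if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
    throw "There is already an SSL binding on $ipport; inspect it with 'netsh http show sslcert'"
}
netsh http add sslcert ipport=$ipport certhash=$($cert.Thumbprint) appid=$appId
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $ipport" }
"Bound $ipport to $ProductName $appId with certificate $($cert.Thumbprint) ($fqdn)"
```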

To finish up you need to add a StoreFront server in Citrix Studio for XenApp or XenDesktop. Don’t forget to use https 🙂


That’s it. You should have a working encrypted internal environment. Now for the External Part!


Publishing the StoreFront externally via NetScaler requires some configuration in StoreFront and on the NetScaler. First StoreFront:

In the NetScaler Gateway section of StoreFront configure a new NetScaler. Make sure the NetScaler Gateway URL (which is the URL you’ll use to connect to the NS externally) matches the common name of the certificate you’re using on your NetScaler. This can of course be self-signed, but it’s easier to purchase one from a commercial CA. Configure the NS version and the logon type. Now the important part is the callback URL. This can be the same URL you are using as the NetScaler Gateway URL, as long as the StoreFront server can reach that IP address to complete authentication.

If you are in a setup where your NetScaler is in the DMZ and your SF server cannot reach the NetScaler, your authentication will fail. What you can do (there might be other options) to work around this is create an additional NetScaler Gateway vServer for local use. For instance, if your public NetScaler is reached with netscaler.domain.com on public IP 123.456.789.123 and has the certificate netscaler.domain.com, create an additional NetScaler Gateway vServer with a private IP, eg. assign the same name. Make sure 443 is allowed through your internal firewall and make sure the routing is in place so your StoreFront knows the route to your NetScaler. On this additional vServer you just assign the same certificate as you use externally. On your StoreFront server you can then add an entry in your hosts file for netscaler.domain.com with that private IP. Now you can use netscaler.domain.com as callback URL and the SF can reach the NetScaler. Your authentication will succeed.


Next configure your STA. Make sure you use the same STA on your NetScaler and of course https 🙂


Finally configure authentication in the Authentication section of StoreFront.


And last but not least….


I will only cover the NetScaler Gateway configuration in this section. Your NetScaler needs to be up and running and have DNS configured. It should be able to reach your domain controller and your StoreFront server on https. You have a (self-signed or commercial) certificate in place and have reserved a public IP address for the NSGW or configured eg. port forwarding (like I did in my case: just forward 443 to a private IP). And of course the NetScaler should be licensed.

Ok, first configure an LDAPS authentication server. Configure the Base DN to the OU where your users reside. Configure a read-only account to read the AD. Configure port 636 and do not forget to enable SSL.


Create the authentication policy for the LDAPS server that just says ns_true (authentication must pass).


Next navigate to the Session Policies and add a Session Profile. In the security section select Secure Browse (not strictly necessary but hey, it’s secure). Also set the default authorization action to Allow.


In the Published Applications tab configure ICA Proxy (ON) and the https address of your StoreFront web server. Also configure a Single Sign-on Domain, eg. if your domain is domain.local just enter DOMAIN.


And again add a Session Policy that just says ns_true (applies to all sessions).


Now it is time to add the NetScaler Gateway vServer. Add the vServer, configure the IP, use protocol SSL and select the certificate.


On the authentication tab insert your authentication policies and don’t forget to enable authentication.


On the Policies tab insert your session policy.


On the Published Applications tab add your STA.


And there you go. You should now have a working StoreFront environment that you can externally reach through your NetScaler!

