How To - Troubleshoot StoreFront for Citrix Virtual Apps and Desktops

Scope

This article aims to assist in troubleshooting the various steps between authenticating to StoreFront and launching a published Virtual App or Desktop. 

 

Points Covered

1. Double Authentication

2. Redirect Loop

3. Incorrect URL in Browser after Authenticating

4. 404 Not Found

5. Idle Sessions

6. Launching an Application

7. Adding a Citrix Workspace Account

 

 

ESP Authentication

 

Double Authentication

Behavior

The client logs in to StoreFront using the Edge Security Pack (ESP). After authenticating, the client is greeted with the Citrix StoreFront login form.

Solution

  1. Navigate to the ESP Settings section of the StoreFront Browser Auth ESP SubVS and ensure the Form POST Format STORENAME is correct. It should resemble the following: /Citrix/kempWeb/PostCredentialsAuth/Login

  2. On your Citrix StoreFront servers, ensure HTTP Basic authentication is enabled (found under Authentication Methods). 

CM-743.png

 

Redirect Loop

Behavior

If the client logs in and the browser reports that the site is not behaving correctly, open Developer Tools and check whether a redirect loop is occurring. If so, do the following.

Solution

Check if the client is receiving a "CTXAuthID" cookie. If they do not receive this cookie, they will consistently be sent into the StoreFront Browser Auth ESP SubVS and loop.

 

Incorrect URL in Browser after Authenticating

Behavior

After authenticating, the client has "External.Domain.com" in the browser.

Solution

Go to Rules & Checking > Content Rules > URL Modifications. Ensure the "Citrix_Redirect_X" rule has the correct URL configured. By default, it is External.Domain.com/Citrix/STORENAMEWeb. Both the FQDN and URL STORENAME must be updated.

 

404 Not Found

Behavior

After authenticating, the browser returns "404 not found".

Solution

Ensure the Citrix_Browser_URL rule is configured correctly. It should rewrite from Root to Path and should resemble the following: /Citrix/kempstoreWeb/

 

Idle Sessions

Behavior

The client tries to launch an application and the app just spins. Refreshing the browser takes the client back to the Kemp logon page.

Solution

1. Ensure StoreFront is version 2003 or greater.

2. Ensure your Logoff String is correctly configured. Navigate to Rules & Checking > Content Rules.

 

Launching Applications

When an application is launched, the LoadMaster rewrites the ICA file. If you enable L7 Debug Traces, you will see the rewrites below taking place. Three settings in the ICA file are modified:

  1. Address=192.168.10.136:1494 > SSLProxyHost=citrix.kempdemo.com:4432
  2. GatewayAddress=citrix.kempdemo.com > Address=citrix.kempdemo.com
  3. SSLEnable=Off > SSLEnable=On

 

This means that the client is going to initiate an external secure connection to citrix.kempdemo.com over port 4432. The customer must ensure that this port is open on the firewall.

 

KEMP kernel: L7: ffff888070cacc88: mangle_body called with 'Address=192.168.10.136:1494

KEMP kernel: L7: ffff888070cacc88: mangle_body returning 'SSLProxyHost=citrix.kempdemo.com:4432

2020-06-29T10:34:16+00:00 KEMP kernel: L7: ffff888070cacc88: mangle_body called with 'GatewayAddress=citrix.kempdemo.com

2020-06-29T10:34:16+00:00 KEMP kernel: '

2020-06-29T10:34:16+00:00 KEMP kernel: L7: ffff888070cacc88: mangle_body returning 'Address=citrix.kempdemo.com

2020-06-29T10:34:16+00:00 KEMP kernel: '

2020-06-29T10:34:16+00:00 KEMP kernel: L7: ffff888070cacc88: mangle_body called with 'SSLEnable=Off

2020-06-29T10:34:16+00:00 KEMP kernel: '

2020-06-29T10:34:16+00:00 KEMP kernel: L7: ffff888070cacc88: mangle_body returning 'SSLEnable=On

 

It is also possible that an internal FQDN will be returned instead of an IP address. To confirm, do the following:

  1. Log in to StoreFront.
  2. When it asks to detect Receiver, cancel and select Already Installed.
  3. Click on an Application and download the ICA file.
  4. Open using Notepad and note the Address= setting.

ICA_file.png

The above image shows the internal IP address, so your Body Response rule must match the IP address and port number.

Note: If Port ":1494" is not appended to the IP address or FQDN, remove it from each of the body response rules.

If the ICA file is correctly rewritten it should look like the following:

Rewritten_ICA_File.png
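The manual check above can be scripted. The following is an added example, not Kemp or Citrix code: it reads the text of a downloaded ICA file and reports which of the three rewrites did not apply, including an internal IP address or FQDN left in Address=. The host and port are the ones used in this article, and the sample file contents are constructed.

```python
import ipaddress

# Values taken from this article's example; change them for your deployment.
EXTERNAL_HOST = "citrix.kempdemo.com"
EXTERNAL_PORT = "4432"

def parse_ica(text):
    """Collect key=value pairs from every section of an INI-style ICA file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("[", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def is_private_ip(value):
    """True when value is a private IPv4 address, with or without :port."""
    try:
        return ipaddress.ip_address(value.split(":")[0]).is_private
    except ValueError:
        return False  # an FQDN; it cannot be classified from the name alone

def check_ica(text, host=EXTERNAL_HOST, port=EXTERNAL_PORT):
    """Return a list of problems; an empty list means all three rewrites applied."""
    s = parse_ica(text)
    problems = []
    addresses = s.get("address", [])
    if not addresses:
        problems.append("no Address= line found")
    for addr in addresses:
        if addr.lower() != host:
            kind = "internal IP" if is_private_ip(addr) else "unexpected host"
            problems.append(f"Address= not rewritten ({kind}): {addr}")
    if "gatewayaddress" in s:
        problems.append("GatewayAddress= still present, rewrite 2 did not match")
    if f"{host}:{port}" not in [v.lower() for v in s.get("sslproxyhost", [])]:
        problems.append(f"SSLProxyHost={host}:{port} missing")
    if set(v.lower() for v in s.get("sslenable", [])) != {"on"}:
        problems.append("SSLEnable= is not On")
    return problems

# Constructed sample files, not captured from a real deployment.
BEFORE = "[Notepad]\nAddress=192.168.10.136:1494\nGatewayAddress=citrix.kempdemo.com\nSSLEnable=Off\n"
AFTER = "[Notepad]\nSSLProxyHost=citrix.kempdemo.com:4432\nAddress=citrix.kempdemo.com\nSSLEnable=On\n"

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, check_ica(sample) or "OK")
```

To check a real download, pass the file's contents to check_ica(); an "unexpected host" result corresponds to the internal FQDN case described above.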

 

 

Endpoint Settings

Configure_VDI_Severs.png

Ensure the Virtual Services have the correct destination ports configured: port TCP 2598, or port 8008 for HTML5, as shown above.

 

Adding Citrix Workspace Account

If you see the message below when adding a user account to the Citrix Workspace application, ask the client to install Workspace 1818 and then upgrade to the latest version if required.

 cannot_process_request.png
