Tag: Storefront

Citrix ADC, Storefront SSO

With the release of Citrix ADC 13.0 build 64.35, Citrix have made some change to the “Single Sign-on to Web Application” in the Session Profiles:

This is new and can affect the SSO to Citrix Storefront. In my test environment after upgrading to 13.0 build 64.35 I got this error when logging in to the Access Gateway:

 There were no errors in the event viewer of the Storefront Server to help me.

In the release note for ADC 13.0 build 64.35 Citrix state, the flowing:

Title: Support to disable the weak Basic, Digest, and NTLM authentication globally

The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication

– Digest Access Authentication

– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

[ NSAUTH-7747 ]

I got my test environment to work with a simple traffic profile and traffic policy.

Traffic profile:

Traffic policy:

Just bind the policy to the Access Gateway, and you will not get the Storefront error, 😊

CLI commands:

add vpn trafficAction traf_prof_sf_sso http -SSO ON

add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso

bind vpn vserver <NAME> -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST

Citrix NetScaler Gateway Enterprise Edition, Storefront High Availability, Poor man’s solution

Belive it or not but some still have Citrix NetScaler Gateway Enterprise Edition running. The Citrix NetScaler Gateway Enterprise Edition is a special editions witch was made to replace the Access Gateway 5.x.

As you can see, many of the NetScaler features are not available:

Special the Load Balancing Feature can be a problem, as we the need another Load Balancing system to handle Storefront High Availability.

Well as the Load Balancing feature is not licensed is not the same as it is not there. It is, and we can use it, not to Load Balanced traffic between to Storefront server, but as failover. Many times this will be fine for the owners of the Citrix NetScaler Gateway Enterprise Edition.

I have to Severs with Storefront. To demonstrate the serveres is not in a Storefront Server Group as I need to different setup’s to identify witch server I am connected to.

The Server SF1 looks like this:

The Server XDC1 looks like this:

First, I create the SF1 and XDC1 Servers in the NetScaler configuration:

Then I create the Storefront monitor:

Then I create a service for each server. This has to be a service and not a service group, because we are using failover and not Load Balancing as the feature is not licensed.


As we are doing a Load Balancing Failover configuration, we start with the Virtual Server that will take over if the primary Server is not responding. This does not need to be direct accessible and that is why it does not have an IP address.

Then we create the Virtual Server that the clients are connecting too:


Just ignor the warnings, this is because the feature is not licensed, but when we test you will see that it is working as expected:

Now bind the Load Balancing Service to the Load Balancing Virtual Server:

This we know, J

Finely use the “Protection” to direct the traffic to the secondary storefront when the primary is down:

I know:

This end us up with this:

To test we connect to the virtual server of, and get the Storefront login site of the XDC1:

We will be getting this as long as the Storefront site is working on the XDC1. When I go and stop the Internet Information Service on the XDC1, the NetScaler service svc_xdc1_http goes down:

When I tests again I get the Storefront site on SF1, as the NetScaler sends the traffic to the Backup Virtual Server, because the primary service is down:



As for now, we can use the Load Balancing Failover even when the Load Balancing is not licensed. If Citrix have any plans to change this, we do not know. There in their rights to do that, so be aware of that.

In the example a have used HTTP, but it will work with SSL too. SSL I recommended as the users will type username and password and this we be sendt on the network in clear text if using HTTP.

I do not see it to be a problem that we are using failover and not real Load Balancing. Look at the flowing about max. Connections to a single Storefront Server: https://www.citrix.com/blogs/2015/06/30/storefront-scalability-update/

I sure, that the 50 Mb through put of the Citrix NetScaler Gateway Enterprise Edition will be the limit before the Storefront.


Powered by WordPress & Theme by Anders Norén