Citrix StoreFront – Few good things

On my recently completed project, I spent quite a bit of time debugging Storefront as I missed seemingly irrelevant but important practices. I also burnt my fingers few times because I failed to fully understand the basic principles of a redundant and fault tolerant Storefront implementation from a design perspective.

The following are the 3 important things that I learnt:

Always have two Storefront Server Groups and not ONE.


Previously, in a typical Web Interface implementation, we have two WI servers load balanced by a NetScaler LB. WI servers are nothing but IIS servers which are independent of each other. Each WI server needs to be configured individually and doesn’t have any dependency on the each other.

However, Storefront servers are different. Though Storefront is also an independent IIS server, but when joined in a server group propagates changes from the master Storefront server (the Storefront server on which the change is made and you choose to execute “Propagate changes”) to all other servers. This implies that if there is bad configuration on one of the Storefront server and you propagate changes from that server, all the servers in the server group gets affected and that makes the server group a single point of failure. And this happens more often than you think. Hence, there is a need for a secondary server group.

What’s a good practice?

  • Create two Storefront server groups with the same base url. Each server group is recommended to have 2 or more Storefront servers.
  • Create two NetScaler LB Service Groups for each of the Storefront server groups.
  • On the NetScaler LB VIP for Storefront, only one Service Group will be active at any point in time. The other Service Group will be a “Backup vServer” which will be active only when first Service Group is down.
  • If your environment does not have NetScaler, I suggest having a secondary URL for the secondary Storefront server group. For example, let the first Storefront server group have the base url and the second one being Though it may look untidy and may require users to key in another url on their browsers if their first url is not functional, it still allows them to login and consume their desktops and apps.

Adding Domain user to Local administrator group of Storefront Servers

Until recently I used to add users to “local administrators” group of a machine through “Restricted Groups” which is a horrible idea with bad consequences. Since it removes all other users from “local administrators” and only keeps what you specified in the “restricted groups”, it breaks Storefront as storefront places few built-in users into “local administrators”.

This is how the local administrators group of a Storefront server looks like soon after installation of Storefront.


As you can see there are accounts such as CitrixClusterService and CitrixConfigurationReplication that are local accounts also added automatically into the local administrators group during installation. These accounts must remain there for Storefront to function correctly. Using “Restricted Groups” removes these accounts and replaces them with only those domain user accounts that you specify. So refrain from using “Restricted Groups”.

Here the right way of adding a domain user as a local administrator on a machine. Use a GPO -> Computer Configuration -> Preferences. This way, it just adds users to the group and doesn’t replace the existing users who are already in the administrators group.

Base URL resolution

Storefront server group is always configured with a base url. Base url is just a FQDN such as that points to the NetScaler load balancing VIP for Storefront. This VIP will translate to one of the Storefront servers’ IP address.

But sometimes I ve observed that it may not resolve correctly resulting in the occasional dreaded error “Cannot complete request”. If you check the error logs, you will find that the Storefront “Discovery Service” has failed.

The Discovery Service can fail due to many reasons but more often than not it’s because of DNS resolution of the base url to one of the Storefront Servers. Discovery Service is nothing but a service that runs on every Storefront server that queries data about itself. It contacts the base url which returns the IP address of one of the Storefront servers’ IP address. It uses that IP address to fetch the required information.

But the simple fact is that all the information that a Storefront server ever needs is already known to itself and it doesn’t need to go via the long path of contacting the base url -> NS LB VIP -> Storefront IP.

So I suggest to you create a “hosts” file entry on every Storefront server for base url to point to its own IP address. For example, if the Storefront IP address is and base url is, I suggest create a hosts file entry for This way when the discovery service runs, it doesn’t need to go to the NetScaler LB VIP and then resolve to one of the Storefront servers, instead it can just get all the information from itself. Hence the discovery service of the Storefront Server does not depend on NetScaler or DNS for it’s functioning.

You must be wondering that DNS and NetScaler are perhaps fundamental blocks it is supposed to be working reliably all the time, which is true. But I was quite surprised by the number of times people make random configuration changes to DNS records, clearing caches, adding aliases, reusing URLs and so on. So fewer dependencies, better.

4 thoughts on “Citrix StoreFront – Few good things”

  1. mantap gan perkembangan teknologi sekarang, , klw kita gak ikuti bisa ketinggalan kereta , Aerith

    1. Thanks for responding Heiry. Appreciate. I dont believe any of what is mentioned above will be different for Storefront 3.x. Please let me know otherwise.

  2. Ensure that the ROOT cert and Intermediate Cert used for binding on Netscaler vServer i.e., End Entity Certificate -> intermediate 2 -> intermediate 1 ( cross sign certificate ) -> sha-1 root or sha-2 root are all installed on the storefront cert store (MMC- Certificate snapin- Trusted and intermediate store (Add respective files here)). This was missed out on my storefront servers. Its still intriguing why root and intermediate certs were not available on Storefront servers which should be pushed in the form of patching.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s