As a freelancer, I quite often encounter Citrix pitfalls that customers tend to step into. Since I have seen them many times, I can quickly fix them, to the surprise of the administrator in charge.
Now here is a list of common Citrix pitfalls:
- After the setup of StoreFront, neither you nor anyone else can log in. The Delivery Controllers are set and everything looks fine.
Most common issue: By default, the Delivery Controller TCP port is set to 443 and NOT port 80! XenDesktop Delivery Controllers and XenApp do not use 443 by default and therefore will not respond to requests.
Quick Fix: Change to HTTP and TCP port 80 in the Delivery Controller properties
Best Fix: Especially if you run StoreFront on the Delivery Controller - Enable SSL/443 with either a private or public certificate.
- Intermittent issues launching apps through Netscaler Gateway with StoreFront or Web Interface
Most common issue: The Secure Ticket Authority (STA) servers are not the same in Netscaler Gateway and StoreFront/Web Interface
Quick Fix: Use the EXACT same STA servers in Gateway and SF/WI
Note: I advise you to use FQDNs for the STA servers and not to change the default port 80 for the Citrix XML service
- After authenticating against Netscaler Gateway you get the famous StoreFront "cannot complete the request" error. You worked through the excellent CTX207162 article but still no go.
Most common issue: In StoreFront you have configured Trusted Domains, for example MyDomain.com, so users can log in with just their name. In the Netscaler Gateway session profile, however, you have set the Single Sign-On (SSO) Domain to MyDomain, and therefore the SSO request that is sent cannot complete.
Quick Fix: Add MyDomain to the Trusted Domains in StoreFront or change it to MyDomain.com
Note: Check the Citrix Delivery Services event log under Applications and Services Logs
- Using Netscaler VPX to load balance backend SSL systems like Outlook Web Access without SSL offload. You find that the load balancer shows as offline.
Most common issue: Virtual Netscaler Appliances (VPX) only support a key size of 2048 on backend systems; anything higher fails!
Quick Fix: Switch to SSL offload, which can be quite simple for some backend systems
Best Fix: Change the backend certificate down to a key size of 2048
Note: Check the monitor error message; it should say something about a sync issue
Citrix eDocs: Netscaler SSL FAQ
- You noticed that the Netscaler (Gateway) time is out of sync and therefore you run into some issues. You confirmed that an NTP server is set.
Most common issue: The NTP sync is not activated. After you set the NTP server you MUST enable the sync.
Quick Fix: Go to NTP service and enable the sync
Note: If the time is still not in sync, then make sure on the Netscaler CLI that the NTP daemon was actually started.
Link: Read my post about the importance of time in Netscaler HA setup
- Using the XenMobile Wizard in Citrix Netscaler you select SSL offload to the XenMobile server. When done, things don't work.
Most common issue: SSL offload is by default NOT enabled on the XenMobile server and the Wizard is not pointing out that fact
Quick Fix: In the XenMobile server CLI enable SSL offload
Best Fix: Use SSL for XenMobile
Note: For higher security you should use SSL, which is the reason why Citrix disabled SSL offload by default
- You have problems getting the right VMware vCenter root certificate to get things working in XenDesktop Hosting?
Most common issue: Didn't look close enough ;-)
Quick Fix: At the vCenter login page you find the root certificate on the right side. Download the file and rename it to ZIP. Unzip the file and rename the 01 file to cer. That's the root certificate that you need
Note: Check the certificate for the FQDN, since newer ones normally also have the server FQDN in them.
- You are using XenMobile SecureHub to launch HDX sessions but you cannot find HDX settings for display etc.
Most common issue: Even though Receiver (required for HDX) with SecureHub doesn't need to be configured, you must set up an account to get to the HDX settings!
Quick Fix: As far as I know you must add an account, so no quick fix.
Note: Not so much a pitfall as something Citrix forgot about and should have fixed years ago.
- Single Sign-On not working
Most common issue: You didn't enable XML Trust
Quick Fix: With XenDesktop 7.x you enable the trust through PowerShell
Note: Up to XenApp 6.5 you could enable the trust simply in the console
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
- Multiple session launch with same Active Directory account
Most common issue: You must enable multiple sessions
Quick Fix: With XenDesktop 7.x you enable multiple sessions through PowerShell
Note: Up to XenApp 6.5 you could enable multiple sessions simply in the console
Set-BrokerEntitlementPolicyRule <Delivery Group Name> -SessionReconnection DisconnectedOnly
- The start of Citrix sessions via Web Interface or StoreFront takes a long time or doesn't work at all.
Most common issue: A proxy server is used and the Citrix Client picks up the settings from the browser
Quick fix: Set the proxy entry within the default.ica to NONE assuming connections are internal only.
Note: When using a proxy server, keep a close eye on Citrix-related things. With Web Interface, the proxy could be set in the console.
CTXKB: StoreFront Client Proxy Configuration - https://support.citrix.com/article/CTX136516
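The STA mismatch and SSO domain pitfalls above can both be caught by comparing the Gateway configuration with the values set in StoreFront. The Python check below is an added example, not part of the original post: the ns.conf lines, host names, object names and StoreFront values are constructed, and it assumes unquoted object names and the `-staServer` / `-ntDomain` parameters as they appear in a saved Netscaler configuration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in ns.conf syntax (object names and hosts are made up).
NS_CONF = '''\
add vpn sessionAction AC_OS_Receiver -ntDomain MyDomain -wihome "https://sf.mydomain.com/Citrix/StoreWeb"
bind vpn vserver gw_vs -staServer "http://ddc01.mydomain.com"
bind vpn vserver gw_vs -staServer "http://DDC02"
'''
# Constructed values, as they would be copied from the StoreFront console.
SF_STAS = ["http://ddc01.mydomain.com/scripts/ctxsta.dll",
           "http://ddc02.mydomain.com/scripts/ctxsta.dll"]
SF_TRUSTED_DOMAINS = ["MyDomain.com"]

def sta_key(url):
    """Reduce an STA URL to (scheme, host, port); path and case are ignored."""
    u = urlsplit(url.strip().strip('"'))
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, (u.hostname or "").lower(), port)

def gateway_stas(conf):
    # STA servers bound to any Gateway virtual server.
    return {sta_key(m) for m in re.findall(r'^bind vpn vserver \S+ -staServer (\S+)', conf, re.M)}

def gateway_sso_domains(conf):
    # Single Sign-On domain of every session profile.
    return set(re.findall(r'^add vpn sessionAction \S+ .*?-ntDomain (\S+)', conf, re.M))

def check(conf, sf_stas, sf_domains):
    """Return findings; an empty list means Gateway and StoreFront agree."""
    findings = []
    gw, sf = gateway_stas(conf), {sta_key(u) for u in sf_stas}
    for s in sorted(gw - sf):
        findings.append(f"STA only on Gateway: {s[0]}://{s[1]}:{s[2]}")
    for s in sorted(sf - gw):
        findings.append(f"STA only in StoreFront: {s[0]}://{s[1]}:{s[2]}")
    for s in sorted(gw | sf):
        if "." not in s[1]:  # short host name instead of an FQDN
            findings.append(f"STA is not an FQDN: {s[1]}")
    trusted = {d.lower() for d in sf_domains}
    for d in sorted(gateway_sso_domains(conf)):
        if d.lower() not in trusted:
            findings.append(f"SSO domain {d} is not a StoreFront trusted domain")
    return findings

if __name__ == "__main__":
    for line in check(NS_CONF, SF_STAS, SF_TRUSTED_DOMAINS):
        print(line)
```

With the constructed sample, the short name DDC02 is reported as a mismatch against ddc02.mydomain.com, which is the reason for using FQDNs on both sides.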
You have something to add? Please comment below!