Pawel Serwan Blog

Citrix, Microsoft and other stuff

First Look: XenApp/XenDesktop 7.6 – Part 7 (StoreFront configuration)


We get to the number 7. It is long way behind us so let’s review what we did already:

In the first part – we installed first Delivery Controller and setup our new XenDesktop 7.6 site.

In the second part – we have configured first site.

In the third part – we prepared the template image of Windows Server 2012 R2 that will be used by MCS service for creation of new machines that will be hosting user desktops and applications.

In the fourth part – we upgraded XenApp 6.5 server to XenApp 7.6.

In the fifth part – we created machine catalogs and used previously prepared master image. We attached to the site as well upgraded XenApp 6.5 server.

In the sixth part – we delivered applications to the end users by creating delivery groups.

In the seventh part – we will configure StoreFront so that end users could launch their apps.

This time we will launch Citrix StoreFront console. You can as well do the same in Citrix Studio but let’s use StoreFront console.

sf1We would like to create a new store for our internal users. We click Create a Store and in the next window we need to provide the desired name of our new store.

sf2Next we need to add information about the Delivery Controller that should be contacted by StoreFront service.

sf3sf4We can as well choose which transport protocol we will use for our communication with StoreFront. As we should always secure our environment as much as possible we choose of course HTTPS. It is possible to change as well the port number but 443 is probably the most widely opened port in IT environments.

sf5Next we can configure Remote Access. As we do not have yet Netscaler in our environment we choose: None. But let’s check what other options are:

  • To make the store unavailable to users on public networks, select None. Only local users on the internal network will be able to access the store.
  • To make only resources delivered through the store available through NetScaler Gateway, select No VPN tunnel. Users log on directly to NetScaler Gateway and do not need to use the NetScaler Gateway Plug-in.
  • To make the store and all other resources on the internal network available through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel, select Full VPN tunnel. Users require the NetScaler Gateway Plug-in to establish the VPN tunnel.

sf6We can click Create now and the new store will be configured.

sf7Our new Test Lab Store was created. We can see the URL of our store that we can use to connect.

sf8Let’s go back to Citrix Studio and check our store. As you see it is visible on the list but we can see as well the information “No certificate associated with this StoreFront server”.

sf9We can luckily change it. To do so let’s open Internet Information Services (IIS) Manager and navigate to Server Certificates tab.

sf10Due to the fact that this is my test environment I will generate self-signed certificate. In your production environment you should of course use your domain Certificate Authority and generate server certificate with full FQDN.


Please ensure to place newly generated certificate under Personal certificate store. Do not use Web Hosting.

sf12Next we need to bind our new certificate with our Default Web Site.




All right – we have bond our certificate with our website. Let’s check now StoreFront console. As you see the information about missing certificate is gone now.

sf16Now we can add our StoreFront server to our XenApp/XenDesktop site. To do that we have to navigate to Citrix Studio->Configuration->StoreFront and click Add StoreFront Server.

sf17After that we need to provide the name of our StoreFront server.



All right. We have to do the last thing. Configure StoreFront server name on our Delivery Group. As you see right now there is none server defined.


We should now Edit Delivery Group and from the list choose our StoreFront server.

sf22Now everything looks good. We should be able now to launch our published app.


Let’s try then log to the StoreFront website.

sf25I’ve provided my credentials and I was welcomed with the below information.

sf31That’s strange 🙂 Everything should be fine now, but it isn’t. To be honest it took my a while to find a source of the problem. It occurred that this is because of my configuration: I have both Delivery Controller and StoreFront server installed on the same machine. So I have to share ports between XML service and IIS. To workaround that problem I had to change the transport type for my Delivery Controllers to HTTP. So my connection between StoreFront and XML service is not secured now – passwords are sent in clear text. That is of course not possible in production environment and that is why you should plan separate servers for each infrastructure role in your XenApp/XenDesktop site. So let’s fix my problem and try to launch our app. First we need to edit Delivery Controllers configuration under Stores tab in StoreFront console.


Then I need to change transport type to HTTP.

sf33As you see I’m sending now my passwords in clear text – for sure it is not recommended apart test environments 🙂

sf34Now let’s refresh our application list.

sf35And finally we can see our published apps. Let’s launch it!


sf38As a last step let’s check if our session is visible in Citrix Studio.

sf39Everything looks good 🙂 It was probably much harder to configure properly StoreFront than I thought at the beginning. But we succeeded! Right now we have fully operational XenApp/XenDesktop site with StoreFront. That’s all for today. See you in the part of our First Look series!


15 thoughts on “First Look: XenApp/XenDesktop 7.6 – Part 7 (StoreFront configuration)

  1. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 8 (Connection Leasing) | pawelserwan

  2. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 1 (Overview and Installation) | pawelserwan

  3. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 2 (First Site Configuration) | pawelserwan

  4. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 3 (template image creation) | pawelserwan

  5. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 4 (upgrade from XenApp 6.5) | pawelserwan

  6. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 5 (Machine Catalogs creation) | pawelserwan

  7. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 6 (Delivery Groups creation) | pawelserwan

  8. in order to get rid of the “There is no apps or desktop available for you at this time” and achive the HTTPS Transport Type in your XenApp / XenDesktop deployment, you have to follow following articles :
    1. get to know on which port the Broker service is listening on :
    2. configure your XML service on the delivery controlers – I’m assuming that you are doing it in old fashioned way, separate xml brokers in accordance with :
    3. in order to get the proper values for the commands mentioned in point three have to visit this registry locations on your Dc’s : the meantime execute the commands:
    netsh http show sslcert -> you should not be shown with any bindings on your DC’s, (if you had successfully created the certificate on your StoreFront server, then you will be shown on SF with coresponding bindings, but not on Delivery Controllers yet)
    5. still on the DC’s get the content from the registry keys:
    which is explained here :
    HKEY_CLASSES_ROOT\Installer\Products\ (there search for the Broker Service and get the parent hive GUID
    cert hash can be obtained from the certificate Thumbprint (mmc -> add snapin -> computer account -> Personal -> certificates (I assume that CA in your test domain is in place, and this was the way you get the certs on your DC’s)

    6*. execute the command mentioned in point 5 of this article on both DC’s -> restart the
    netsh http add sslcert ipport=:443 certhash= appid={GUID of the broker service from point 5}
    bare in mind that appid has to be in the strictly defined structure 8signs-4signs-4signs-4signs-12signs -> all with dashes (have add them manually, as it is represented in other manner in DC’s registry)

    I’ve encountered some inconveniences, even though restarting the Broker Service on both DC’s, it still did not work for me, so restarted my DC’s and, magically was able to launch my resources having the HTTPS Transport Type set in StoreFront studio.

    That’s it!


    • Hi Piotr,
      Thank you very much for this comment. It is really great to see that people read what wrote but it is just awesome to see that they are truly interested and involved and figure out how to fix the problems I met.
      I will test it your solution in my test environment. Thanks one more time Piotr. Cheers!


  9. Pingback: First Look: XenApp/XenDesktop 7.6 – Part 9 (PowerShell) | pawelserwan

  10. Pingback: First Look: XenApp/XenDesktop 7.6 – Series summary | pawelserwan

  11. Thanks to both of you, really great source of information 🙂


  12. Thanks for the great post. I ‘ve been struggling with an initial all-in-one test install. Your tip about HTTP for the DC transport type did the trick. I kept changing between HTTP and HTTPS for ALL connections/site etc. Changing only there worked great. If you’re going to Synergy 2017, contact me and I’ll buy you a beer scott at


    • thanks Scott! I’m really glad that it helped you solve your problem. Unfortunately I’m not going to Synergy this time:) maybe will have chance to go next year. All the best!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s