StoreFront 1912 LTSR

Configure the password expiry notification period


In multiple-server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

If you enable Citrix Receiver for Web site users to change their passwords At any time (as described in Manage authentication methods), you can configure whether local users are reminded that their passwords are about to expire when they log on. By default, the notification period for a user is determined by the applicable Windows policy setting.

To set a custom notification period for all users, you can edit the web.config file for the authentication service.

  • For a default store, edit C:\inetpub\wwwroot\Citrix\Authentication\web.config
  • For a custom store, edit C:\inetpub\wwwroot\Citrix\customAuth\web.config
  1. Search for the following explicit configuration:

    <explicitBL authenticator="defaultDelegatedAuthenticator" requireAccountSIDs="true"
      hideDomainField="true" allowUserPasswordChange="Never" showPasswordExpiryWarning="Windows"
      passwordExpiryWarningPeriod="10" explicitJsonEnabled="true"
      <domainSelection default="">
        <clear />
      <accountPolicy allowUnlockAccount="false" allowResetPassword="false" />
  2. To disable password expiry notifications, use showPasswordExpiryWarning="Never".
  3. To set a custom notification period (for example 10 days before password expiry), use showPasswordExpiryWarning="Custom" and passwordExpiryWarningPeriod="10".


StoreFront does not support Fine-Grained Password Policies in Active Directory.

Configure the password expiry notification period