Product Documentation

Configure StoreFront using the configuration files

Oct 06, 2015

Enable ICA file signing

StoreFront provides the option to digitally sign ICA files so that versions of Citrix Receiver that support this feature can verify that the file originates from a trusted source. When file signing is enabled in StoreFront, the ICA file generated when a user starts an application is signed using a certificate from the personal certificate store of the StoreFront server. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server. The digital signature is ignored by clients that do not support the feature or are not configured for ICA file signing. If the signing process fails, the ICA file is generated without a digital signature and sent to Citrix Receiver, the configuration of which determines whether the unsigned file is accepted.

To be used for ICA file signing with StoreFront, certificates must include the private key and be within the allowed validity period. If the certificate contains a key usage extension, this must allow the key to be used for digital signatures. Where an extended key usage extension is included, it must be set to code signing or server authentication.

For ICA file signing, Citrix recommends using a code signing or SSL signing certificate obtained from a public certification authority or from your organization's private certification authority. If you are unable to obtain a suitable certificate from a certification authority, you can either use an existing SSL certificate, such as a server certificate, or create a new root certification authority certificate and distribute it to users' devices.

ICA file signing is disabled by default in stores. To enable ICA file signing, you edit the store configuration file and execute Windows PowerShell commands. For more information about enabling ICA file signing in Citrix Receiver, see ICA File Signing to protect against application or desktop launches from untrusted servers.

Note: The StoreFront and PowerShell consoles cannot be open at the same time. Always close the StoreFront admin console before using the PowerShell console to administer your StoreFront configuration. Likewise, close all instances of PowerShell before opening the StoreFront console.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Ensure that the certificate you want to use to sign ICA files is available in the Citrix Delivery Services certificate store on the StoreFront server and not the current user's certificate store.
  2. Use a text editor to open the web.config file for the store, which is typically located in the C:\inetpub\wwwroot\Citrix\storename\ directory, where storename is the name specified for the store when it was created.
  3. Locate the following section in the file.
    <certificateManager> 
      <certificates> 
        <clear /> 
        <add ... /> 
        ... 
      </certificates> 
    </certificateManager> 
    
  4. Include details of the certificate to be used for signing as shown below.
    <certificateManager> 
      <certificates> 
        <clear /> 
        <add id="certificateid" thumb="certificatethumbprint" /> 
        <add ... /> 
        ... 
      </certificates> 
    </certificateManager> 
    

    Where certificateid is a value that helps you to identify the certificate in the store configuration file and certificatethumbprint is the digest (or thumbprint) of the certificate data produced by the hash algorithm.

  5. Locate the following element in the file.
    <icaFileSigning enabled="False" certificateId="" hashAlgorithm="sha1" /> 
    
  6. Change the value of the enabled attribute to True to enable ICA file signing for the store. Set the value of the certificateId attribute to the ID you used to identify the certificate, that is, certificateid in Step 4.
  7. If you want to use a hash algorithm other than SHA-1, set the value of the hashAlgorithm attribute to sha256, sha384, or sha512, as required.
  8. Using an account with local administrator permissions, start Windows PowerShell and, at a command prompt, type the following commands to enable the store to access the private key.
    Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
    $certificates = Get-DSCertificate "certificatethumbprint"
    Add-DSCertificateKeyReadAccess -certificate $certificates[0] -accountName "IIS APPPOOL\Citrix Delivery Services Resources"
    

    Where certificatethumbprint is the digest of the certificate data produced by the hash algorithm.
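As an added example (not Citrix's own code), the following PowerShell script checks a certificate against the signing requirements listed above and then applies Steps 4, 6 and 7 to the store's web.config. It assumes the certificate store is exposed as Cert:\LocalMachine\Citrix Delivery Services and that the web.config elements carry no XML namespace; Step 8 (granting the application pool read access to the private key) still has to be run afterwards.

```powershell
# Added example, not Citrix's own code. Assumes the certificate store
# Cert:\LocalMachine\Citrix Delivery Services and a web.config without an XML namespace.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [Parameter(Mandatory)][string]$CertificateId,
    [string]$StoreName = 'Store',
    [ValidateSet('sha1', 'sha256', 'sha384', 'sha512')][string]$HashAlgorithm = 'sha256',
    [string]$CertStorePath = 'Cert:\LocalMachine\Citrix Delivery Services'
)

# Checks the certificate against the ICA file signing requirements on this page.
function Test-IcaSigningCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { throw "Certificate is outside its validity period" }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($ku -and (([int]$ku.KeyUsages -band [int]$digitalSignature) -eq 0)) {
        throw "Key usage extension does not allow digital signatures"
    }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $allowed = @('1.3.6.1.5.5.7.3.3', '1.3.6.1.5.5.7.3.1')   # code signing, server authentication
        $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($present | Where-Object { $allowed -contains $_ })) {
            throw "Extended key usage must include code signing or server authentication"
        }
    }
}

$cert = Get-ChildItem -Path $CertStorePath | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $CertStorePath" }
Test-IcaSigningCertificate -Cert $cert

$configPath = "C:\inetpub\wwwroot\Citrix\$StoreName\web.config"
Copy-Item -Path $configPath -Destination "$configPath.bak"     # keep a backup before editing
[xml]$config = Get-Content -Path $configPath -Raw
# Step 4: register the certificate under <certificateManager><certificates>.
$certificates = $config.SelectSingleNode('//certificateManager/certificates')
if (-not $certificates.SelectSingleNode("add[@id='$CertificateId']")) {
    $add = $config.CreateElement('add')
    $add.SetAttribute('id', $CertificateId)
    $add.SetAttribute('thumb', $cert.Thumbprint)
    [void]$certificates.AppendChild($add)
}

# Steps 6 and 7: enable signing and point it at that certificate.
$signing = $config.SelectSingleNode('//icaFileSigning')
$signing.SetAttribute('enabled', 'True')
$signing.SetAttribute('certificateId', $CertificateId)
$signing.SetAttribute('hashAlgorithm', $HashAlgorithm)
$config.Save($configPath)
Write-Host "ICA file signing enabled for store '$StoreName' using $($cert.Thumbprint) with $HashAlgorithm"
```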

Configure communication time-out duration and retry attempts

By default, requests from StoreFront to a server providing resources for a store time out after 30 seconds. The server is considered unavailable after two unsuccessful communication attempts. To change these settings, you edit the configuration file for the store.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the web.config files for the authentication service and the store, which are typically located in the C:\inetpub\wwwroot\Citrix\Authentication\ and C:\inetpub\wwwroot\Citrix\storename\ directories, respectively, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <farmset ... serverCommunicationAttempts="2" communicationTimeout="30" 
      connectionTimeout="6" ... >
    
  3. Change the value of the serverCommunicationAttempts attribute to set the number of unsuccessful communication attempts before the server is considered to be unavailable. Use the communicationTimeout attribute to set the time limit in seconds for a response from the server. Set the time limit in seconds for StoreFront to resolve the address of the server by changing the value of the connectionTimeout attribute.

Configure the password expiry notification period

If you enable Citrix Receiver for Web site users to change their passwords at any time, local users whose passwords are about to expire are shown a warning when they log on. By default, the notification period for a user is determined by the applicable Windows policy setting. To set a custom notification period for all users, you edit the configuration file for the authentication service.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the web.config file for the authentication service, which is typically located in the C:\inetpub\wwwroot\Citrix\Authentication\ directory.
  2. Locate the following element in the file.
    <explicitBL ... allowUserPasswordChange="Always" 
      showPasswordExpiryWarning="Windows" passwordExpiryWarningPeriod="10" ... >
    
  3. Ensure that the allowUserPasswordChange attribute is set to Always to enable password expiry notifications. Change the value of the showPasswordExpiryWarning attribute to Custom to apply a specific password expiry notification period to all users. Use the passwordExpiryWarningPeriod attribute to set the password expiry notification period in days. Citrix Receiver for Web site users connecting from the local network whose passwords are due to expire within the specified time period are shown a warning when they log on.

Disable file type association

By default, file type association is enabled in stores so that content is seamlessly redirected to users' subscribed applications when they open local files of the appropriate types. To disable file type association, you edit the store configuration file.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the web.config file for the store, which is typically located in the C:\inetpub\wwwroot\Citrix\storename\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <farmset ... enableFileTypeAssociation="on" ... >
    
  3. Change the value of the enableFileTypeAssociation attribute to off to disable file type association for the store.

Enable socket pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling, you edit the store configuration file.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the web.config file for the store, which is typically located in the C:\inetpub\wwwroot\Citrix\storename\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file.
    <farmset ... pooledSockets="off" ... > 
    
  3. Change the value of the pooledSockets attribute to on to enable socket pooling for the store.

Customize the Citrix Receiver logon dialog box

When Citrix Receiver users log on to a store, no title text is displayed on the logon dialog box, by default. You can display the default text “Please log on” or compose your own custom message. To display and customize the title text on the Citrix Receiver logon dialog box, you edit the files for the authentication service.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the UsernamePassword.tfrm file for the authentication service, which is typically located in the C:\inetpub\wwwroot\Citrix\Authentication\App_Data\Templates\ directory.
  2. Locate the following lines in the file.
    @* @Heading("ExplicitAuth:AuthenticateHeadingText") *@
    
  3. Uncomment the statement by removing the leading @* and trailing *@, as shown below.
    @Heading("ExplicitAuth:AuthenticateHeadingText") 
    

    Citrix Receiver users see the default title text “Please log on”, or the appropriate localized version of this text, when they log on to stores that use this authentication service.

  4. To modify the title text, use a text editor to open the ExplicitAuth.resx file for the authentication service, which is typically located in the C:\inetpub\wwwroot\Citrix\Authentication\App_Data\resources\ directory.
  5. Locate the following elements in the file. Edit the text enclosed within the <value> element to modify the title text that users see on the Citrix Receiver logon dialog box when they access stores that use this authentication service.
    <data name="AuthenticateHeadingText" xml:space="preserve"> 
      <value>My Company Name</value> 
    </data>
    

    To modify the Citrix Receiver logon dialog box title text for users in other locales, edit the localized files ExplicitAuth.languagecode.resx, where languagecode is the locale identifier.

Prevent Citrix Receiver for Windows from caching passwords and usernames

By default, Citrix Receiver for Windows stores users' passwords when they log on to StoreFront stores. To prevent Citrix Receiver for Windows, but not Citrix Receiver for Windows Enterprise, from caching users' passwords, you edit the files for the authentication service.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Use a text editor to open the inetpub\wwwroot\Citrix\Authentication\App_Data\Templates\UsernamePassword.tfrm file.
  2. Locate the following line in the file.
    @SaveCredential(id: @GetTextValue("saveCredentialsId"), labelKey: "ExplicitFormsCommon:SaveCredentialsLabel", initiallyChecked: ControlValue("SaveCredentials"))
    
  3. Comment the statement as shown below.
    <!-- @SaveCredential(id: @GetTextValue("saveCredentialsId"), labelKey: "ExplicitFormsCommon:SaveCredentialsLabel", initiallyChecked: ControlValue("SaveCredentials")) -->
    

    Citrix Receiver for Windows users must enter their passwords every time they log on to stores that use this authentication service. This setting does not apply to Citrix Receiver for Windows Enterprise.

Warning

Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

By default, Citrix Receiver for Windows automatically populates the username field with the last username entered. To suppress population of the username field, edit the registry on the user device:

  1. Create a REG_SZ value HKLM\SOFTWARE\Citrix\AuthManager\RememberUsername.
  2. Set its value to false.

Configure server bypass behavior

To improve performance when some of the servers providing resources become unavailable, StoreFront temporarily bypasses servers that fail to respond. While a server is being bypassed, StoreFront ignores that server and does not use it to access resources. Use these parameters to specify the duration of the bypass behavior:

  • bypassDuration specifies the time in minutes that StoreFront bypasses an individual server after a failed attempt to contact that server. The default is 60 minutes.
  • allFailedBypassDuration specifies a reduced duration in minutes that StoreFront uses instead of bypassDuration if all servers for a particular Delivery Controller are being bypassed. The default is 0 minutes.

Considerations when specifying allFailedBypassDuration

Setting a larger allFailedBypassDuration reduces the impact of unavailability of a particular Delivery Controller; however, it has the negative effect that resources from this Delivery Controller are unavailable to users for the specified duration after a temporary network outage or server unavailability. Consider the use of larger allFailedBypassDuration values when many Delivery Controllers have been configured for a Store, particularly for nonbusiness-critical Delivery Controllers.

Setting a smaller allFailedBypassDuration increases the availability of resources served by that Delivery Controller but increases the possibility of client-side timeouts if many Delivery Controllers are configured for a store and several of them become unavailable. It is worth keeping the default 0-minute value when not many farms are configured and for business-critical Delivery Controllers.

To change the bypass parameters for a Store

Important: In multiple-server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so the other servers in the deployment are updated.
  1. Use a text editor to open the web.config file for the store, which is typically located in the C:\inetpub\wwwroot\Citrix\storename\ directory, where storename is the name specified for the store when it was created.
  2. Locate the following element in the file for the Delivery Controller you want to configure:
    <farm name="deliverycontrollername" ... allFailedBypassDuration="0" ... >
    
  3. Change the value of the allFailedBypassDuration attribute to the maximum number of minutes that StoreFront should allow all servers from the specified Delivery Controller to be bypassed.
  4. If desired, add (or update if the attribute is already present) the bypassDuration attribute to specify the number of minutes an individual server should be bypassed when StoreFront fails to contact that server.
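As an added example (not Citrix's own code), this PowerShell script audits the communication time-out settings from the earlier section and the bypass settings described here across every store under C:\inetpub\wwwroot\Citrix, so the trade-offs above can be reviewed against what is actually configured. It assumes each store's web.config contains a <farmset> element with <farm> elements and no XML namespace; the per-server worst-case figure is derived from this page's description (attempts multiplied by the time-out), not from a documented StoreFront algorithm.

```powershell
# Added example, not Citrix's own code. Assumes <farmset> contains <farm> elements
# without an XML namespace; defaults are the values stated on this page.
param([string]$CitrixRoot = 'C:\inetpub\wwwroot\Citrix')

function Get-AttrOrDefault {
    param([System.Xml.XmlElement]$Element, [string]$Name, [int]$Default)
    if ($Element.HasAttribute($Name)) { [int]$Element.GetAttribute($Name) } else { $Default }
}

$stores = Get-ChildItem -Path $CitrixRoot -Directory |
    Where-Object { $_.Name -ne 'Authentication' -and (Test-Path (Join-Path $_.FullName 'web.config')) }

foreach ($store in $stores) {
    [xml]$config = Get-Content -Path (Join-Path $store.FullName 'web.config') -Raw
    $farmset = $config.SelectSingleNode('//farmset')
    if (-not $farmset) { continue }    # not a store web.config (for example a Receiver for Web site)

    $attempts = Get-AttrOrDefault $farmset 'serverCommunicationAttempts' 2
    $timeout  = Get-AttrOrDefault $farmset 'communicationTimeout' 30
    $connect  = Get-AttrOrDefault $farmset 'connectionTimeout' 6
    Write-Host ("Store {0}: attempts={1} communicationTimeout={2}s connectionTimeout={3}s" -f $store.Name, $attempts, $timeout, $connect)

    foreach ($farm in $farmset.SelectNodes('.//farm')) {
        $allFailed = Get-AttrOrDefault $farm 'allFailedBypassDuration' 0
        $bypass    = Get-AttrOrDefault $farm 'bypassDuration' 60
        # Assumed upper bound per unavailable server before it is bypassed: every attempt waits the full time-out.
        $worstCaseSec = $attempts * $timeout
        $note = if ($allFailed -gt 0) {
            "resources from this Delivery Controller stay unavailable for up to $allFailed min after an outage"
        } else {
            "default 0: servers are retried immediately once all of them are bypassed"
        }
        Write-Host ("  Farm {0}: bypassDuration={1}min allFailedBypassDuration={2}min worstCasePerServer={3}s -> {4}" -f $farm.GetAttribute('name'), $bypass, $allFailed, $worstCaseSec, $note)
    }
}
```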