NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode

Step By Step Guide to Single Sign-On to Storefront in Clientless Access Mode

While playing in my Lab with the Citrix NetScaler Unified Gateway I encountered the following problem. Within Clientless Access mode I could not access the Storefront Server. To be honest it wasn’t working at all.
Google Chrome showed me the following screen

NetScaler Gateway Frame Error

While the Internet Explorer gave me at least an error.

NetScaler Gateway Frame Error

Since the ICA Proxy Mode worked very well I started digging 🙂  Thanks to Maik Steppeler from Citrix who helped with the last missing piece of this jigsaw! I assume you have the NetScaler Gateway & the Storefront up and running. I assume also that you have everything configured till a point where “it should be working” 😉 If not please ping me.

At first we start on the Storefront Server(s). We navigate to the web.config file within your Webstore Folder. Something like this C:\inetpub\wwwroot\Citrix\YourStoreWeb.

You will find the followings entry three times:

<add name=”X-Frame-Options” value=”deny” />
<add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” />

If you are only using the Internet Explorer you have to change the Value within “<add name=”X-Frame-Options” value=”deny” />” from deny to allow. If you and your user are also using Chrome or FireFox you will also have to change <add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” /> from none to self.

After editing it should look like this:

Storefront web.config Fix Frame Error

Now restart you IIS. Also make sure you enabled Remote Access in your Storefront Store.

Storefront Remote Access

We are now switching to the NetScaler. Within the NetScaler change to your Session Profile and enable “Single Sign-on to Web Applications” if this is not already enabled.

NetScaler Signle Sign-on to Web Applications

Go back to the Global Settings of the NetScaler Gateway and go to “Configure Domains for Clientless Access”

NetScaler Gateway Global Options

And under “Allow Domains” add your local Domain.

NetScaler Gateway Allow Domains Clientless Access

That’s it! If you now login and change to your Application section you will see your Applications published through Storefont without providing additional credentials!

Single Sign-On to Storefront in Clientless Access Mode


16 Responses to “NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode”

  1. This is amazing! Very cool and a bit of a shame citrix did not figure this out themselves!

  2. […] wizard in NetScaler 11 relies on Clientless Access and the built-in portal. See Jens Trendelkamp NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode to learn how to enable iFrame in StoreFront so it can be embedded in the Clientless Access […]

  3. Joe says:

    Thanks for this post.
    I can now see the storefront page, but SSO still does not work. it ask me to enter my credentials again. and when i enter it, i have an error : Your logon has expired. Please log on again to continue.
    Question : does the netscaler gateway settings in the storefront server need to be configured with the same external FQDN that the users type to connect?

  4. joe says:

    Thanks for this post.
    I can now see the storefront login page, but the SSO still does not work for me.
    And when i enter my credentials, i have an error : Your logon has expired. Please log on again to continue.
    Question: does the netscaler settings in the storefront server need to be configured with the FQDN external address that the users type to connect, please?

    Thanks for for help!

  5. Sean says:

    I’ve looked at you excellent article a few times in hope it may help me – it’s very informative but I’m stuck and wonder if you have any thoughts?

    Once Unified Gateway is setup, if a user chooses XenApp/XenDestkop apps from the main portal page they always go back to StoreFront and never get the choice to go to Clienteles access – how does one get a user back to the main choice page again?

  6. Chris says:

    Curious how you got the Storefront app tab added to the Client Access page. So far i’m unable to figure out how to setup that.

    • Chris says:

      So I’m able to get the tab to show but a blank screen. Made the changes to the SF web.conf file with no luck. I suspect I’m missing maybe something on the NetScaler side but can’t put my finger on it.

      • Chris says:

        Right after I type this I can now get the page to show up. Now running into the SSO issue one of the other folks talked about. It’s asking for login in the iframe.

        • Jens says:

          Hi Chris,

          could you please make sure you set every needed option which i described in this blog. Actually it sounds like you missed the “Configure Domains for Clientless Access”.

  7. Joe says:

    Hey, how did you get the application tab to show up, in my clientless it shows web and OWA but the application tab is not there

    when I login I see choices and I can choose XenApp but not when I choose clientless..

    • Anonymous says:

      I’m having the exact same problem I have followed a few resources online but can not get the application tab to showup. ??

  8. Anonymous says:

    Great post… im trying to achieve this also but having difficulty , i am unable to see the Application Link in the Navigation Pane that takes you to storefront , its simply not there ?

    Whats the trick to get it show up. I have followed all config as you described .


  9. Gehan De SIlva says:

    Hi Chris

    Top post, I have tried the configuration and can not get it going either 🙁 , what version of storefront are you using ? do you know if it works with Storefront 3.x ? . I logged a support call with Citrix to get some help but they said this integration was not supported between CVPN and Storefront …

    • Jens says:

      Hi Gehan,

      i have this setup running with Storefront 3.1 and 3.0. So these Version will defiantly work!
      As soon as i have some spare time i will try Storefront 3.5.


  10. Jabber says:

    ok so…..
    The issue for the Application tab missing is to go to the session profile, go to the published application tab, and where it says web interface mode, select global override and select normal.

    I too am having an issue with SSO, from the storefront page however. Using storefront 3,5

  11. Tesbor says:

    The American Dental Association recommends that people should brush their teeth twice a day for two minutes and floss daily to promote optimum oral health, to properly remove plaque and tartar build up on teeth and gums, and to remove food particles to prevent gingivitis and cavities.
    How to break up tartar on teeth

Leave a Reply

Your email address will not be published.

By continuing to use the site, you agree to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.