Requirements and Limitations of Authentication at StoreFront using NetScaler Gateway


NetScaler and StoreFront interop has undergone several improvements in the last few releases to reduce integration mistakes by administrator. Initial efforts were targeted to allow administrators to import NetScaler Gateway configuration into StoreFront through the management console with minimal administration effort.

The aim of this new integration improvement is to reduce the NetScaler configuration complexity by enabling NetScaler to authenticate users with StoreFront (via LDAP instead of the NetScaler Gateway performing an LDAP query to an Active Directory server. The NetScaler configuration will be reduced by providing a minimal amount of information: the FQDN of the StoreFront server, and the name of the domain where users authenticate.

A benefit of offloading authentication to StoreFront (instead of NetScaler) is that the Active Directory server does not need to be directly exposed to the DMZ, reducing the chance of an attack.

System Requirements

The following product versions support this integration:

  • NetScaler 12.0 or later
  • StoreFront 3.11 or later
  • Citrix Receiver for Windows 4.4 or later
  • iOS Receiver

Supported Environments

One of the key aspects of this feature is to provide a configuration experience where the administrator does not have to enter an LDAP configuration on the NetScaler Gateway side. By allowing StoreFront to perform the LDAP authentication, StoreFront attempts to verify the user credentials and gather the user’s UPN (User Principal Name) and Active Directory group information, without any specific configuration information about the customer’s domain structure and AD environment.

While this approach provides a good experience for the administrator, it has some limitations that need to be recognized. These limitations restrict the type of domain and Active Directory deployments that are supported.

The key limitations to the supported domain infrastructure are:

  • The StoreFront server must be in the same forest connected as the users’ domains.
  • The StoreFront server must be trusted by all other domains used for logon.
  • The use of the XML service on DDCs (XenApp/XenDesktop Delivery Controllers) to authenticate users is not supported.
  • The domain infrastructure must have DNS suitable for querying Active Directory through Domain Controllers and Global Catalog servers based upon the users’ domain names.
  • The resolved Active Directory servers should have a low latency to allow reasonable performance without having to manually configure specific servers to make queries to.

Basic Features Supported

These are the three features supported:

  • Username & Password Authentication – Verifies the user account information and support returning additional AD account information from Active Directory.
  • Elective Password Change – After a successful logon the user may choose to change their password.
  • Expiring Password Change – This is a combination of the other two independent flows coordinated by NetScaler. When a user initially logs on the response from StoreFront will include if their password is expiring, and the lifetime until it expires. NetScaler may choose to force the user to change their password at this point or just alert them to their imminent password expiry.

Additional Resources


Leave a Reply