How to Configure SSL on XenDesktop Controllers to Secure XML Traffic

From XenDesktop Controller

IIS Installed on XenDesktop Controller

In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.

There are two ways to generate Server Certificates on IIS 7.x:

  • Create Certificate Request: This generates a CSR file to be submitted to a third party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to Microsoft TechNet article – Request an Internet Server Certificate (IIS 7)

  • Create Domain Certificate: This generates a CSR file and submits it to your domain registered Microsoft CA server. For more information, refer to the Microsoft TechNet article – Create a Domain Server Certificate on IIS 7.

    User-added image

After the Server Certificate is installed on IIS, ensure to set the Bindings to enable HTTPS on IIS by completing the following procedure:

  1. Select the IIS site that you want to enable HTTPS and select Bindings under Edit Site.

    User-added image

  1. Click Add, select Type as https, port number as 443, select the SSL Certificate that you installed and click OK.

    User-added image

  1. Open Registry Editor on XenDesktop Controller and look for the following key name.


    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  1. Verify that XmlServicesSslPort registry key exists with the correct value for SSL port. By default, it is set to 443.

    User-added image

  1. Change the XML service port.

    You can do this using PowerShell by running the following command:

    BrokerService –WiSslPort <port number>

    : If you decide to change the XML service port number on XenDesktop Controller, ensure to update the IIS port number as well under Bindings to match the new value.

IIS is not Installed on XenDesktop Controller

In this scenario, the XenDesktop Controller does not have IIS installed. As a result, there are a few ways to obtain a Server Certificate for the Controller:

  • Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, ensure to select the private key as well.

  • You can use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third party CA or your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article – Certreq.exe Syntax.

    Note: Ensure to always import the PFX server certificates under the XenDesktop controller Local Computer certificate store and not My user account.

    User-added image

After the Server Certificate is installed on XenDesktop Controller, register the SSL certificate for HTTPS on the server. To accomplish this, Windows 2008 has a built-in utility called netsh that allows you to bind SSL certificates to a port configuration. For more information, refer to the Microsoft MSDN article – How to: Configure a Port with an SSL Certificate

The following is the command that you must use:

netsh http add sslcert ipport=<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}

To obtain the certificate hash of a Server Certificate, open the Registry Editor, and open the following key name location and search for the Server Certificate that you want to use:


User-added image

An alternative to obtain this certificate hash

  1. Open the Server Certificate and under the Details tab, select Thumprint:

    User-added image

  1. Obtain the GUID of the XenDesktop controller Citrix Broker Service.

  2. Open Registry Editor and select Find.

  3. Search for Broker Service words. By default, the location is in HKEY_CLASSES_ROOTInstallerProducts (see the following example):

    User-added image

  1. Now that you have the certificate hash and Citrix Broker Service GUID, you can run the netsh command to bind the SSL certificate to port 443 and Citrix Broker Service. The following example is based on the GUID and certificate hash values taken from the preceding screenshots:

    Here is command to get the GUID

    Run the below command in Elevated command prompt on the DDC

    wmic product where “Name like ‘Citrix Broker Service'” get Name,identifyingnumber


    ​C: >netsh http add sslcert ipport= certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}

    : For GUID, ensure to include dashes (-). Otherwise, the command cannot run successfully.

A successful bind looks as displayed in the following screen shot:

User-added image

From the Web Interface server

Configure the XenApp Web Site or XenApp Services Site to use HTTPS and 443 as Transport Type and XML Service port respectively under Server Farms.

User-added image

Note: To have a successful SSL connection to the XenDesktop 5 Controller, ensure that Web Interface has installed the Trusted Root certificate (under Local Computer certificate store).


  • No Related Posts

Leave a Reply