How to Change the Server Base URL from HTTP to HTTPS on Citrix StoreFront

This workaround applies to customers who have installed and configured Citrix StoreFront without a server certificate. When the server certificate is installed, there is a procedure to follow to ensure StoreFront and its services use a secure connection moving forward.

Note: It is assumed that the IT Administrator has generated and installed a server certificate on Citrix StoreFront server before running this procedure. In addition, an IIS binding is created over HTTPS (443). Therefore, any new connection to IIS is secured.

If you have not installed and configured an SSL certificate for StoreFront, refer to CTX200292, How to Generate and Install an SSL Certificate on a StoreFront Server for HTTPS connections, for detailed instructions.

Citrix StoreFront 3.x

Complete the following steps to change the base URL:

  1. Go to StoreFront and click Server Group on the left panel.
  2. Click Change Base URL on the right panel.
  3. Type the base URL and click OK.

Citrix StoreFront 2.x

Complete the following steps to change the base URL:

  1. Go to StoreFront and click Server Group on the left panel.

  2. Click Change Base URL on the right panel.

  3. Type the base URL and click OK.

Citrix StoreFront 1.2

Notes:

  • Before running this procedure, it is recommended to back up the StoreFront server by taking a snapshot (if it is a virtual server).

  • Run PowerShell with Administrator rights and with the execution policy set to Unrestricted when executing the command.

  • After the PowerShell command has been executed, Administrators can change the execution policy back to Restricted. For more information on how to change the Windows execution policy settings, refer to Using the Set-ExecutionPolicy Cmdlet.

Complete the following steps to change the base URL:

  1. Run PowerShell using Administrator rights.

  2. At the command prompt, type cd "C:\Program Files\Citrix\Receiver StoreFront\scripts".

  3. Type Get-ExecutionPolicy.

  4. If the result is Restricted, type Set-ExecutionPolicy Unrestricted to change the result to Unrestricted.

    Example:

    PS C:\Program Files\Citrix\Receiver StoreFront\scripts> Get-ExecutionPolicy
    Restricted
    PS C:\Program Files\Citrix\Receiver StoreFront\scripts> Set-ExecutionPolicy Unrestricted
    PS C:\Program Files\Citrix\Receiver StoreFront\scripts> Get-ExecutionPolicy
    Unrestricted

  5. After the execution policy is set to Unrestricted, type the following command:

    PS C:\Program Files\Citrix\Receiver StoreFront\scripts> .\SetHostBaseUrl.ps1 https://storefront.example.com

    Example after running the PowerShell command:

    PS C:\Program Files\Citrix\Receiver StoreFront\scripts> .\SetHostBaseUrl.ps1 "https://storefront.example.com"
    Existing HostBaseUrl - http://storefront.example.com/
    New HostBaseUrl - https://storefront.example.com/
    Processing WebApplication : 1/Citrix/Authentication
    - setting routing HostBaseUrl
    - checking TokenManager service Authentication Token Producer
    - checking allowed audiences
    - replacing audience http-storefront.example.com: http://storefront.example.com/
    - updating token issuers
    - updating http://storefront.example.com/Citrix/Authentication/auth/v1/protocols
    - checking TokenManager service Default Token Validation Service
    - checking allowed audiences
    - replacing audience http-storefront.example.com: http://storefront.example.com/
    - updating token issuers
    - updating http://storefront.example.com/Citrix/Authentication/auth/v1/token
    Processing CredentialWallet : CredentialWallet
    Processing WebApplication2 : 1/Citrix/Roaming
    - setting routing HostBaseUrl
    - checking TokenManager service Roaming Consumer
    - checking allowed audiences
    - replacing audience http-storefront.example.com: http://storefront.example.com/
    - updating token issuers
    - updating http://storefront.example.com/Citrix/Authentication/auth/v1/token
    - checking internal beacons
    - updating beacon 4af43272-2c79-457b-ad38-972e95ea8d8c
    - checking service records
    - updating Store:
    - checking internal beacons
    - updating beacon 4af43272-2c79-457b-ad38-972e95ea8d8c
    Processing WebApplication3 : 1/AGServices
    - setting routing HostBaseUrl
    Processing WebApplication4 : 1/Citrix/MyApps
    - setting routing HostBaseUrl
    - checking TokenManager service Dazzle Resource Consumer
    - checking allowed audiences
    - replacing audience http-storefront.example.com: http://storefront.example.com/
    - updating token issuers
    - updating http://storefront.example.com/Citrix/Authentication/auth/v1/token
    - updating Discovery endpoints and service record
    Processing WebApplication5 : 1/Citrix/PNAgent
    - setting routing HostBaseUrl
    - updating legacy PNA support
    Processing WebReceiver : 1/Citrix/MyAppsWeb
    - updating Receiver for Web
    PS C:\Program Files\Citrix\Receiver StoreFront\scripts>

    Note: Step 6 is optional.

  6. When the PowerShell command execution is complete, the Citrix StoreFront console might still display the following message on the Authentication, Stores, or Receiver for Web site nodes:

    [Screenshot of the console message]

    Ignore this message, as all connections to StoreFront use HTTP/SSL, whether through Receiver connections to the store(s) or through the web browser site.

    You can fix this console behavior by re-creating the following nodes:

    • Authentication

    • Store(s)

    • Receiver for Web site(s)

Important: Removing any of the three nodes affects the existing or new users trying to connect to StoreFront server using Citrix Receiver or web browser site.

For example, if you remove the Authentication service, users will be unable to log on to StoreFront. This will remove any of the three authentication modes you have selected (Username and Password, Domain Pass-through, or Pass-through from Citrix Access Gateway). In addition, it will remove the Citrix Credential Wallet Service and the Authentication virtual directory.

Example:

c:\inetpub\wwwroot\Citrix\Authentication

There is no specific sequence to remove the nodes; however, it is recommended to remove the nodes in the following sequence:

  • Remove any Receiver for Web site(s).

  • Remove any Store(s).

  • Remove the Authentication service.

When removed, re-create the nodes in the following sequence:

  • Create Authentication service.

  • Create Store(s).

  • Before creating the Receiver for Web site, click Refresh. If no site was created automatically, create one manually.
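
Steps 1 to 5 of the StoreFront 1.2 procedure above, as an added PowerShell example that is not part of the Citrix article. It differs from the written steps in one respect: Unrestricted is set only for the current process (-Scope Process), so the machine-wide policy does not have to be changed back afterwards. The function name and the base URL value are assumptions; define the function by pasting it into an elevated PowerShell prompt on the StoreFront server.

```powershell
# Added example (not Citrix code). Invoke-SetHostBaseUrlScoped is a hypothetical name.
function Invoke-SetHostBaseUrlScoped {
    param(
        # Assumed placeholder value; use the real HTTPS base URL of the server group.
        [string]$NewBaseUrl = 'https://storefront.example.com',
        # Script directory as given in this article for StoreFront 1.2.
        [string]$ScriptDir  = 'C:\Program Files\Citrix\Receiver StoreFront\scripts'
    )
    $ErrorActionPreference = 'Stop'

    # 1. Accept only an absolute https:// URL.
    $uri = $null
    $parsed = [System.Uri]::TryCreate($NewBaseUrl, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $parsed -or $uri.Scheme -ne 'https') {
        throw "Base URL must be an absolute https:// URL: $NewBaseUrl"
    }

    # 2. Record the machine-wide policy, then relax the policy for this process only.
    #    The Process scope disappears when this PowerShell window is closed.
    $machinePolicyBefore = Get-ExecutionPolicy -Scope LocalMachine
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

    # 3. Confirm that IIS already has an HTTPS binding (the prerequisite in the Note
    #    at the top of this article). Needs the IIS WebAdministration module.
    Import-Module WebAdministration
    $httpsBindings = @(Get-WebBinding -Protocol 'https')
    if ($httpsBindings.Count -eq 0) {
        throw 'No HTTPS binding found in IIS. Install the certificate and create the 443 binding first.'
    }

    # 4. Run the Citrix script from its own directory, as in step 5.
    Push-Location $ScriptDir
    try {
        .\SetHostBaseUrl.ps1 $NewBaseUrl
    }
    finally {
        Pop-Location
    }

    # 5. Report the machine-wide policy, which this function never modifies.
    $machinePolicyAfter = Get-ExecutionPolicy -Scope LocalMachine
    "LocalMachine policy before: $machinePolicyBefore, after: $machinePolicyAfter"
}

# Usage: Invoke-SetHostBaseUrlScoped -NewBaseUrl 'https://storefront.example.com'
```

If Group Policy enforces an execution policy, the Set-ExecutionPolicy call fails and the function stops before the Citrix script runs.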

Related:

Event ID 1300 — IIS Web Management Service Authentication

Updated: January 20, 2010

Applies To: Windows Server 2008

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1300
Source: Microsoft-Windows-IIS-IISManager
Version: 7.0
Symbolic Name: IISWMSVC_SERVICEHANDLER_UNKNOWN_ERROR
Message: An unexpected error happened while processing a service request.

Resolve
Check a custom WMSvc client

If you are using a custom client to connect to the Web Management Service, you may receive a 401 response. This behavior may occur if the client does not authenticate before it tries to call Web service methods through the management service.

Possible resolutions include the following:

  • Contact the vendor of the client about the error. The vendor should have more specific knowledge about the features and behavior of the client program.
  • Check the event log message for a specific error number that may provide additional clues about the failure. This error number will be different from the Event ID. To do this, see the steps below.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Check for a specific error number

To check for a specific error number:

  1. In the Event Viewer, select the event that you received.
  2. Click the Details tab, then Friendly View.
  3. If a specific error number is available, the words Binary data: should appear.
  4. Below In Words, note the number after the colon.

Find out more about a specific error number

To learn more about a specific error number:

  1. Download the Err.exe utility from the Microsoft Exchange Server Error Code Look-up page.
  2. Click Start, All Programs, Accessories, and then Command Prompt.
  3. At the command prompt, navigate to the directory where you downloaded Err.exe. For example, if you downloaded Err.exe to C:\Err, type cd C:\Err.
  4. Type err errornumber to obtain more information about the error.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.0

Related:

Event ID 1007 — IIS Web Management Service Authentication

Updated: March 24, 2009

Applies To: Windows Server 2008 R2

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1007
Source: Microsoft-Windows-IIS-IISManager
Version: 7.5
Symbolic Name: IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE
Message: Unable to read the certificate with thumbprint ‘{0}’. Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

Resolve
Check the Web Management Service (WMSvc) SSL certificate

To resolve this issue:

  • Find the SSL certificate that the Web Management Service is using.
  • Add the certificate snap-in to Microsoft Management Console (MMC).
  • Check that the certificate exists and has valid signature and time properties.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Note: These steps assume that you are logged on directly to the Web server.

Find the SSL certificate that the Web Management Service is using

To find the SSL certificate that the Web Management Service is using:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. In the Connections pane, select the server that you want to manage.
  4. In Features View, double-click Management Service.
  5. Under SSL certificate, ensure that a certificate is selected.
  6. Note the name of the certificate. By default, the name starts with “WMSvc”.

Add the Certificate Snap-in to Microsoft Management Console (MMC)

To add the Certificate Snap-in to Microsoft Management Console (MMC):

  1. Click Start, Run, type MMC, and press ENTER.
  2. Click File, Add/Remove Snap-in.
  3. From the list of available snap-ins, select Certificates, then click Add.
  4. When prompted, select the Computer Account option, and click Next.
  5. Select the computer that you want to manage, click Finish, then click OK.
  6. In the MMC, under Console Root, a node called Certificates has been added for the computer that you chose. IIS server certificates are stored here in the Personal directory of the computer certificate store.

Check SSL certificate properties

To check the SSL certificate properties:

  1. In MMC, click Certificates (Local Computer) to expand it. The Personal folder appears underneath.
  2. Expand the Personal folder. A Certificates folder appears under it.
  3. Select the Certificates folder. The certificates on the server appear on the right.
  4. A server certificate should exist that begins with “WMSvc.” Double-click it to see its properties.
  5. Click the Details tab. Verify that the certificate has a valid time stamp.
  6. To view the certificate thumbprint, scroll down and select Thumbprint. The thumbprint hash appears in the window.
  7. Click the Certification Path tab.
  8. Below the Certification Path window, examine the Certificate Status window. If the certificate is valid, the words “This certificate is OK” will appear.
  9. If the certificate has an invalid signature or an invalid time stamp, contact the issuer of the certificate to resolve the signature problem or to obtain a new certificate.
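
The certificate checks from the MMC procedure above, as an added PowerShell example that is not part of the original article: it lists certificates in the computer's Personal store whose name starts with WMSvc and reports the thumbprint, validity period and chain status for each. The function name is hypothetical, and matching on both the subject and the friendly name is an assumption about how the certificate is named.

```powershell
# Added example (not Microsoft code). Get-WmsvcCertificateStatus is a hypothetical name.
function Get-WmsvcCertificateStatus {
    $now = Get-Date

    # Cert:\LocalMachine\My is the Personal folder of the computer certificate store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=WMSvc*' -or $_.FriendlyName -like 'WMSvc*' } |
        ForEach-Object {
            # Build the chain locally; revocation lookups are skipped so the check
            # works on a server without outbound network access.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chainOk = $chain.Build($_)
            $chainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

            New-Object PSObject -Property @{
                Subject          = $_.Subject
                Thumbprint       = $_.Thumbprint       # compare with the thumbprint in the event
                NotBefore        = $_.NotBefore
                NotAfter         = $_.NotAfter
                InValidityPeriod = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
                HasPrivateKey    = $_.HasPrivateKey    # a server certificate needs its private key
                ChainOk          = $chainOk            # scripted counterpart of the Certification Path check
                ChainProblems    = $chainProblems      # empty when the chain built cleanly
            }
        }
}

# Usage: Get-WmsvcCertificateStatus | Format-List
```

An empty result means no certificate with that name exists in the Personal store, which matches the condition Event ID 1007 reports.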

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.5

Related:

Event ID 1107 — IIS Web Management Service Authentication

Updated: January 20, 2010

Applies To: Windows Server 2008

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1107
Source: Microsoft-Windows-IIS-IISManager
Version: 7.0
Symbolic Name: IISWMSVC_AUTHENTICATION_FAILED
Message: An account failed to log on. Account name: ‘{0}’, Remote Address: ‘{1}’

Resolve
Correct WMSvc client-server authentication

You may be unable to log on to the Web Management Service (WMSvc) if invalid credentials are supplied, if you are not authorized to perform the action attempted, or if some other intermediate issue is preventing authentication.

Possible resolutions include the following:

  • Ensure you log on with valid credentials.
  • Ensure that you are authorized for the area to which you are trying to connect.
  • If a provider failed to instantiate, verify that the provider type is correct, and that the assembly that contains the module provider is installed in the Global Assembly Cache (GAC).
  • HTTP 401 errors can have many causes. For more information, see the Knowledge Base article Troubleshooting HTTP 401 errors in IIS.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.0

Related:

Event ID 1106 — IIS Web Management Service Authentication

Updated: January 20, 2010

Applies To: Windows Server 2008

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1106
Source: Microsoft-Windows-IIS-IISManager
Version: 7.0
Symbolic Name: IISWMSVC_AUTHENTICATION_UNABLE_TO_READ_CONFIG
Message: An unexpected error happened while retrieving the authentication information.

Resolve
Correct WMSvc client-server authentication

You may be unable to log on to the Web Management Service (WMSvc) if invalid credentials are supplied, if you are not authorized to perform the action attempted, or if some other intermediate issue is preventing authentication.

Possible resolutions include the following:

  • Ensure you log on with valid credentials.
  • Ensure that you are authorized for the area to which you are trying to connect.
  • If a provider failed to instantiate, verify that the provider type is correct, and that the assembly that contains the module provider is installed in the Global Assembly Cache (GAC).
  • HTTP 401 errors can have many causes. For more information, see the Knowledge Base article Troubleshooting HTTP 401 errors in IIS.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.0

Related:

Event ID 1105 — IIS Web Management Service Authentication

Updated: January 20, 2010

Applies To: Windows Server 2008

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1105
Source: Microsoft-Windows-IIS-IISManager
Version: 7.0
Symbolic Name: IISWMSVC_AUTHORIZATION_NOT_ALLOWED
Message: The user ‘{0}’ is not authorized for the path ‘{1}’.

Resolve
Correct WMSvc client-server authentication

You may be unable to log on to the Web Management Service (WMSvc) if invalid credentials are supplied, if you are not authorized to perform the action attempted, or if some other intermediate issue is preventing authentication.

Possible resolutions include the following:

  • Ensure you log on with valid credentials.
  • Ensure that you are authorized for the area to which you are trying to connect.
  • If a provider failed to instantiate, verify that the provider type is correct, and that the assembly that contains the module provider is installed in the Global Assembly Cache (GAC).
  • HTTP 401 errors can have many causes. For more information, see the Knowledge Base article Troubleshooting HTTP 401 errors in IIS.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.0

Related:

Event ID 1104 — IIS Web Management Service Authentication

Updated: March 24, 2009

Applies To: Windows Server 2008 R2

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1104
Source: Microsoft-Windows-IIS-IISManager
Version: 7.5
Symbolic Name: IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED
Message: Only Windows Administrators are allowed to connect using a server connection. Other users should use the ‘Connect To Site or Application’ task to be able to connect.

Resolve
Correct WMSvc client-server authentication

You may be unable to log on to the Web Management Service (WMSvc) if invalid credentials are supplied, if you are not authorized to perform the action attempted, or if some other intermediate issue is preventing authentication.

Possible resolutions include the following:

  • Ensure you log on with valid credentials.
  • Ensure that you are authorized for the area to which you are trying to connect.
  • If a provider failed to instantiate, verify that the provider type is correct, and that the assembly that contains the module provider is installed in the Global Assembly Cache (GAC).
  • HTTP 401 errors can have many causes. For more information, see the Knowledge Base article Troubleshooting HTTP 401 errors in IIS.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.5

Related:

Event ID 1102 — IIS Web Management Service Authentication

Updated: March 24, 2009

Applies To: Windows Server 2008 R2

Clients can connect remotely to the Web Management Service on a Web server in order to administer that server. If connectivity issues occur, the client may not be able to administer the Web server.

Event Details

Product: Internet Information Services
ID: 1102
Source: Microsoft-Windows-IIS-IISManager
Version: 7.5
Symbolic Name: IISWMSVC_AUTHORIZATION_UNABLE_TO_READ_CONFIG
Message: An unexpected error happened while retrieving the authentication information.

Resolve
Correct WMSvc client-server authentication

You may be unable to log on to the Web Management Service (WMSvc) if invalid credentials are supplied, if you are not authorized to perform the action attempted, or if some other intermediate issue is preventing authentication.

Possible resolutions include the following:

  • Ensure you log on with valid credentials.
  • Ensure that you are authorized for the area to which you are trying to connect.
  • If a provider failed to instantiate, verify that the provider type is correct, and that the assembly that contains the module provider is installed in the Global Assembly Cache (GAC).
  • HTTP 401 errors can have many causes. For more information, see the Knowledge Base article Troubleshooting HTTP 401 errors in IIS.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the connection between the Web Management Service and your client can authenticate correctly:

  1. Click Start, click Control Panel, and then click Administrative Tools.
  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  3. Under Connection tasks, click Connect to a server… The Connect to Server dialog box appears.
  4. Under Server name, select the server name to which you want to connect.
  5. Click Next. If the connection was successful, the message “Created a new connection successfully” will appear on the next dialog box page.

Related Management Information

IIS Web Management Service Authentication

Internet Information Services (IIS) 7.5
