Client Certificate authentication against XenDesktop using Storefront and NetScaler Gateway

so this is a question that I was asked the other day, and to be honest I wasn’t quite sure that this would work. I know that Smart Cards and so on works against a XenDesktop enviroment but just plain Client Certificates? not the same..

The purpose was that some admins want to have a simple way to start Citrix without the need for authentication. Now I started by setting up a Certificate policy and define the Client Cert authentication feature in the SSL profile. This gave me full authentication against NetScaler and to Storefront. The issue was when I tried to start an application, then I would get SSL errors which I have never seen before and again not so much information on Google on it. Therefore I needed to try another approach to it. Since the client certificate authentication worked internally, maybe there was an issue with NetScaler doing the authentication validation which seems to break the authentication against the VDA agents.


NOTE: If someone else has this working I would love to know about it!

But anyways I decided another approach, where I published StoreFront using the NetScaler with pure SSL_BRIDGE, Since Storefront was only going to be used as an authentication point anyways, I decided to give it a try.

From there it was just a matter of setting up certificates on Storefront and on the user-device. Which was a user-certificate.

First enable Smart Card authentication on the Storefront Store


And then specify this on the Receiver Web Site as well.


NOTE: This solution only works for Receiver for Web, since Citrix Receiver self-service cannot authenticate using Client Cert.

Specify a NetScaler Gateway which will be used for Remote Access only


Then go back to the store settings and specify the gateway appliance under optimal gateway routing feature.


So what will happen is that when a user authenticates to Storefront and click an application or desktop, it will trigger an ICA file where the NSGW.TEST.LOCAL will be defined as remote proxy solution for all traffic.

From there we only need to create a NetScaler Gateway virtual server, which only has an

  • IP
  • STA servers defined
  • Certificate

It need no authentication policy since this has already been done via Storefront. We do not need a session policy, besides defining ICA-proxy settings enabled.

So now when I go to Storefront web URL I get presented with this screen


Then when I click Log On I need to select a user certificate which is placed on my end-user device


In this case I need to have a certificate which is from the same Root CA which has been issued to my Storefront server, and volia! I’m in


Leave a Reply

Scroll to Top