Tags: StoreFront

Load Balancing Citrix StoreFront with Azure Load Balancer

Sometimes there is a requirement to load balance StoreFront using a method other than NetScaler. Although rare (in my experience!), this does occasionally happen when NetScaler is not being used for remote access – in an internal-only environment, for example.

In this post I will explain how to Load Balance StoreFront using the native Azure Load Balancers. We start with a simple setup:

  • 1x Domain Controller
  • 2x Citrix StoreFront Servers – in an availability set called “EUS-StoreFront”
  • 1x Virtual Network (VNET)

All of the above is in the East US Azure Location.

We start by creating a new Azure Load Balancer. Note a few key settings here:

  • Type: Internal – this is because we are balancing traffic within our VNET (Internal Network only)
  • IP address – static… we don’t want the LB IP to change!

Once this is done – we can add the backend servers. We do this by targeting the Availability Set that the StoreFront Servers are in. For those familiar with NetScaler, this is similar to a Service Group:

Next – we need to configure some Health Probes. These allow the load balancer to determine the state of each StoreFront server and to confirm that the service we are load balancing is healthy and available. Note: at the current time Azure Load Balancer HTTP probes support relative paths only, so I have used /Citrix/CitrixWeb/monitor.txt – a simple text file (static content) I created to check that the web server is serving content and therefore working correctly. A node counts as healthy only while the probe receives an HTTP 200 within the probe timeout; any other status (including a redirect) takes it out of rotation. (https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/load-balancer/load-balancer-custom-probe-overview.md) I have configured my Health Probe as below:

Next – it’s time to create the Load Balancing Rule that will form the entry point for Load Balanced traffic. Note the Protocol (TCP), Ports (80 Frontend, and 80 Backend), Backend Pool (StoreFront Availability Set), Health Probe (our HTTP 80 monitor.txt check), Session Persistence (Client IP), and Idle Timeout (30 minutes is currently the maximum value):
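The same internal load balancer, health probe and rule, built with the Az PowerShell module rather than the portal. This is an added example and not part of the original post; the resource group (EUS-RG), VNet and subnet names (EUS-VNET / Servers), the front-end address 10.0.1.10, the load balancer name and the StoreFront NIC names (EUS-SF01-nic, EUS-SF02-nic) are assumptions for illustration. The Standard SKU is used here; the post's portal build predates it and uses the availability set directly.

```powershell
# Added example (not from the original post): internal Azure Load Balancer for StoreFront.
# Assumptions: resource group EUS-RG, VNet EUS-VNET with subnet "Servers", front-end IP
# 10.0.1.10, and StoreFront NICs named EUS-SF01-nic / EUS-SF02-nic in East US.
$rg       = 'EUS-RG'
$location = 'eastus'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'EUS-VNET'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Servers'

# Internal front end with a static private IP: no public IP is created, and the address
# the StoreFront DNS record points at never changes.
$frontEnd = New-AzLoadBalancerFrontendIpConfig -Name 'StoreFront-FE' `
    -SubnetId $subnet.Id -PrivateIpAddress '10.0.1.10'

# Backend pool, the equivalent of a NetScaler service group.
$backEnd = New-AzLoadBalancerBackendAddressPoolConfig -Name 'EUS-StoreFront'

# HTTP probe: relative path only; a node is healthy only while it answers HTTP 200.
# monitor.txt must exist on every StoreFront node or that node is pulled from rotation.
$probe = New-AzLoadBalancerProbeConfig -Name 'StoreFront-HTTP80' -Protocol Http -Port 80 `
    -RequestPath '/Citrix/CitrixWeb/monitor.txt' -IntervalInSeconds 15 -ProbeCount 2

# Rule: TCP 80 -> 80, client-IP persistence (SourceIP), 30-minute idle timeout (the maximum).
$rule = New-AzLoadBalancerRuleConfig -Name 'StoreFront-80' -Protocol Tcp `
    -FrontendPort 80 -BackendPort 80 `
    -FrontendIpConfiguration $frontEnd -BackendAddressPool $backEnd -Probe $probe `
    -LoadDistribution SourceIP -IdleTimeoutInMinutes 30

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name 'EUS-StoreFront-LB' -Location $location `
    -Sku Standard -FrontendIpConfiguration $frontEnd -BackendAddressPool $backEnd `
    -Probe $probe -LoadBalancingRule $rule

# Put each StoreFront server's primary IP configuration into the backend pool.
$pool = Get-AzLoadBalancerBackendAddressPoolConfig -LoadBalancer $lb -Name 'EUS-StoreFront'
foreach ($nicName in 'EUS-SF01-nic', 'EUS-SF02-nic') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic | Set-AzNetworkInterfaceIpConfig -Name $nic.IpConfigurations[0].Name `
        -SubnetId $subnet.Id -LoadBalancerBackendAddressPoolId $pool.Id | Out-Null
    $nic | Set-AzNetworkInterface | Out-Null
}

# Read back what was built.
Get-AzLoadBalancer -ResourceGroupName $rg -Name 'EUS-StoreFront-LB' |
    Select-Object -ExpandProperty Probes |
    Select-Object Name, Protocol, Port, RequestPath, IntervalInSeconds, NumberOfProbes
```

Two points worth checking before relying on this: Azure health probes are sourced from 168.63.129.16, so the host firewall on each StoreFront server must accept HTTP from that address or every node will show as down; and because the rule and probe are plain HTTP on port 80, a Store that is configured for HTTPS only (which a production StoreFront should be) needs the rule on 443 with a TCP or HTTPS probe instead, otherwise the probe will see a redirect rather than a 200.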

We can then click OK and our Load Balancing Rule is created! Next I created a DNS A Record for StoreFront and pointed it at the Load Balancer IP. After this, I opened up a browser and typed in my newly created StoreFront DNS record. Bingo – we have a page!

To test that the load balancing was working, I shut down IIS on each server in turn and tested again. Sure enough – even with only 1 out of 2 servers running, the page stayed up and StoreFront was accessible.
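The same failover test scripted so that it shows which node is actually answering and how long the switch-over takes. This is an added example, not from the original post. It assumes monitor.txt on each server contains that server's own hostname (for example written on each node with `Set-Content -Path 'C:\inetpub\wwwroot\Citrix\CitrixWeb\monitor.txt' -Value $env:COMPUTERNAME`, a physical path assumed from the /Citrix/CitrixWeb URL), that the DNS record is storefront.lab.local, that the servers are EUS-SF01 and EUS-SF02, and that PowerShell remoting to them is allowed.

```powershell
# Added example (not from the original post): stop IIS on one StoreFront node at a time and
# watch which node serves monitor.txt through the load balancer.
# Assumptions: monitor.txt holds the serving node's hostname, DNS name storefront.lab.local,
# nodes EUS-SF01 and EUS-SF02, probe interval 15 s with a probe count of 2.
$url     = 'http://storefront.lab.local/Citrix/CitrixWeb/monitor.txt'
$servers = 'EUS-SF01', 'EUS-SF02'

function Get-ServingNode {
    # Returns the hostname written into monitor.txt by whichever node answered,
    # or an "unreachable" marker if the load balancer had no healthy node to send us to.
    try   { (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5).Content.Trim() }
    catch { "unreachable: $($_.Exception.Message)" }
}

foreach ($victim in $servers) {
    Write-Host "Baseline: served by $(Get-ServingNode)"
    Invoke-Command -ComputerName $victim -ScriptBlock { Stop-Service -Name W3SVC -Force }
    Write-Host "IIS stopped on $victim"

    # The balancer keeps handing new flows to $victim until the probe has failed
    # ProbeCount times (2 x 15 s here), so poll instead of testing once.
    $deadline = (Get-Date).AddSeconds(90)
    do {
        Start-Sleep -Seconds 5
        $node = Get-ServingNode
        Write-Host ("  {0:HH:mm:ss}  served by {1}" -f (Get-Date), $node)
    } until (($node -ne $victim -and $node -notlike 'unreachable*') -or (Get-Date) -gt $deadline)

    if ($node -eq $victim -or $node -like 'unreachable*') {
        Write-Warning "Traffic did not move off $victim within 90 s; check the probe path and host firewall."
    }

    Invoke-Command -ComputerName $victim -ScriptBlock { Start-Service -Name W3SVC }
    Write-Host "IIS started on $victim`n"
}
```

Because the rule uses client-IP persistence, a single test client always lands on the same node until that node is marked unhealthy, which is why the script polls through the probe window rather than expecting an instant switch.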

This Load Balancer can be used for a variety of Web Applications, and is a simple way to Load Balance Azure based services as you require. Until next time… cheers!

Book Review – “Inside Citrix – The FlexCast Management Architecture” by Bas van Kaam

Recently I have been reading the excellent “Inside Citrix – The FlexCast Management Architecture” by Bas van Kaam. I wanted to write a quick post up about this book – as it’s well worth a read for anyone working with Citrix Desktop Virtualization products.

You can purchase the book here.

What I really like about this book is how thorough the sections are – no area is left untouched. Each element of the FlexCast infrastructure is covered, including the history behind FMA, and an overview of how FMA is different to IMA. As well as thorough details, there is also an excellent troubleshooting section, which goes through various tools and troubleshooting methods, and various cloud services available to assist.

Also, each section has a “Key Takeaways” area at the end, which provides an overview – highlighting the key elements and considerations covered. This is really useful if you are wanting to improve your knowledge in a particular area. Just by reading this book I’ve already uncovered, and filled, gaps in my own knowledge – this for me is the main reason for reading any technical publication.

Overall, for anyone working with Citrix products this book is an excellent read in my opinion – not only useful for improving your knowledge, but also serving as a reference guide when there are decisions to be made.


Citrix Self Service Password Reset – Setup


Self Service Password Reset (SSPR) is a technology that allows users to enroll by answering a series of security questions, and later to reset their password (or unlock their account) by answering those questions again should they forget it.

Before setting up SSPR you need to have Citrix StoreFront setup and secured with an SSL Certificate, and an SSL certificate available to use for the SSPR server. You also need to have Platinum XenDesktop licensing to use this feature. I also have a small XenDesktop 7.11 environment setup so that I can test successful launching of applications after a password reset.

Environment Overview

Below is a diagram of the virtual environment I have created for this lab:


Not too much to set up for this – the lab was created in a virtual environment, using pfSense as the gateway. I also have a client machine and a XenDesktop infrastructure which aren't in the picture. All VMs run Windows Server 2012 R2 with 1 vCPU and 4 GB RAM. All storage is on SSDs local to the VMware host.

SSPR Setup:

The installation media for Self Service Password Reset is included on the XenDesktop 7.11 Media:


Installation is fairly straightforward – the next few screenshots cover the install process:

Installation of SSPR is now completed – and we can start configuring everything.

IIS Changes

We need to configure a few basic IIS settings on the SSPR Server – these are detailed below:

Install an SSL Certificate:

Firstly, we need to open the IIS Management console, and open Server Certificates:


You will need to specify a certificate for use with the service, and then bind that to the default website. In my case I have used a self signed certificate, which I have installed on both the SSPR and StoreFront servers in this lab:


Bindings adjusted as per the below screenshot:


Adjust the Authentication Settings:

As per the Citrix article https://docs.citrix.com/en-us/self-service-password-reset/1-0/secure.html you will need to adjust the authentication settings for the MPMService website. Open the MPMService Website in the IIS Management Console:


Click on Authentication, then Windows Authentication, and then Advanced Settings:


Un-tick “Enable Kernel-mode authentication”:


Click “OK” and then click on “Providers”:


Add “Negotiate:Kerberos” and remove all other Providers – with only this provider listed, the service cannot fall back to NTLM:


Click OK. Then browse back to the MPMService Website in the IIS Management Console, and ensure that under SSL Settings, “Require SSL” is selected:


Click “Apply” and then close the IIS Management Console.
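The IIS changes above, scripted with the WebAdministration module so they can be applied and checked consistently. This is an added example and not from the original post or from Citrix. It assumes MPMService is an application under "Default Web Site" (where the certificate is bound above), that the SSPR server's name is sspr.lab.local, and that a self-signed certificate is acceptable, which it is only for a lab.

```powershell
# Added example (not from the original post): IIS settings for the SSPR server.
# Assumptions: MPMService lives under "Default Web Site", host name sspr.lab.local,
# self-signed certificate (lab only; production should use a CA-issued certificate
# that the StoreFront servers trust).
Import-Module WebAdministration

$site    = 'Default Web Site'
$app     = "$site/MPMService"
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Certificate and HTTPS binding on the default web site.
$cert = New-SelfSignedCertificate -DnsName 'sspr.lab.local' -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# 2. Windows Authentication on MPMService: enabled, kernel-mode off, Kerberos-only provider.
#    Writing with -PSPath 'IIS:\' -Location puts the settings in applicationHost.config,
#    exactly as IIS Manager does, so the section's delegation lock does not matter.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter $winAuth -Name enabled       -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter $winAuth -Name useKernelMode -Value $false

# Default providers are Negotiate and NTLM; remove both and add Negotiate:Kerberos,
# which is what "remove all other Providers" achieves in the GUI.
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$winAuth/providers" `
        -Name '.' -AtElement @{ value = $p }
}
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$winAuth/providers" `
    -Name '.' -Value @{ value = 'Negotiate:Kerberos' }

# 3. Require SSL on MPMService.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Read back the three settings that matter.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter $winAuth -Name useKernelMode
Get-WebConfiguration -PSPath 'IIS:\' -Location $app -Filter "$winAuth/providers/add" | Select-Object value
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter 'system.webServer/security/access' -Name sslFlags
```

Two consequences of the Kerberos-only provider are worth knowing before testing: StoreFront must reach the service by a name that has an HTTP service principal name (the server's own name works by default; an alias needs an SPN registered), and a client that reaches it by IP address cannot authenticate at all, since there is no NTLM fallback.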

Setting up the Self Service Password Reset Server

Before running the setup of SSPR, you’ll need two service accounts ready for use. I’ll cover off the permissions needed for each account later on in this post:

Account Name          Usage                 Function
svc-ssprdataprox      Data Proxy Account    Reads and writes data to the central store.
svc-ssprselfservice   Self-Service Account  Unlocks accounts and resets passwords on user AD objects.

To start the SSPR setup process, log onto the server running SSPR and click on “Citrix Self-Service Password Reset Configuration”:


The console then loads and you are presented with the following:


Before any configuration, we need to create a central store, as per the Citrix Article http://docs.citrix.com/en-us/self-service-password-reset/1-0/install-configure.html

To do this, use the Server Manager console, and then click on “File and Storage Services”, and then “Shares”:


Click on “Tasks” and then “New Share…”


Continue with the “SMB Share – Quick” option:


Select “Type a custom path”:


Then create a new folder – mine is called “SSPRShare” below – and click “Select Folder”:


Click Next, and then type the share name as “CITRIXSYNC$” and click Next:


Select “Access Based Enumeration”, uncheck “Allow caching of share”, and select “Encrypt data access” – this share will hold the users' enrollment data, so it should be neither cached offline on clients nor readable on the wire:


Click Next and then “Customise Permissions”, and then “Disable Inheritance”:


Select “Convert inherited…”, and then remove all users except for CREATOR OWNER, SYSTEM, and the Local Administrators Group:


We then need to modify the permissions assigned to creator owner, so that the permissions are as follows:


We also need to add the Data Proxy Account we created earlier with Full Control of the share, and the NETWORK SERVICE account with Read permission:


Once this is done, we create two subfolders, “CentralStoreRoot” and “People”. The Data Proxy Account requires Full Control of these folders:
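The central store share as built above, scripted end to end. This is an added example, not from the original post. It assumes the folder is D:\SSPRShare and that the domain is LAB with the account names from the table above; the post's screenshot defines the exact rights for CREATOR OWNER, so the script keeps that entry as converted from inheritance and does not alter it.

```powershell
# Added example (not from the original post): create the CITRIXSYNC$ central store.
# Assumptions: local folder D:\SSPRShare, domain LAB, data proxy account svc-ssprdataprox.
$path      = 'D:\SSPRShare'
$dataProxy = 'LAB\svc-ssprdataprox'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# SMB share: hidden ($ suffix), access-based enumeration, no offline caching, SMB encryption on.
New-SmbShare -Name 'CITRIXSYNC$' -Path $path `
    -FullAccess 'BUILTIN\Administrators', $dataProxy `
    -FolderEnumerationMode AccessBased -CachingMode None -EncryptData $true | Out-Null

# NTFS step 1: disable inheritance, converting inherited entries to explicit ones
# ("Convert inherited permissions into explicit permissions"), and commit.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# NTFS step 2: remove every principal except CREATOR OWNER, SYSTEM and local Administrators.
$acl  = Get-Acl -Path $path
$keep = 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
foreach ($rule in @($acl.Access)) {
    if ($keep -notcontains $rule.IdentityReference.Value) {
        $acl.RemoveAccessRuleAll($rule)
    }
}

# NTFS step 3: Data Proxy = Full Control, NETWORK SERVICE = Read, both inherited by
# subfolders and files so CentralStoreRoot and People get them automatically.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $dataProxy, 'FullControl', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', $inherit, $prop, $allow)))
Set-Acl -Path $path -AclObject $acl

# The two subfolders the SSPR service expects.
foreach ($sub in 'CentralStoreRoot', 'People') {
    New-Item -ItemType Directory -Path (Join-Path $path $sub) -Force | Out-Null
}

# Read back share and NTFS settings.
Get-SmbShare -Name 'CITRIXSYNC$' | Select-Object Name, Path, EncryptData, FolderEnumerationMode, CachingMode
(Get-Acl -Path (Join-Path $path 'People')).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The read-back on the People folder should list only CREATOR OWNER, SYSTEM, Administrators, the data proxy account and NETWORK SERVICE, all inherited; anything else means the inheritance break in step 1 did not take and the enrollment data is readable by more principals than intended.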


Once this is done, we can go back to the SSPR Setup Console:


Click on “Service Configuration”, and then on “New Service Configuration” on the right hand side:


We have already setup the Central Store, and installed an SSL Certificate – so we can press next, and enter the UNC path to our Central Store:


Press “Next” and then tick the correct Domain, and select “Properties” – for this guide I will be configuring a single domain only for SSPR. Then we need to enter the details of the Service Accounts we created:


Enter the Account Details and press OK, and then press Next. The SSPR Password Reset service is then created:


Click on Finish, and then we are taken back to the Console. Next we need to create the user configuration, by selecting the User Configuration pane, and then clicking “New User Configuration” on the right hand side. We can now choose an LDAP Path or an AD Group for the users eligible for Self Service Password Reset – I’m choosing an AD group 🙂


Click on Next, and enter the License Server Name:


We can now configure the options users will have when using the service – either a password reset, and/or the ability to unlock their account. I’m going to allow them to use both. Also, we need to enter the URL to the SSPR Service, which in my case, is the server name:


Then we can click “Create” and the User Configuration is created. Next we move into Identity Verification – this is where the questions come in!

Back in the main console, click on “Identity Verification”, and then “Manage Questions” on the right hand side. We then need to select the Default Language, and choose whether to mask answers. I’m going to use English and choose not to mask answers for this lab setup; in production, masking is worth enabling, since the answers are effectively a second credential and are typed at the login screen where they can be overlooked:


After clicking “Next”, we can customise the questions and add more or create a new Group of questions. I’ve customised a couple of the default questions for demonstration purposes:


Once you are happy with the questions created, click “Next”, and the ordering of questions can be adjusted. Once happy – click Finish, and the configuration is completed.

Delegation of Active Directory Rights for the Self Service Account

Before we can set up StoreFront to use the SSPR Service, we need to delegate permissions to the AD account used for password resets and account unlocking – the Self Service Account. We will do this in Active Directory with the Delegation of Control Wizard. Note: you will need to delegate control on every OU where users of the SSPR system reside.


First, we select the Self Service account we have created:


And then click “Next”:


Select “Create a custom task to delegate”. Then select “Only the following objects in the folder” and select “User objects”:


In the next window select “General” and “Property Specific”:


Ensure that the following permissions are checked, and then press next:

  • Read lockoutTime
  • Write lockoutTime
  • Reset Password
  • Change Password
  • Read userAccountControl
  • Write userAccountControl
  • Read pwdLastSet
  • Write pwdLastSet


Click “Finish” and then the delegation has been setup for the Self Service Account. We can now move on and configure Citrix StoreFront.
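The same delegation applied from the command line with dsacls, then read back through the ActiveDirectory module with the GUIDs decoded so the result can be compared against the list above. This is an added example, not from the original post. It assumes the enrolled users live in OU=SSPR Users,DC=lab,DC=local and that the Self-Service Account is LAB\svc-ssprselfservice; run the grant loop once per OU that holds SSPR users.

```powershell
# Added example (not from the original post): delegate the SSPR Self-Service Account rights.
# Assumptions: OU "OU=SSPR Users,DC=lab,DC=local", account LAB\svc-ssprselfservice.
Import-Module ActiveDirectory

$ou      = 'OU=SSPR Users,DC=lab,DC=local'
$account = 'LAB\svc-ssprselfservice'

# dsacls grant format: "account:rights;object-or-property;inherited-object-type"
#   CA   = control access (the extended rights Reset Password / Change Password)
#   RPWP = read property + write property
# /I:S applies each ACE to child objects only, and ";user" limits it to user objects,
# matching "Only the following objects in the folder -> User objects" in the wizard.
$grants = @(
    'CA;Reset Password;user',
    'CA;Change Password;user',
    'RPWP;lockoutTime;user',
    'RPWP;userAccountControl;user',
    'RPWP;pwdLastSet;user'
)
foreach ($g in $grants) {
    dsacls $ou /I:S /G "$($account):$g" | Out-Null
}

# Build a GUID -> name map from the schema (attributes, classes) and Extended-Rights
# (control access rights) so the ACEs read back as names rather than GUIDs.
$rootDse = Get-ADRootDSE
$names   = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }

# Every ACE on the OU that names the Self-Service Account. Expect five rows: two
# ExtendedRight entries (Reset Password, Change Password) and three
# ReadProperty, WriteProperty entries (lockoutTime, userAccountControl, pwdLastSet),
# each applying to "user" objects with Descendents inheritance.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Right     = $_.ActiveDirectoryRights
            Target    = if ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] } else { $_.ObjectType }
            AppliesTo = if ($names.ContainsKey($_.InheritedObjectType)) { $names[$_.InheritedObjectType] } else { 'any object' }
            Inherit   = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Whoever controls this account, or the SSPR server that holds its credentials, can reset the password of every user beneath the delegated OUs, so delegate it only on OUs that actually contain SSPR users (never on OUs holding administrative or service accounts) and watch for resets and unlocks it performs that do not match a user self-service event (security events 4724 and 4767 with this account as the subject).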

Configuring Citrix StoreFront for Password Self Service

To begin, open the StoreFront Console, and visit the Store you wish to add the SSPR Site to:


Then click on “Manage Authentication” on the right hand side:


Click on the settings option next to “User name and password”, and then select “Configure Account Self-Service”:


Next, choose “Citrix SSPR” from the drop down list:


And then press “Configure”. Then tick the boxes for “Enable password reset” and “Allow account unlock”, and then enter the URL to the SSPR Server:


Click OK 3 times, until you are back to the main StoreFront Console.

SSPR is now setup – and we can test with a user!

SSPR Signup Process and Testing

Now we have SSPR setup – we can begin the signup process and start testing. To do this, log into StoreFront with a user account that is a member of the AD Group we assigned in the SSPR Console (SSPR_Users in my case). You will then see the following extra “Tasks” option when you are logged in:


When we click on tasks, we can enroll in the Self Service Password Reset system:


Click on “Manage Security Questions” – before we can proceed we are required to authenticate again:


We will now see the security questions we defined earlier – and can provide answers:


Once these have been completed – we are presented with the following screen:


This means that the user is now enrolled and can use the Self Service Password Reset system.

Testing Self Service Password Reset:

Now that we have enrolled – we can make use of the SSPR System. If we visit the StoreFront website we also see an additional section of the login screen, labelled as “Account Self-Service”:


When a user who has forgotten their password visits the site, they can click on “Account Self-Service” to start the password reset process. For this test I will assume the role of a user who has forgotten their password. So I clicked on “Account Self-Service” and then selected the “Reset password” option:


After Clicking “Next” I am presented with the following screen, where I enter my username in the format domain\username, and then click “Next”:


After this, I am presented with the Questions that we previously setup, and answered for this test user:


After answering all 4 questions, I am presented with a change password dialogue:


A new password can be entered and “Reset” pressed:


The user’s password has now been changed, and we can login to our published resources – all without the need for any helpdesk calls.