When connecting to a XenDesktop 7.x and StoreFront 2.x based environment through NetScaler from an external Windows computer, you may receive the following error after finishing the Citrix Receiver initial wizard: "Your account cannot be added using this server address."
This error can occur when your StoreFront's Base URL uses http instead of https. Check which of the two your StoreFront server uses for its Base URL.
If http is being used, you have to change the Base URL to https and provide a corresponding server certificate for the underlying IIS web server. If the certificate was signed by your own private CA, also make sure NetScaler trusts it.
- Provide an appropriate server certificate for your IIS and change StoreFront's Base URL according to CTX135050
- Adjust all relevant NetScaler settings in terms of StoreFront, i.e. change URLs from http to https in all corresponding Session Profiles
Update 09/09/2015:
As stated in Citrix Discussions, this issue has not been solved completely yet. Therefore I had to investigate that problem further.
Several sources point out that this error message can have a number of different causes, e.g.:
- the StoreFront's Base URL not utilizing https
- the StoreFront's server certificate not being trusted by NetScaler
- the corresponding NetScaler Gateway URL not being added to IE's Trusted Sites Zone
- the corresponding NetScaler Gateway's server certificate not being trusted
- a misconfiguration in NetScaler Gateway's corresponding Session Policy and/or Profile
- a misconfiguration in NetScaler Gateway's corresponding Content Switching vServer in case Unified Gateway (UG) has been implemented
I'm still looking into this issue and will post my results here! My troubleshooting methodology is as follows:
First, I verified that the user has been successfully authenticated and the correct NetScaler Session Policies got hit:
- LDAP Authentication Policy:
- UG vServer Content Switching Policy: UG_VPN_
is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/") || HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cginfra/https/appController2")
- NetScaler Gateway vServer Session Policy: PL_OS_
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
After that I verified the corresponding Request Profile settings:
- Client Experience Tab: Split Tunnel => Override Global => OFF
- Client Experience Tab: Clientless Access => Override Global => Allow
- Client Experience Tab: Plug-in Type => Override Global => Java
- Client Experience Tab: Single Sign-on to Web Applications => Override Global
- Security Tab: Default Authorization Action => Override Global => Allow
- Published Applications Tab: ICA Proxy => Override Global => ON
- Published Applications Tab: Web Interface Address => Override Global => <StoreFront URL>/Citrix/StoreWeb/
- Published Applications Tab: Single Sign-on Domain => Override Global => <NetBIOS Name of your Active Directory Domain>
- Published Applications Tab: Account Services Address => Override Global => <StoreFront URL>
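An added example (not part of the original post and not Citrix tooling): a small Python audit over an exported ns.conf that flags session profiles whose StoreFront URLs still use http or that do not have ICA Proxy set to ON. It assumes the CLI parameters -wihome, -storefronturl and -icaProxy correspond to the Web Interface Address, Account Services Address and ICA Proxy fields listed above; the profile names and hosts in the sample are constructed.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample in ns.conf style; profile names and hosts are made up.
SAMPLE_NS_CONF = '''
add vpn sessionAction AC_OS_example -splitTunnel OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://sf.example.local/Citrix/StoreWeb/" -ntDomain EXAMPLE -storefronturl "http://sf.example.local"
add vpn sessionAction AC_WB_example -defaultAuthorizationAction ALLOW -icaProxy OFF -wihome "https://sf.example.local/Citrix/StoreWeb/" -ntDomain EXAMPLE
add vpn sessionAction AC_OS_fixed -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://sf.example.local/Citrix/StoreWeb/" -storefronturl "https://sf.example.local"
add vpn sessionAction AC_VPN_example -splitTunnel OFF -defaultAuthorizationAction ALLOW
'''

# Assumed mapping: CLI parameter -> field on the Published Applications tab.
URL_PARAMS = {"-wihome": "Web Interface Address",
              "-storefronturl": "Account Services Address"}

def parse_session_actions(conf_text):
    """Return {profile name: {parameter: value}} for each 'add vpn sessionAction' line."""
    profiles = {}
    for line in conf_text.splitlines():
        if not line.strip().lower().startswith("add vpn sessionaction "):
            continue
        tokens = shlex.split(line)  # honours the double quotes ns.conf puts around URLs
        args = tokens[4:]
        # Parameters follow the profile name as "-name value" pairs.
        profiles[tokens[3]] = {k.lower(): v for k, v in zip(args, args[1:])
                               if k.startswith("-")}
    return profiles

def audit(conf_text):
    """Return sorted (profile, finding) tuples for profiles that point at StoreFront."""
    findings = []
    for name, params in parse_session_actions(conf_text).items():
        urls = {p: params[p] for p in URL_PARAMS if p in params}
        if not urls:
            continue  # no StoreFront URL configured, e.g. a plain VPN profile
        for param, url in urls.items():
            if urlsplit(url).scheme.lower() != "https":
                findings.append((name, f"{URL_PARAMS[param]} ({param}) is not https: {url}"))
        if params.get("-icaproxy", "").upper() != "ON":
            findings.append((name, "ICA Proxy is not ON"))
    return sorted(findings)

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_NS_CONF):
        print(f"{profile}: {finding}")
```

Run it against a copy of the configuration rather than on the appliance itself; an empty result means every profile that references StoreFront uses https and ICA Proxy.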
More things to check:
- If your StoreFront server's certificate has been issued by your own private CA, make sure that NetScaler trusts the issuer of the server certificate, i.e. import the corresponding CA's certificate into NetScaler.
- If your NetScaler Gateway's server certificate has been issued by a private CA, make sure the endpoint device fully trusts the issuer, i.e. import the corresponding CA's certificate onto the endpoint device.
- Add your NetScaler Gateway's URL to the Trusted Sites Zone of IE.
Further reading:
- CTX135050 - How to Change the Server Base URL from HTTP to HTTPS on Citrix StoreFront
- CTX131101 - How to Enable Receiver Logging to Troubleshoot StoreFront Activation/Provisioning
- CTX137003 - Error: 'Cannot Add Account' on Windows RT Receiver
- Citrix Discussions - Receiver Add Account: Your account cannot be added using this server address