There are two very nasty pitfalls when using Citrix StoreFront with the native Workspace App. The result will be that users cannot launch any new session or must reset their Workspace App at best! The changes are very tiny but can screw your running environment terribly. So here are the things you should look after and keep in mind.

As described in the Citrix article "How to implement the Override Ica ClientName feature for StoreFront", the ClientName for the Workspace app (Receiver App Store) cannot be overwritten.  Overriding the ClientName would only work with "Receiver for Web" (RfW), i.e. the StoreFront website, and then the ClientName becomes WR_ClientName. This is true for the StoreFront integrated feature, which can be activated via the advanced store settings. Fortunately, there is another, much more flexible option!

This article deals with the Citrix Cloud Network Locations Services (NLS) and explains why "Undefined" is the new external at Citrix. If you are dealing with the network locations, you might get confused because the wording might not be quite correct, at least for me.

Last week, I had a request from a customer that the MFA authentication suddenly stopped working. The customer then installed the latest NPS MFA extension and also ran the troubleshooting script for MFA, but nothing was found. In the end, he asked me for short-term support. A look at the MFA event log showed a critical error with: "CLIENT_CERT_IDENTIFIER" and thus a finger pointing to the local certificate on the NPS server. The certificate with the Azure tenant ID can be found in the personal certificate store, and this was still valid until one day before! A new certificate for the Azure Multi-Factor Auth Client must be generated, but how?

Recently I showed how Citrix Cloud Network Locations can be updated for dynamic IP addresses. The Citrix HDX traffic and "SmartAccess" policies are thus updated, but what about the Microsoft MFA logon to Citrix Cloud or single sign-on? Single sign-on to Citrix Cloud works from the internal network as long as the named location for conditional access in Microsoft Entra is correct. Here too, the IP address can change repeatedly with dynamic IPs and must then also be adjusted. Here again a script-based solution that I use myself.

Citrix recently published Cloud Network Locations to get back some "SmartAccess" options customers had with Netscaler ADC. With the Network Locations set, you can use TAGs to enable or disable policies, for instance. This is nice for a company with owned fixed public IP-addresses, but what if you have a dynamic IP-address that might change now and then? Here is a solution that I use myself.