Citrix StoreFront logon process

Once the user enters the credentials the authentication service of StoreFront fetches the user credentials and validates them with a domain controller. So the StoreFront servers must reside either within the Active Directory domain containing the user accounts or within a domain that has a trust relationship with the user accounts domain.

StoreFront checks the Datastore for existing user subscriptions and stores them in memory.


The Web Interface / StoreFront forwards the user credentials as part of a XML query to the backend systems, such as XenApp, XenDesktop, App Controller or VDI-in-a-Box sequentially.

The Citrix Delivery Controller validates the user credentials with a domain controller and checks which resources have been published to the user within its database.

The Citrix Delivery Controller sends an XML response to Web Interface / StoreFront which contains all resources available for the user from the Citrix site.

StoreFront sends the list of available resources and the existing subscriptions to the Citrix Receiver installed locally or displays them in Receiver for Web and the user can access the resource.

StoreFront 2.5 supports parallel resource enumeration. When enabled, StoreFront sends out enumeration requests to all farms/sites at the same time and aggregates responses when all farms/sites have responded. This should provide faster responses to user queries when aggregating multiple farms/sites. If explicit Active Directory credentials are used to authenticate users, StoreFront sends user credentials to the XenApp farms/XenDesktop sites. To minimize the risk of user accounts being locked out as a result of parallel enumeration, StoreFront validates user credentials with Active Directory immediately before sending out enumeration requests.

When user clicks on an application or desktop icon to launch it in Citrix website, a spinner is displayed and any clicks on the same icon are ignored while the spinner is spinning. Hence user cannot unintentionally launch multiple instances of the same application/desktop. The default time period for the spinner is fixed for three seconds and can be changed by editing custom.script.js in the contrib folder under the Receiver for Web site.


About Murugan B Iyyappan

Working as a Consultant - Citrix solutions architect with 18 years of experience in the IT industry. Expertise in Citrix products and Windows platform.
This entry was posted in Citrix and tagged , , , , , , , , , , , . Bookmark the permalink.

4 Responses to Citrix StoreFront logon process

  1. Pranav says:

    Hi Murugan, thanks for all the information given above. But still it is somehow unclear to me that what exact difference is there between storefront and web interface? As per my understanding there is only difference that Storefront will directly query Active directory for authenticating user login details and web console will send them to controller and it will reach AD for authentication?

    Please correct me if I am wrong.

  2. Rahul says:

    Any reason why there are 2 times authentication taking place.. “The authentication service of StoreFront fetches the user credentials and validates them with a domain controller” Again in the “xendesktop controller validates the user credentials with the domain controller”.
    Any reason behind this?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s