
Hangs on Setclient?Wica

Kim Keith


Hey all


I have a problem, and this is the 3rd time I'm running into this problem.

Netscaler VPX 10.1 and StoreFront 2.1, single deploy and no LB on the Netscaler.

It simply hangs on the Setclient?Wica when logging in from an external site on the StoreFront server.


Now, the first time the problem was that Netscaler could not find the DNS storefront, so the solution was to use the IP in the Netscaler Session profile.


The second time I think there was something I missed in the Basic mode configurations or features... enable all and it worked.


I tried both things here but still no luck...

Now this is crazy, same setup: single deploy Netscaler in one-arm mode... StoreFront 2.1

Session policy set to IP and not DNS of the storefront in Netscaler session.. check that it's OK with case sensitivity.. and so on /Citrix/StoreWeb

Session policy:

Client Experience - Clientless Access Allow - single sign to Webinterface.

Publish Application - ICA - ON , Web Applications  https://xx.xx.xx.xx/Citrix/StoreWeb

Single sign-on Domain FQDN name.

Vserver set to Smart access mode and a license is installed for 5 users.

Callback Ok points to the VIP and can ping External URL from the storefront.


Now I'm getting this: it simply hangs on Setclient?Wica when logging in with the Netscaler.. it works internally fine on https storefront.domain.com


There is nothing between the Netscaler and StoreFront; I can ping both ways and no firewall is enabled on the StoreFront server.....


Why is it not working for me..Any HELP from Citrix on this..


Verify the following StoreFront and Gateway configurations:

  1. The FQDN for StoreFront load balancing must be different than the FQDN for NetScaler Gateway. This is true even if you are using IP address in your session policy.
  2. If load balancing StoreFront, persistence must be set to Source IP (at least one hour timeout) and insert the client IP address into the X-Forwarded-For header.
  3. NetScaler Gateway session policies for StoreFront should be configured as detailed at http://support.citrix.com/article/CTX139963.
  4. On StoreFront, in the Authentication node, click Configure Trusted Domains and make sure either all domains are accepted or all variations (NetBIOS and UPN) of the domains are listed.
  5. On StoreFront, in the NetScaler Gateway node, create a Gateway object.
    1. When configuring the gateway object, leave the Subnet IP field empty. Also, make sure the Gateway URL matches what users enter into their browsers.
    2. Click Stores on the left. On the right, click Enable Remote Access. Select No VPN.
  6. Can StoreFront access the auth callback URL (NetScaler Gateway VIP) without certificate errors?
  7. The callback URL must point to any NetScaler Gateway VIP on the same appliance that authenticated the user.
  8. The FQDN in the callback URL must match the NetScaler Gateway certificate.
  9. The NetScaler Gateway certificate must be trusted by the StoreFront server.
  10. The STAs configured on the NetScaler Gateway Virtual Server must match the STAs configured on the StoreFront server.
  11. On StoreFront, look in Event Viewer > Applications and Services > Citrix Delivery Services for errors.





1. Not using LB. Direct access to SF.

2. Not using LB.

3. Followed the settings and still the same.

4. Is set to trust any domain.

5.1. Is set to empty. Did not solve it, was set to

5.2. Was set.

6. Yes, open the callback URL on the StoreFront server and trying to log in from there.

7. Was set to the VIP of the Netscaler a Host entry on the StoreFront server.

8. Yes it does.

9. Yes it does. Or how can I verify that?

10. We only have one STA on port 80.

11. Nothing there...as we are never reaching the storefront from the Netscaler.


And we have no ICA licenses = 0 we only have 5 Smart access licenses.


  • 2 weeks later...

Ok so the problem is and can only be this.


Because it hangs on the setclient/Wica, is one of 3 things you can do.


1. The Netscaler can't find the StoreFront (Session policy - URL), so open the right ports if DMZ. Ping both ways to see if all is open, and Telnet. Or open all ports both ways for testing..!!


2. In Session policy, replace https://storefront.domain.com/Citrix/Storeweb with https://192.x.x.x/Citrix/StoreWeb where 192.x.x.x is the IP of your StoreFront server and Citrix/"Store"Web Store is the name you gave your store!.. Remember capital letters, case-sensitive.


3. Or if that doesn't work, create a DNS entry on the Netscaler so that you are sure that Netscaler can resolve the name Storefront.domain.com to the IP of your StoreFront, and in the Session policy use the FQDN in the Session policy - URL. (Regards to your cert you are using.) I tried ping from Netscaler to the FQDN and it resolved back good.. but still, it first worked after I put in an entry in the Netscaler before it worked....... Hours and hours of finding the error Grrrrrrrr...


4. If you are using more StoreFront servers or load balancing, remove them to keep it simple...


This has nothing to do with the Callback or STA settings..if it hangs on the SetClient Wica.


  • 1 year later...

I had this problem as well. It was caused by the storefront server (ver 3.0) not supporting TLS1.2. We changed to a new certificate which forced a new ssl cipher that the storefront server could not use, so it couldn't connect to the netscaler.


In the end we created a load balancing vserver (as a proxy) and removed TLS1.2 from it. Directed the gateway vserver to it, and the lb vserver to the storefront server.



  • 1 year later...

I'll second the TLS Settings fix. Had used IISCrypto on the StoreFront servers (3.15) to lock it down to TLSv1.2 only. Even though the Virtual Server was configured to use 1.0, 1.1 & 1.2, it wouldn't connect. Relaxed the setting on the web server, and it worked. Unfortunately, the NetScaler is 10.5 (don't ask) and I'm trying not to break it. Fortunately, I'm replacing it as part of this project. :-)
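
An added example, not written by any poster in this thread and not Citrix's own tooling: a PowerShell check to run on the StoreFront server that tries a handshake with the gateway callback FQDN once per TLS version and reports whether the certificate shows a name mismatch or an untrusted chain (checklist items 6, 8 and 9, and the TLS mismatch described in the last two posts). The host name `gateway.example.com`, the function name `Test-TlsHandshake` and its output fields are assumptions made for this example.

```powershell
# Added example. Run it on the StoreFront server; both defaults are placeholders.
param(
    [string]$TargetHost = 'gateway.example.com',  # placeholder: FQDN from the callback URL
    [int]$Port = 443
)

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $script:policyErrors = $null
    $row = [ordered]@{ Protocol = $Protocol; Handshake = 'failed'; CertErrors = ''; Subject = ''; Detail = '' }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Let the handshake finish even with a bad certificate, but record
        # what validation found (name mismatch, untrusted chain, ...).
        $onValidate = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
        # Offer exactly one protocol version; the host name is what the cert is matched against
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $row.Handshake  = 'ok'
        $row.CertErrors = "$script:policyErrors"   # 'None' means name and chain validated
        $row.Subject    = $ssl.RemoteCertificate.Subject
        $ssl.Dispose()
    }
    catch {
        # Typical cause: no protocol or cipher suite in common between the two ends
        $row.Detail = $_.Exception.GetBaseException().Message
    }
    finally {
        $tcp.Close()
    }
    [pscustomobject]$row
}

foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -TargetHost $TargetHost -Port $Port -Protocol $p
}
```

A row with `Handshake = failed` for every version the other end is supposed to accept points at a protocol or cipher mismatch; `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` in `CertErrors` points at the certificate items in the checklist.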
