After IT Administrators enable the ‘requireTokenConsistency’ parameter to ‘true’ on StoreFront’s ‘store’ configuration file (C:\inetpub\wwwroot\Citrix\<StoreName>\Web.config) users might not be able to access the resources.

This feature is used to allow SmartAccess conditions to be passed from StoreFront server to the XML servers for either XenApp or XenDesktop farms. Users login through Access Gateway to the Receiver for Web site, might receive the following error message:

“Your logon has expired. Please log on again to continue.”

The error might also be seen when the users try to subscribe to an application from the application catalog (under All Apps).

Checking the Citrix StoreFront server Event Viewer > Citrix Delivery Services, the following error message can be observed:

Log Name: Citrix Delivery Services
Source:WebApplication
Date:9/13/2012 12:49:58 PM
Event ID:23
Task Category: (2001)
Level:Warning
Keywords:Classic
User:N/A
Computer:example.amc.ctx

Description: Gateway data from the request and the authentication token are not matching. Request was made to store <StoreName>

Request data:
Remote Address:
X-Citrix-Via:
X-Citrix-Gateway:
X-Forwarded-For:
Token data:
Remote Address:
X-Citrix-Via: ag5.user.ctx
X-Citrix-Gateway:
X-Forwarded-For: 10.10.10.10
Gateway configuration:
System.String[]

In addition, the issue might be seen on Access Gateway 5.0.4 (Access Controller mode), 9.3 or 10.x connecting to a Citrix StoreFront 1.2 version.

Note: The issue has not been witnessed when Citrix Receiver is used to connect to a ‘store’.

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

There is a limited release fix available at CTX138462 - Receiver Storefront 1.2 Update 2 for Web Receiver Add-in

---

Problem Cause

This is because of Receiver for the Web component not sending the appropriate Gateway HTTP headers in all of its requests to the StoreFront Services component. Example:

Non-working scenario

Request data:
  Remote Address:
  X-Citrix-Via:
  X-Citrix-Gateway:
  X-Forwarded-For:

Working scenario

Request data:
Remote Address:
X-Citrix-Via: ag5.user.ctx
X-Citrix-Gateway:
X-Forwarded-For: 10.10.10.10

This article describes the current known issue with StoreFront 1.2 and enabling SmartAccess through the requireTokenConsistency parameter.

CTX204766 - Error: "Your logon has expired. Please log on again to continue" When Accessing StoreFront Through NetScaler Gateway