The following error is displayed when connecting to StoreFront:
Cannot Complete Your Request

New Experience

Classic Experience

Where to Start Troubleshooting

In order to identify what steps need to be followed when troubleshooting the error, you will have to identify where the issue is occurring by performing the following 3 tests:

1. Do you get the error when connecting directly to the StoreFront server?  If yes, start troubleshooting from step 1.

Perform this test by adding the StoreFront base URL and the StoreFront server local IP address to the Hosts file of the internal machine you will be testing with. For more information about editing the Hosts file refer to the following article - How to use a Hosts file to test a site that uses host headers on an Intranet.

2. Do you get the error connecting through a load balancer? If yes, start troubleshooting from step 13.  

From the testing machine open the command prompt and ping the StoreFront base URL FQDN. The FQDN should resolve to the IP address of your load balancer. If it does not then verify your DNS settings or the Hosts file on the local machine.

3. Do you get the error only when connecting through your NetScaler Gateway? If yes, start troubleshooting from step 19.

From the testing machine open the command prompt and ping the NetScaler Gateway FQDN. The FQDN should resolve to the IP address of your NetScaler Gateway. If it does not then verify your DNS settings or the Hosts file on the local machine.

Troubleshooting Steps

Troubleshooting the Storefront Server Connection

1. Ensure that Windows Server is and IIS is patched to the latest version.

2. Upgrade to the latest version of the StoreFront.

3. If you get this error after upgrading the StoreFront then navigate to IIS > Default Site > SomenameWeb > Default Files > delete and then recreate the default.html file manually. The upgrade process occasionally corrupts the IIS default.html file.

4. You can also collect the Event Viewer logs by navigating to Event Viewer > Applications and Services Logs > Citrix Delivery Services to identify the root cause of the issue.

5. If you are using StoreFront loopback feature the ensure that it is configured accurately. Refer to CTX224790 - StoreFront Loopback Feature.

6. On the StoreFront server open the StoreFront MMC > Server Group > Base URL and confirm that the StoreFront base URL has a full FQDN and not a Host name or IP address. To change the base URL refer to Citrix Documentation - Configure server groups

7. Open the Command Prompt on the StoreFront server and ping the StoreFront base URL. The base URL should resolve to the StoreFront server local IP address. Add an entry to the Hosts file on the StoreFront server to make sure that the base URL resolves to itself.
   Note: StoreFront 3.x has the loopback feature, for configuration guidance refer to Citrix Blog - What’s New in StoreFront 3.0.

8. Open the IIS console on the StoreFront server click the server > Server Certificates > double-click the certificate that you are using for StoreFront.

   Make sure that the certificate on the StoreFront server is not expired.

   Make sure the "Certificate Issued To" name matches the StoreFront base URL.The certificate should also contain a private key. If using a SAN certificate, make sure the StoreFront Base URL is listed under the subject alternative names. Wildcard certificates are also supported.
   View the Certification Path tab on the certificate and confirm that all the Intermediate and Root certificates are properly installed in order to complete an SSL Handshake. For more information regarding certificates see article - Server Certificates.
   Open the IIS console on the StoreFront server and go to Sites > Default Web Site > Bindings. Make sure there is a binding for HTTPS over port 443 with a certificate that matches the StoreFront Base URL assigned to it. Leave the host name field empty. For more information regarding adding a binding refer to article - SSL Bindings
   On the IIS console go to Application Pools and confirm that Citrix Delivery Services Authentication app pool is configured to use .NET CLR Version 4.0. If the app pool is not using .NET 4.0, refer to Microsoft article - Specify a .NET Framework Version for an Application Pool (IIS 7) and restart the Citrix Credential Wallet Service using the following procedure:
   Open Services.msc console on the StoreFront server.
   Search for the service Citrix Credential Wallet Service > right-click > Restart.
   Open the StoreFront MMC > Authentication and make sure user name and password is enabled. To enable it click Add/Remove Methods > check the User Name and Password box > click OK.
   On the StoreFront MMC, click Receiver For Web > Choose Authentication Methods and make sure that User Name and Password is also enabled. To enable it, check the User Name and Password box and click OK.
   On the StoreFront server open the Services console and confirm the following:

• Verify if the Citrix Default Domain Services Windows Service is running. By default, the startup type will be set to Automatic (Delayed Start). Confirm the service is running after the StoreFront server reboots.
• Verify if the Citrix Credential Wallet Service is running. By default, the startup type will be set to Automatic (Delayed Start). Confirm the service is running after the StoreFront server reboots.
• Verify if the Citrix Peer Resolution service is running. By default, the startup type will be set to Automatic (Delayed Start). Confirm the service is running after the StoreFront server reboots.

9. Telnet from the StoreFront server to the domain controller over ports 88 and 389 to confirm they are open. For more information refer to article CTX101810 - Communication Ports Used by Citrix Technologies

10. In Active Directory confirm the User Logon Name matches the User Logon Name (pre-Windows 2000). For more information refer to article - User Name Formats.

11. Verify if antivirus firewall is installed on the StoreFront server. Disable the antivirus firewall and test the connection. Exclude the StoreFront ports within the antivirus firewall. For more information refer to the following links:

• CTX101810 - Communication Ports Used by Citrix Technologies
• On-Access scan appears to cause IIS application pools to recycle?
• Performance issues with specific applications after installing VirusScan Enterprise 8.8 Patch 4

12. Confirm that you are not using a proxy when testing the connection to StoreFront. If you are receiving the error when the proxy is in place refer to the proxy configuration.

13.  Is there an error in the Event Viewer for "An unexpected error occurred storing the credentials" (Event ID 8) or "An error occurred during authentication" (Event ID 3)?

    If so, run the following PowerShell command:
    cd 'C:\Program Files\Citrix\Receiver StoreFront\Scripts'
    $certlist = @(Get-DSCertificate)[0] | where { $_.Subject -Match "Credential Wallet Replication Identity" }
    foreach ( $cert in $certlist ) { Add-DSCertificateKeyReadAccess $cert "NT Service\CitrixCredentialWallet" }

    And then restart the Citrix Credential Wallet Service.

14. If any timeout settings have been modified manually through the web.config file located under C:\inetpub\wwwroot\Citrix\Authentication\web.config then make sure the SessionState timeout field is set to the default value of 5.
    For example - <sessionState mode="InProc" cookieName="Citrix_AuthSvc" timeout="5" />

15. If you experience the error after publishing a new application or customizing an application’s icon, check the event viewer on the StoreFront server and look for the following errors:

    Event 1 =  There was an error during a resources List request. System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

    The remote server returned an error: (500) Internal Server Error.

    Event 7 = Unhandled exception thrown for route "DazzleResources/List" System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

    The workaround is to go to Studio > Delivery Groups > Applications > view the properties of the application recently added > Delivery > Application Icon > Change and choose from any of the Citrix default icons.

16. If this error occurs after an upgrade, then go to IIS > Default Site > StorenameWeb > Default Files > delete default.html and recreate default.html file manually.

17. Disable self-recycling for the following application pools:
    Citrix delivery services authentication
    Citrix delivery services resources
    Citrix receiver for web

18. Remove any special character in delivery group names.

19. If you only get the error when accessing the server for first time after an idle time or running an antivirus scan then disable the File Change Notification feature on the IIS server where StoreFront is running.

    For .NET 4.0 and Lower
    Find app bitness from appPool advance settings.

    64 bit: To enable this hotfix, you must add the following DWORD value of 1 at the following registry key:
    HKLM\Software\Microsoft\ASP.NET\FCNMode

    32 bit: If you are running a 32-bit process on an x64-based system, add the following DWORD value of 1 at the following registry key:
    HKLM\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\FCNMode

     For .NET 4.5 and Higher

    Starting with the Microsoft .NET Framework 4.5 and later versions, FCNMode can be configured by using the httpRuntime settings as follows:
    <httpRuntime fcnMode="Disabled"/>

    For more information refer to the following blogs:
    ASP.NET File Change Notifications, exactly which files and directories are monitored?
    ASP.NET Performance issue: Large number of application restarts due to virus scanning

Troubleshooting the Load Balancer

1. If you are load balancing StoreFront, then Open the command prompt from the testing machine and ping StoreFront base URL FQDN to confirm if it is resolving to the load balancing IP address.

2. Verify if FQDN of STA server is resolvable. If not, change the STA server FQDN to IP address on StoreFront and NetScaler. For more information refer to Citrix Documentation - Configuring the Secure Ticket Authority on NetScaler Gateway.

3. Refer to CTX128655 - How to Record Network Packet Trace on NetScaler Appliance to capture trace to identify the root cause of this issue.

4. Open a browser on the testing machine and go to the StoreFront base URL to confirm the correct certificate is bound to the load balancing VIP.

5. Confirm that the certificate bound to the load balancer is properly linked to the root and intermediate on NetScaler. For more information refer to article CTX128539 - How to Link an Intermediate Certificate to the Server Certificate on NetScaler/NetScaler Gateway.

6. On the NetScaler load balancing VIP confirm that the Persistence is set to SOURCEIP and the Method is set to LEASTCONNECTION. For more information see refer to Citrix Documentation - About Persistence

7. View the Services bound to the load balancing VIP and go to Settings > Header to confirm X-Forwarded-For is specified. To add it, edit the load balancer Service settings > Settings > Check Client IP > Add X-Forwarded-For to the Header textbox.

8. Confirm TLS 1.0 is enabled under the SSL Parameters on the load balancing VIP and load balancing services. StoreFront 3.0.1 and prior versions do not support TLS 1.1 and TLS 1.2.

9. On NetScaler go to under System > Settings > Configure Basic Features > Integrated caching and confirm that it is disabled.

10. If using Microsoft NLB as a load balancer; it has been reported that using Microsoft "NLB" type load balancing with unicast mode might trigger this issue. Switching to multicast mode helps resolve this issue.

11. Ensure that all backend server are healthy.

Troubleshooting NetScaler Gateway

1. Open the StoreFront MMC > NetScaler Gateway > Select the Gateway you configured > Change General Settings > NetScaler Gateway URL and confirm external users are using the same URL for external access on the browser and Citrix Receiver.

2. Verify if there is Same STA Servers on NetScaler Gateway Virtual Server as well as on the StoreFront Servers

3. Ensure that call back URL is configure accurately as defined in the preceding points:

   The callback URL must resolve to any NetScaler Gateway VIP on the same appliance that authenticated the user.
   The Callback URL must have a trusted and valid (not expired) certificate.
   The callback URL must be same as the FQDN to which the certificate is issued.
   The Callback URL must not have client certificates set to Mandatory.

4. On the StoreFront server open the Command Prompt > Ping NetScaler Gateway FQDN and confirm it resolves to the correct gateway IP address.

5. On the StoreFront server open a browser and navigate to the NetScaler Gateway URL to confirm there are no certificate errors. For more information refer to article CTX128539 - How to Link an Intermediate Certificate to the Server Certificate on NetScaler/NetScaler Gateway.

6. Open the StoreFront MMC and go to NetScaler Gateway > select the gateway you are configuring > Change General Settings > Subnet IP address and remove it. The subnet IP address is only needed if you are using a NetScaler 9.x firmware or under certain use cases concerning GSLB as mentioned here. Specifying the VIP of a NetScaler Gateway (not SNIP) may be required if the StoreFront implementation supports multiple NetScaler Gateways with the same URL (such as the same URL being used internally and externally, but resolving to different NetScaler Gateways) along with unique callback URLs. That being said, only certain use cases and the use of NetScaler 9.x firmware necessitate populating the Subnet IP address field which should otherwise be left blank.

7. On the same Change General Settings window from step 22, confirm the Logon Type is set to Domain if using LDAP authentication on the NetScaler Gateway. For more information refer to Citrix Documentation - Configure NetScaler Gateway connection settings.

8. On the same Change General Settings window from step 22, confirm the Callback URL FQDN listed resolves to the NetScaler Gateway VIP by using the ping command on the Command Prompt from the StoreFront server. Once you verify it resolves to the correct gateway IP address, open a browser on the StoreFront server and navigate to it and confirm there are no certificate errors.

9. On the NetScaler Gateway VIP go to Authentication > LDAP Policy > Edit Server and confirm the following settings:

   For more information refer to - User authentication and CTX114999 - Troubleshooting Authentication Issues Through NetScaler or NetScaler Gateway

   1. Server Logon Name Attribute: sAMAccountName
   2. Group Attribute: MemberOf
   3. Sub Attribute Name: CN
   4. Security Type: PlainText
   5. Keep SSO Name attribute: blank (sometimes having some attributes set as SSO name attribute cause SSO failure if not a multi domain environment)

10. Go to the Session Policy bound to the NetScaler Gateway VIP > Edit Profile > Client Experience > Single Sign-on to Web Applications and confirm that it is checked. Then go to the Published Applications tab > Single Sign-on Domain and confirm the correct domain is specified.
    Note: For domain users in a multi-domain environment, add the SSO Name Attribute field as UserPrincipalName under LDAP Policy configuration and uncheck the Single Sign-on Domain for the authentication on the session profile.

11. If you received this error during implementation of ADFS, Azure and FAS then consider the following - SAML authentication does not use a password and only uses the user name. Also, SAML authentication only informs users when authentication succeeds. If SAML authentication fails, users are not notified. Since a failure response is not sent, SAML has to be either the last policy in the cascade or the only policy.

    So when you configure SAML authentication along with LDAP authentication on NetScaler, use the following guidelines - if SAML is the primary authentication type, then disable authentication in the LDAP policy and configure it for group extraction. Now, bind the LDAP policy as the secondary authentication type.

12. Check the NetScaler Gateway VIP > SSL Parameters > TLSv1 and confirm that it is enabled. Make sure the Callback VIP has TLS 1.0 enabled. The following is the support matrix for your reference:

    1. StoreFront 3.0.0 and earlier supports SSLv3 and TLS 1.0
    2. StoreFront 3.0.1 and later supports TLS 1.0 and 1.1
    3. StoreFront 3.5 and later supports TLS 1.0, 1.1 and 1.2

13. On the NetScaler Gateway VIP verify the "No Rewrite Clientless" policy on the NetScaler Gateway VIP is configured to use the expression TRUE.

14. On the NetScaler go to Security > Application Firewall and confirm the feature is disabled. If it is enabled bypass the policies during testing. If successful re-enable the Application Firewall in learning mode,so it can Learn and Allow the necessary StoreFront traffic. For more information refer to article CTX117003 - How to Configure Learning Parameters on the Application Firewall.

15. When a single FQDN configuration is used then refer to the following Citrix Documentation to verify if any step is skipped or misconfigured - Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally. You can potentially get the cannot complete request error.

16. If you were configuring Optimal Gateway for launching applications, make sure the configuration on the web.config file has a proper closing HTML tag. For more information regarding Optimal Gateway configuration then refer to Citrix Documentation - Configure optimal NetScaler Gateway routing for a store.

17. Verify if all the required network is reachable from NetScaler Gateway. Routing table should also look complete. 

18.  Verify for the presence of customized theme under VPN Parameters or VPN Virtual Server. Verify if there is Login Page specific customization on the Customized portal Them and remove the Page specific customization from the Customized portal Theme. Defining the username and password field clashes with the login schemas which are also used to define the layout of the fields on the page.

19. Examine the logs on NetScaler Gateway to verify if it is blocking any cookies, in case expression for cookie header is used in the session policy.

20. If the issue occurs specially after an HA failover of NetScaler Gateway, then verify the time on both the nodes. The time on nodes should be in sync. Examine the ntpd process and sync the time if the nodes are not in sync.