Gateway Callback and / or XML Communication fails after upgrade to Storefront 2203


Article ID: CTX399424


Description

The issue occurs when customers upgrade from Storefront 1912 to 2203 and had TLS 1.0 disabled prior to upgrading. It does not occur on a clean install, or with TLS 1.0 enabled. In this scenario, customers will encounter a TLS communication issue between Storefront and ADC and/or between Storefront and the Citrix Delivery Controllers.

The following are some of the errors that can be seen in the Event Viewer on the Storefront server:

The AG Web Service at: https://my.gateway.com/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 3/24/2022 2:41:50 AM
Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=3.23.0.0, Culture=neutral, PublicKeyToken=null
A communication error occurred while attempting to contact the Citrix Gateway authentication service at https://my.gateway.com/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The request was aborted: Could not create SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

AND / OR:

An SSL connection could not be established: None of the SSL cipher suites offered  were accepted by the server.. This message was reported from the Citrix XML Service at address https://(storefrontURL)/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

Resolution

The workaround for this issue is to update the targetFramework properties in the web.config files of the store service and authentication service folders, using the following steps:
  1. Browse to the C:\inetpub\wwwroot\Citrix\%store name% folder (or the store service folder on your custom drive) and locate the web.config file.
  2. Locate the line '<httpRuntime targetFramework="4.5" executionTimeout="300" appRequestQueueLimit="100"......' and change the targetFramework value from "4.5" to "4.7".
  3. Locate the line '<compilation debug="false" targetFramework="4.5" />' and change the targetFramework value from "4.5" to "4.7".
  4. Browse to the C:\inetpub\wwwroot\Citrix\%store name%Auth folder (or the authentication service folder on your custom drive), locate the web.config file, and repeat steps 2 and 3 for this file as well.
  5. Repeat steps 1 through 4 for every existing Store / Authentication service.
  6. Propagate the changes to the other servers in the same Storefront group.
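
The edits in steps 1 through 4 can be scripted so that every store and its Auth folder receive the same change. The PowerShell below is an added example, not part of the original article and not a Citrix tool; the parameter names (-StoreName, -CitrixRoot, -Apply) are assumptions of this example, and without -Apply it only reports what it would change.

```powershell
# Added example (not Citrix code): applies steps 1-4 of the workaround to the
# web.config of each named store and of its "<store>Auth" folder.
param(
    [Parameter(Mandatory)] [string[]] $StoreName,        # store folder names (supplied by you)
    [string] $CitrixRoot = 'C:\inetpub\wwwroot\Citrix',  # default location given in the article
    [switch] $Apply                                      # omit to run in report-only mode
)

# Match only the two elements named in the article, and only where the value is 4.5.
# local-name() keeps the query working if the file declares a default XML namespace.
$xpath = "//*[(local-name()='httpRuntime' or local-name()='compilation') " +
         "and @targetFramework='4.5']"

foreach ($name in $StoreName) {
    foreach ($folder in @($name, "${name}Auth")) {
        $path = Join-Path (Join-Path $CitrixRoot $folder) 'web.config'
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not found: ${path}"
            continue
        }
        # Absolute path, so that XmlDocument.Save writes to the file that was loaded.
        $path = (Resolve-Path -LiteralPath $path).Path

        $xml = New-Object System.Xml.XmlDocument
        $xml.PreserveWhitespace = $true      # leave the rest of the file's layout untouched
        $xml.Load($path)

        $nodes = $xml.SelectNodes($xpath)
        if ($nodes.Count -eq 0) {
            Write-Output "No change needed: ${path}"
            continue
        }

        foreach ($node in $nodes) {
            Write-Output "${path}: <$($node.LocalName)> targetFramework 4.5 -> 4.7"
            $node.SetAttribute('targetFramework', '4.7')
        }

        if ($Apply) {
            # Keep a rollback copy next to the original before writing the change.
            Copy-Item -LiteralPath $path -Destination "${path}.bak" -Force
            $xml.Save($path)
        }
    }
}
```

Passing every store name to -StoreName covers step 5; step 6 (propagating the changes to the other servers in the group) still has to be carried out afterwards.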

We have released a hotfix for this issue. You can download it from here.

 

Problem Cause

The issue occurs when customers upgrade from Storefront 1912 to 2203 and had TLS 1.0 disabled prior to upgrading. It does not occur on a clean install, or with TLS 1.0 enabled.