While replacing Citrix StoreFront (2203 CU5 LTSR) servers running Microsoft Windows Server 2019 with servers running Windows Server 2022, we encountered an error during login attempts to Citrix StoreFront. Users were shown the message: “Cannot complete your request.”
We were running a GSLB setup with a multi-server group (across sites), each containing several Citrix StoreFront servers (2203 CU5 LTSR). As described in “Virtual Apps and Desktops – 1912/2203 – Citrix Infrastructure / OS Upgrade” (CTX278869), we exported the configuration from an old StoreFront server running Server 2019 and imported it onto the newly created StoreFront servers running Server 2022. All servers were deployed in the same OU, received the same GPOs/settings, and apart from the different operating systems, all settings were pretty much identical.
Common Resolutions to “Cannot Complete Your Request” when connecting directly to StoreFront Server (CTX207162)
One of the first things we checked was the “Citrix Delivery Services” log in the Event Viewer, where we indeed found error messages.
EventID 17: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
URL: https://127.0.0.1/Citrix/StoreName/discovery
ExceptionStatus: TrustFailure
While researching the event, we came across multiple articles suggesting that changing the loopback mode to “OnUsingHttp” could resolve the error. This setting can be modified by navigating to Store > Manage Receiver for Web > Configure > Advanced Settings and changing the loopback mode to OnUsingHttp.
Although this would likely solve the issue, we only have HTTPS bindings within the IIS server and do not want to run with HTTP. So, the question remains: why was the HTTPS configuration working on the old 2019 servers, but not on the 2022 servers?
We enabled the CAPI2 event log, which made it clear that we were experiencing SSL trust issues. “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.”
Here is where it started to get confusing: the certificate store contained all the required root and intermediate certificates. Additionally, opening the URLs in Edge did not report any certificate issues; everything appeared to be in order.
Eventually, we came across a Microsoft article titled “Valid root CA certificates distributed using GPO might intermittently appear as untrusted”, which briefly stated: “Untrusted root CA certificate problems might occur if the root CA certificate is distributed using the following Group Policy (GP).” This sounded familiar because we were distributing our root and intermediate certificates via a GPO.
We disabled the GPO used to deploy the CA and manually added all the required certificate authorities to the newly created Citrix StoreFront server running Server 2022. After rebooting the system, we attempted to log in to Citrix StoreFront several times while monitoring the Event Viewer. It quickly became clear that this approach resolved our issues. Without the GPO in place, everything worked flawlessly again.
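To reproduce the check behind EventID 17 on the StoreFront server itself and, at the same time, see whether each CA in the chain was delivered by Group Policy or added to the machine store directly, the following PowerShell script can be run on the server. It is an added example, not from the original post or from Citrix; the discovery URL and store name are assumptions taken from the event above.

```powershell
# Added example (not from the original post). Run on the StoreFront server itself.
# Fetches the certificate presented on the loopback binding, asks CryptoAPI to build
# its chain (the step that produced "TrustFailure"), then shows for every chain element
# whether it lives in the machine's own store or only in the Group Policy store.
param([string]$Url = 'https://127.0.0.1/Citrix/StoreName/discovery')  # assumption: URL from the event

$uri    = [Uri]$Url
$client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
# Accept any certificate during the handshake; trust is evaluated separately below
# so that the chain can be inspected instead of the connection simply failing.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation was not the failure in this case (untrusted root), so leave it out of the check.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

"Server certificate : $($cert.Subject)"
"Chain trusted      : $trusted"
foreach ($s in $chain.ChainStatus) { "Chain status       : $($s.Status) - $($s.StatusInformation.Trim())" }

# Origin of each chain element: a certificate found only under the Policies key was
# delivered by GPO; one under the Microsoft key was added to the machine store directly
# (MMC, Import-Certificate, certutil). Both Root and intermediate (CA) stores are checked.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
$localRoot  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
foreach ($el in $chain.ChainElements) {
    $tp    = $el.Certificate.Thumbprint
    $where = foreach ($store in 'Root', 'CA') {
        if (Test-Path "$policyRoot\$store\Certificates\$tp") { "GPO:$store" }
        if (Test-Path "$localRoot\$store\Certificates\$tp")  { "Local:$store" }
    }
    if (-not $where) { $where = @('not in machine Root/CA stores') }
    "  {0,-60} {1}" -f $el.Certificate.Subject, ($where -join ', ')
}
```

Chain building depends on the stores visible to the calling account, so running the script under the same account as the StoreFront services gives the most faithful view of what they see.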
So before taking the shortcut and changing the Loopback mode from On to OnUsingHttp, it’s probably a better idea to look into the certificate authority deployment method first 🙂