NOTE: Updated information about XenMobile & HDX Apps can be found here: /blogs/2015/03/03/mobility-experts-configuring-certificateldap-based-authentication/

Need for Additional configuration to enable HDX Apps with Certificate Based Authentication

Additional configuration is needed to give users a unified experience on a mobile device when XenMobile MDX apps are used together with XenMobile StoreFront HDX apps in certificate-based authentication mode, because as of today Citrix Receiver does not support client-certificate-based authentication. Enabling the unified experience from a web browser requires a different approach, which is not covered here.


  1. An environment where XenMobile certificate-based authentication is up and running. The VServer on which certificate-based authentication is configured is referred to as the first VServer.
  2. The first VServer must be modified by adding an LDAP authentication policy with the same priority as the certificate authentication policy.
  3. You need an additional NetScaler Gateway VServer in NetScaler; this VServer will use a custom port (in this case I will be using 8081).
  4. NetScaler should be able to reach the StoreFront server.
Configuration Steps in NetScaler:
Modification in First NetScaler Gateway VServer
  • Modify the first NetScaler Gateway VServer by cascading the LDAP Auth policy with the same priority as the Cert Auth policy. Also make sure the Server Login Attribute Name is set to userPrincipalName.
Creation of Second NetScaler Gateway VServer
  • Create a secondary NetScaler Gateway VServer using the wizard that is provided in NetScaler Gateway.
  • Provide the Name, the IP address (for now use a free IP address; it will be changed to the primary VServer IP later) and the port as 8081, and click Continue.
  • Choose the appropriate certificate and click Continue.
  • Choose the appropriate LDAP server policy and click Continue.
  • Provide the AppController FQDN and click Done.
  • Once you have created the VServer on port 8081, modify its IP address to match the VServer on which client certificate-based authentication is enabled.
  • Modify your OS Session policy to match your Single Sign On domain.
  • Click Published Applications and add all the STA servers that you are using. Activate all and click OK. Go back into Published Applications and verify that all servers show as “Up”.
  • Click Authentication and unbind the authentication policies. The Enable Authentication option should remain checked.
Configuration Steps in AppController:
  • In AppController, go to Apps & Docs, and then Windows Apps. Enter your StoreFront server information and click Save.
Note: Make sure you have the password caching and Worx PIN options set to True in AppC Control Point Support Options.
Configuration Steps in StoreFront Server:
  • Go to NetScaler Gateway in Citrix StoreFront. Append the port 8081 to the NetScaler Gateway URL and the Callback URL, and click OK.
End User Experience:
  • Log in to Worx Store to view the enumerated AppC and StoreFront apps.
  • Tap on the StoreFront apps to launch them. (Note: You need to have Citrix Receiver installed on the mobile device to launch the HDX apps.)