StoreFront,NetScaler Gateway
Access Gateway 10,StoreFront 2_1,StoreFront 2_0,StoreFront 1_2
Configuration,Connectivity,Third Party
This article describes the possible solutions for StoreFront error: "Cannot complete your request.".

Symptoms or Error

When accessing a store website on StoreFront, the following error message is displayed:
"Cannot complete your request. You can log on and try again, or contact your help desk for assistance."

User-added image


Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance.

Note: The first troubleshooting step should be to review?? the messages in the Event Viewer of StoreFront, and the local computer account running the Receiver which displays "Cannot complete your request". The errors in the Event Viewer logs?? will provide you guidance?? on where to start investigating the behavior in the sections listed in?? this article.

The article is divided into the following sections:


  1. Verify if the StoreFront server can resolve the StoreFront FQDN by pinging the FQDN from the command prompt.

User-added image

Configure the StoreFront Service to point to itself in a load balanced environment. For additional information, refer to Citrix Documentation - Load balancing with NetScaler.

In a single-server deployment, the Server Base URL must resolve to the StoreFront’s server local IP address.

  1. Verify if the StoreFront IIS server is bound?? to 443 and is configured with a certificate?? corresponding to the FQDN.

  2. Verify if the common name of the certificate binding in IIS matches the StoreFront's base URL. If the certificate does not match, issue a new certificate to reflect the StoreFront URL or change the StoreFront URL to match the certificate. After performing the adjustments, run iisreset.

  3. If accessing the server externally, validate the callback URL is configured correctly on the StoreFront Server. The behavior can occur?? when the callback URL resolves to the wrong IP or the entered NetScaler Gateway FQDN does not match the certificate on the NetScaler Gateway.

  4. Verify that?? the server certificate?? and any intermediate certificate are?? installed on NetScaler Gateway and StoreFront server.

  5. If the same FQDN is used on both the NetScaler Gateway and StoreFront, refer to?? Citrix Documentation - Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally.

  6. Verify if a third party tool has made changes to IIS on StoreFront server, such as Windows Updates. Within a specific situation, the error appeared on IIS after a Windows Update:
    "Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN:276)"

In this example, the resolution was?? to uninstall and reinstall the certificate on the IIS server.

  1. Verify if any legacy sites were upgraded to the latest version of StoreFront.?? In this example,?? an entry was found in the web.config file under?? "C:\inetpub\wwwroot\Citrix\Authentication"?? for the "component id="pnaAuthenticationStartupModule". Backup the web.config file and remove?? the entry.


  1. Verify if the "User name and password" authentication method is enabled on the StoreFront server.

User-added image

  1. Verify if the Base URL is configured with an FQDN “example.com” instead of NetBIOS “example”.

User-added image

  1. Verify if the?? Citrix Default Domain Services?? Windows Service?? is running. By default, the startup type will be set to Automatic (Delayed Start). Confirm the service is running after the StoreFront server reboots. ??

  2. Verify if users do not have different names in Active Directory. For?? example,?? the user principal name (UPN)?? name1@domain does not match the pre-Windows 2000 naming?? convention "down-level logon"?? domain\ABCname1.
    Adjust the down-level logon to?? match the UPN. For the example, the down-level logon would show in the user profile as?? domain\name1
    . For additional information, refer to?? User Name Formats.

NetScaler Gateway Authentication

  1. Verify if the Single Sign-on?? (SSO) Domain is configured correctly on the NetScaler Gateway.

  2. Verify if there is an SSO domain mismatch on NetScaler Gateway and StoreFront.

  3. NetScaler Gateway SSO might not be passing the correct information due to incorrect configuration. Verify that the following attributes are configured:
    Server Logon Name Attribute: samAccountName
    Group Attribute: MemberOf
    Sub Attribute Name: CN
    SSO Name Attribute: samAccountName
    Security Type: PlainText

Note:?? When LDAP is configured as userPrincipalName, confirm that the SSO Name Attribute field shows the value sAMAccountName when using StoreFront with NetScaler or NetScaler Gateway. Refer to Citrix Documentation - User authentication for more information.

  1. Verify the "No Rewrite Clientless" policy on the NetScaler Gateway is configured to use the expression TRUE.

User-added image

  1. In the event log on StoreFront server, the following error is displayed: "CitrixAGBasic single sign-on failed because the credentials failed verification with reason FailedPasswordComplexity".
    In this example, a?? network trace on NetScaler shows the following:

User-added image

Inside the POST, the credentials are shown.

User-added image

A blank password field causes the failure. For client certificate to successfully log on to NetScaler Gateway two?? factor authentication,?? LDAP should be set as the primary. Also, LDAP is required to be set to the primary in the session policy credential index.
  1. For domain users in a multi-domain environment, add the SSO Name Attribute field as UserPrincipalName under LDAP configuration and uncheck the Single Sign-on Domain for the authentication.

User-added image

User-added image

Load Balancer??

  1. Verify the configuration for?? Method and Persistence in the Load Balancer Virtual Server section within the NetScaler:
    Set LoadBalancing Method?? to LEASTCONNECTION
    Set Persistence to COOKIEINSERT

For additional information, refer to the Citrix Documentation - Load balancing with NetScaler.

  1. Verify if the Load Balancer can resolve the base URL of StoreFront when one of the StoreFront Server is taken offline.

  2. If XML servers are load balanced, ensure that X-FORWARDED-FOR is configured for XML LoadBalanced vip.


  1. Verify if?? antivirus firewall is installed on the StoreFront server. Disable antivirus firewall and test the connection. Exclude the StoreFront ports within the antivirus firewall. Refer to CTX101810 - Communication Ports Used by Citrix Technologies for the list of StoreFront ports.

  2. If McAfee Enterprise antivirus protection is enabled on the StoreFront server, random user will see the error message "Cannot complete your request".?? Typically, the first user account will always?? see this error. Add the IIS process W3WP.exe to McAfee exclusion list and restart the server.

Refer to the following links for more information:

  1. Verify if NetScaler is using Application Firewall. Test the configuration by disabling the Application Firewall.?? If successful re-enable the Application Firewall in learning mode,?? it can Learn and Allow the necessary StoreFront traffic.

  2. If a proxy server is configured on the network, verify that the URL?? for proxy is set correctly within the browser LAN settings for Use automatic configuration script setting.

User-added image


  1. Verify the Credential Wallet service is not started or in hung state.

User-added image

Ensure that the Citrix Credential Wallet Service is set for a Delayed Start and started on the StoreFront server.?? Restart the Citrix Credential Wallet Service.

  1. The Credential Wallet component of StoreFront can prevent users from storing securely used password. When the password cannot be stored using the Credential Wallet, the authentication process cannot complete. Restart the Credential Wallet service on the affected server to restore the functionality. In certain situation, the behavior can reoccur. To permanently resolve the issue, Citrix recommends upgrading to the latest StoreFront.

  2. Citrix recommends allowing at least an additional 2 GB of RAM dedicated to StoreFront. The memory allocated to StoreFront will be above the requirements for the operating system and applications installed on the server. Refer to Citrix Blog - StoreFront Scalability Update for additional information.

  3. Verify if the Event Viewer has the following error:

     Event ID 7: Unhandled exception thrown for route "ExplicitFormsAuthentication/AuthenticateStart" System.Configuration.ConfigurationErrorsException, System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a The Forms Template Engine could not be found in the service locator.    at Citrix.DeliveryServices.Authentication.Explicit.FormsCommon.Conversations.ExplicitConversationEngine.CreateConversationState(RequestToken requestToken, ITokenService tokenIssuingService)    at Citrix.DeliveryServices.Authentication.FormsProtocol.Conversations.ConversationEngine.StartConversation(RequestToken requestToken, ITokenService tokenIssuingService)

Update the system environment variable directory to C:\Temp instead of D:\Temp.

  1. It has been reported that using Microsoft "NLB" type load balancing with unicast mode might trigger this issue. Switching to multicast mode helps resolve this issue.
  2. Delete the subnet IP address from StoreFront NetScaler Gateway configuration when internally browsing StoreFront site.

    User-added image


Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Applicable Products


Join the conversation

Citrix Discussions

Open a case

Citrix Support