When a client connects to Citrix StoreFront using a browser, they must authenticate using Progress Kemp ESP front-end authentication. This is handled in the StoreFront Browser Auth ESP Virtual Service.

Begin by navigating to Certificates & Security > LDAP Configuration in the LoadMaster UI. Create a new LDAP endpoint by typing a valid name and clicking Add. No special characters or spaces are allowed. Ensure to note the name of the LDAP endpoint because this is required in the next step. Specify the parameters for the LDAP endpoint. For further details on how to configure an LDAP endpoint, refer to the following Knowledge Base article: How to configure an LDAP endpoint.

After configuring the LDAP endpoint, go to Virtual Services > Manage SSO and add a new client-side configuration with an appropriate name.

Then, select the LDAP Endpoint as configured previously and the Domain/Realm as per your Domain Controller settings.

Note: Idle timeout only functions correctly on Virtual Apps & Desktops 7 StoreFront 1912 LTS or later. Idle timeout should be set to a value greater than your Citrix StoreFront where default is 20 minutes. For example, in the screenshot above the idle timeout is set to 1800 seconds (30 minutes). When the idle timeout expires on StoreFront, it sends a logoff string which the LoadMaster will detect and clear the session.

If you are unable to upgrade to StoreFront 1912 set the idle timeout to a full working day on both the LoadMaster and "Sessionstate" on your StoreFront servers (refer to the Appendix for further details on this) otherwise clients must refresh their browser to re-authenticate before launching an application.