Configuring Citrix Receiver email based discovery

Rather than users needing to know your StoreFront or NetScaler Gateway URLs you can provide them with the option to configure Citrix Receiver using their email address. This can work for both outside and inside the corporate LAN either connection directly to StoreFront when inside the corporate network or through NetScaler Gateway when outside.

I like this method of delivery especially for users connecting through NetScaler Gateway because Internet Explorer, Microsoft Edge, Firefox etc. can often be the point of failure when users try and launch an Citrix session often because the browser may need extra configuration such as the NetScaler Gateway URL being added to the Trusted Sites Zone or the Receiver add-on needing set to “Always Activate” on Firefox.

Internal Configuration:

We basically need two things to get this working internally:

  • An SRV record within DNS.
  • An internal certificate for StoreFront with a subject alternative name.

Firstly open DNS and create the SRV record. Right-click your primary domain zone and click Other New Records…Choose Service Location (SRV) and click Create Record. Enter the following:

  • Service = _citrixreceiver
  • Protocol = _tcp
  • Port number = 443
  • Host offering this service = StoreFront server FQDN or load balanced address.

Click OK.

Next you need to issue a certificate to your StoreFront servers that has a alternative name of If you don’t users will receive a prompt such as below when configuring Citrix Receiver with their email address.The subject or common name should be the FQDN of your StoreFront server, or load balanced address. You should have Subject Alternative Names for the StoreFront/load balanced FQDN and Now when adding an account, enter your corporate email address. If successful you’ll be prompted for a username and password, then your resources should enumerate. External Configuration

We basically need two things to get this working externally:

  • An SRV record configured on your external domain DNS.
  • An external certificate for NetScaler Gateway with a subject alternative name. You bind this certificate to your NetScaler Gateway Virtual Server.

No other configuration is required on NetScaler v11.1. There was a requirement to configure an Account Services Address and enable clientless access etc. on older versions of NetScaler. If you are running older versions and cannot get email based discovery to work refer to

Leave a Reply