Another thing we've learned at work.

We have a couple of environments at work where we're in the first stages of testing an upgrade to Citrix Virtual Apps and Desktops 2507. They were installed as new Delivery Controllers, completely separate to the old environment; one with StoreFront on the same server, one with StoreFront on a different server to the Delivery Controller. The new StoreFront was pointed to using the existing Netscaler for each environment.

The engineer senior to us copied the configuration over. Both environments exhibited the exact same failure condition - they'd accept credentials fine, but then the page would just load infinitely. Occasionally, after restarting services and trying again in a private browser window, you could get error 43531, but it still didn't work.

The Fix

If you're also experiencing this, check the configuration for the Secure Ticket Authority (STA) in the StoreFront management console > StoreFront > Stores > (your store name) > Manage Citrix Gateways > (your Netscaler) > Edit > Secure Ticket Authority. In the case of both of these servers, it was set to https://SERVERNAME, rather than https://SERVERNAME.domain.private. Changing it to the FQDN allowed for authentication to work properly for these environments, and for test users to be presented with their list of apps.

Alternatively, in PowerShell, use Get-STFRoamingGateway and check the value of the SecureTicketAuthorityURLs property. You can then use Set-STFRoamingGateway (following Citrix's documentation there) to correct it... though if you're not doing this in bulk, the GUI is probably easier.
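For the bulk case, a read-only audit along these lines lists every STA URL and flags the ones that use a short name. This is an added example, not Citrix's or the original author's code; `Test-StaUrl` is a hypothetical helper, and the way each STA entry exposes its URL (as a string or through a `StaUrl` property) is an assumption to verify against your StoreFront SDK version.

```powershell
# Added example: read-only check of STA URLs. Changes nothing on the server.
function Test-StaUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    $wellFormed = [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)

    # FQDN here means: a DNS host name (not an IP literal) containing a dot.
    $isFqdn = $wellFormed -and $uri.HostNameType -eq 'Dns' -and $uri.Host.Contains('.')

    # Informational only: a short name can still resolve through the DNS
    # suffix search list, so a successful lookup does not mean it is an FQDN.
    $resolves = $false
    if ($wellFormed) {
        try { [void][System.Net.Dns]::GetHostEntry($uri.Host); $resolves = $true } catch { }
    }

    [pscustomobject]@{
        Url      = $Url
        StaHost  = if ($wellFormed) { $uri.Host } else { $null }
        IsFqdn   = $isFqdn
        Resolves = $resolves
    }
}

# The two values from this post, used as sample input.
'https://SERVERNAME', 'https://SERVERNAME.domain.private' |
    ForEach-Object { Test-StaUrl -Url $_ } | Format-Table -AutoSize

# On a StoreFront server: walk every configured gateway.
if (Get-Command Get-STFRoamingGateway -ErrorAction SilentlyContinue) {
    foreach ($gw in Get-STFRoamingGateway) {
        foreach ($sta in $gw.SecureTicketAuthorityUrls) {
            # Assumption: entry is a string or an object with a StaUrl property.
            $url = if ($sta -is [string]) { $sta }
                   elseif ($sta.StaUrl)   { "$($sta.StaUrl)" }
                   else                   { "$sta" }
            Test-StaUrl -Url $url |
                Select-Object @{ n = 'Gateway'; e = { $gw.Name } }, *
        }
    }
}
```

Any row with `IsFqdn` set to False is a candidate for the correction described above.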

As always, it was DNS.