Delegated Directory Claim Factory Test

A claim is a statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by a security token service (STS).

Users accessing StoreFront via the NetScaler Gateway can login using a passcode. This passcode is generated by a security token (i.e., claim), which is issued by a claims provider such as ADFS (Active Directory Federation Service server). Once the NetScaler Gateway validates the claim using Active Directory, the user request is transmitted to the trusted StoreFront server. StoreFront then contacts the Federated Authentication Service (FAS) to assert the claimed user identity. If FAS asserts the user identity, then it grants a ticket that allows a single XenApp or XenDesktop session to authenticate with a certificate for that session.


Figure 1 : Federated Authentication Service integrating with a Microsoft Certification Authority and providing support services to StoreFront and XenApp and XenDesktop Virtual Delivery Agents (VDAs)

If this claims-based authentication process takes too long, users logging into their stores via the NetScaler Gateway may be denied timely access to their stores. This can adversely impact user experience with StoreFront. To avoid this, administrators can periodically run the Delegated Directory Claim Factory test. This test tracks the claims-based authentication process and alerts administrators to probable delays in the process. This enables administrators to investigate and diagnose the reasons for the delay and promptly initiate measures to pre-empt it.

Target of the test: A Citrix StoreFront server

Agent deploying the test : An internal/remote agent

Outputs of the test : One set of results for the Citrix Storefront server being monitored

Configurable parameters for the test
Parameters Description

Test period

This indicates how often should the test be executed.


The host for which the test is to be configured.


The port number at which the specified HOST listens to. By default, this is 443.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Create claim calls

Indicates the number of claim-based logins attempted since the last measurement period.



Create claim average time

Indicates the average time taken to authenticate the claim-based logins.


A consistent rise in the value of this measure could indicate an authentication delay.