Receiver Logon Failed to Storefront -- Web Works Fine

[Jonathan Clark1709155079]

Running into an interesting problem.  NetScaler 12.1 49.23 with Storefront 3.12.4000.  End-users can login perfectly fine using the Web or Receiver for Windows.  Whenever end-users attempt to logon with Receiver for iOS we get an error on the storefront log saying: An authentication attempt was made for user: <USERNAME> that resulted in: Failed (Windows Error Code: 1326).  Sometimes it will give additional details as: Password expiry information was requested but none was returned.  The security event log shows a corresponding entry showing: 

 

An account failed to log on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        <SERVERNAME>$
    Account Domain:        <DOMAIN>
    Logon ID:        0x3E4

Logon Type:            8

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        <USERNAME>
    Account Domain:        <DOMAIN>

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xC000006D
    Sub Status:        0xC000006A

Process Information:
    Caller Process ID:    0x15fc
    Caller Process Name:    C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe

Network Information:
    Workstation Name:    <SERVERNAME>
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

 

I have tried swapping the Storefront in NetScaler Authentication --> Password Validation from Active Directory to Delivery Controller  but that just swaps the error messages to the Delivery Controller instead of the Storefront server.  I have also tried disabling Password Expiration notifications in the Web.conf and in the Storefront interface.  This was working just a few days ago.  We have not made any changes to the NS or Storefront so we are baffled as to why this occurs.  If end-users come internal to the network they can connect to Storefront directly without NetScaler it works.  I don't understand why it was working and then just stopped working. 

 

One item to note, we are using RFWebUI theme in NetScaler.  I have not tried yet not using that theme. 

 

Any help would be appreciated. 

 

Thanks

Edited June 12, 2019 by jonathanbclark1
added RFWEBUI Theme details

[Aseem Shaikh]

Hi,

 

Looks like you are facing something very similar as this one:
https://discussions.citrix.com/topic/381394-citrixagbasic-single-sign-on-failed-because-the-credentials-failed-verification-with-reason-failed/ 

Let me know if it works for you.

 

Cheers,

Aseem

[Jonathan Clark1709155079]

Turns out there was a traffic policy bound to the Gateway vServer for Single Sign On.  I don't know why it was there or why it didn't effect anything except for the iOS logins.  As soon as I removed the traffic policy everything worked.