Troubleshooting Authentication Issues with StoreFront 3.15

jnordeng used Ask the Experts™
Rewriting post to make this more concise:  Any assistance is appreciated.

Configuration:  NetScaler MPX 9700s pointing to StoreFront 3.15 VMs (Windows 2012), pointing to XenApp 6.5.

Issue:  Authentication failure when trying to log in through both NetScaler and StoreFront.  Narrowed down via troubleshooting; it seems the StoreFront is not passing traffic to the domain for authentication.

What is logged in Event Logs on StoreFront Server:
  • Security Log:
      • Event ID 4625: Unknown user name or bad password.
  • Citrix Delivery Services Log:
      • An authentication attempt was made for user: testuser that resulted in: Failed (Windows Error Code: 1326)  Password expiry information was requested but none was returned.
  • StoreFront Splash error when accessing URL:  "Incorrect Username or Password"

DebugView log:
  • An authentication attempt was made for user: testuser resulting in: Failed (Windows Error: 1326)
  • Citrix.DeliveryServices.Explicit Warning: 0 : Expiry information was requested, but none was returned
  • Citrix.DeliveryServices.Localisation Verbose: 0 : ResXNamespacedResourceManager found value 'Incorrect user name or password' for key 'ExplicitCore:Failed'

  • I can telnet the Domain Controllers/Active Directory from StoreFront over port 389, success.
  • Loopback to onUsingHttp is set in StoreFront.
  • None of these attempts are logged on the Domain Controller itself.

Any additional thoughts on how to troubleshoot this?

Thanks in advance.
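
The Event ID 4625 entries described in the question carry more detail than the "Unknown user name or bad password" summary: the SubStatus field separates an account that could not be found from a wrong password, and the Computer field shows which machine evaluated the logon. The following PowerShell is an added example, not part of the original thread; the function name `ConvertFrom-LogonFailureXml`, the host name, timestamp and all field values in the sample event are constructed for illustration.

```powershell
# Added example: decode a Security event 4625 (failed logon) from its XML form.
# SubStatus meanings are the documented Windows NTSTATUS logon-failure codes.
$SubStatusMeaning = @{
    '0xc0000064' = 'Account name does not exist'
    '0xc000006a' = 'Account name is valid, password is wrong'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000005e' = 'No logon servers available to service the request'
    '0xc0000234' = 'Account is locked out'
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = [xml]$EventXml
    $data = @{}
    foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $sub = "$($data['SubStatus'])".ToLower()
    [pscustomobject]@{
        Time        = $evt.Event.System.TimeCreated.SystemTime
        LoggedOn    = $evt.Event.System.Computer
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Process     = "$($data['LogonProcessName'])".Trim()
        AuthPackage = $data['AuthenticationPackageName']
        SubStatus   = $sub
        Meaning     = if ($SubStatusMeaning.ContainsKey($sub)) { $SubStatusMeaning[$sub] } else { 'Not in table' }
    }
}

# Constructed sample event (values are illustrative, not taken from the thread).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2018-01-01T12:00:00.000Z" />
    <Computer>storefront01.domaina.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">testuser</Data>
    <Data Name="TargetDomainName">DOMAINB</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonFailureXml $sample | Format-List

# Live use on the StoreFront server (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() }
```

Running the same query on the Domain Controller and comparing the results by time and user shows whether a given failed logon was ever evaluated there.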
Sam Jacobs, Director of Technology Development, IPM

Very strange ... the StoreFront server is a member of the domain, right?
Is Windows Firewall on? If so, see if it helps if you turn it off.
Was any special hardening done to the server?


Yes, StoreFront server is part of Domain A; users log in via Domain B, where their users are nested in AD groups of Domain C.  The thing is we have another set of NetScalers and StoreFront servers with the same architecture and domain trusts and this one works.  However, they are in different subnets.

Windows Firewall is off.  No real special hardening, disabled UAC, and Windows updates, other than that, followed the std setup docs. TLS settings match, etc.

I find it interesting I can't find these login attempts on the Domain Controller and have verified it hasn't or I would have been locked out multiple times already.  So, therefore, trying to understand the mechanism or if there is anything special in the AD auth call so I can verify that's working as expected as I can telnet to them with success.
Sam Jacobs, Director of Technology Development, IPM

I doubt the subnets would make a difference as long as the trusts are set up the same.
The fact that you're not seeing the login attempts on the DC seems to signify either a routing or firewall issue (despite the fact that you can TELNET to it).
Can you see the authentication attempt in the firewall logs?


I'm working with the network guy next week as I don't have visibility into the firewall logs.  But wanted to see if I could get something concrete there before I have his time to ensure it gets resolved.
Sam Jacobs, Director of Technology Development, IPM

I've found out the hard way that some firewalls are application-aware, and won't allow traffic through unless the application has been defined to it.


True, thanks though.  Didn't know if anyone had any other tricks to identify the path it's taking.  Trying to do a wire capture on the StoreFront box for more info, so hopefully I can find something.

Also, still learning the Netscaler/Storefront in how they work, so appreciate you taking the time.
Sam Jacobs, Director of Technology Development, IPM

While I can't help much with your firewall, please let me know if you have any NetScaler/StoreFront questions.
You might find this Citrix KB article helpful in understanding the NetScaler => StoreFront => application communication data flow:


Thanks for talking this through with me.  While setting up my XenApp 7.15 environment, uncovered what I missed in the config.  Under Authentication Methods, the working cluster had the password validation set to Delivery Controllers, my non-working ones had Active Directory.
Something I overlooked I guess in these StoreFront servers to point to XenApp 6.5 as we must have changed this when getting the working cluster to work.

I can now authenticate after setting the non-working ones to Delivery Controllers.

Now onto the other one that isn't working - always something ;)  One step closer today though :)