Troubleshooting Authentication Issues with StoreFront 3.15

Rewriting post to make this more concise:  Any assistance is appreciated.

Configuration:  NetScaler MPX 9700s pointing to StoreFront 3.15 VMs (Windows 2012), pointing to XenApp 6.5.

Issue:  Authentication failure when trying to log in through both NetScaler and StoreFront.  Narrowed down via troubleshooting, it seems StoreFront is not passing traffic to the domain for authentication.

What is logged in Event Logs on StoreFront Server:
  • Security Log:
    • Event ID 4625: Unknown user name or bad password.
  • Citrix Delivery Services Log:
    • An authentication attempt was made for user: testuser that resulted in: Failed (Windows Error Code: 1326)  Password expiry information was requested but none was returned.
  • StoreFront Splash error when accessing URL:  "Incorrect Username or Password"

DebugView log:
  • An authentication attempt was made for user: testuser resulting in: Failed (Windows Error: 1326)
  • Citrix.DeliveryServices.Explicit Warning: 0 : Expiry information was requested, but none was returned
  • Citrix.DeliveryServices.Localisation Verbose: 0 : ResXNamespacedResourceManager found value 'Incorrect user name or password' for key 'ExplicitCore:Failed'

Verified:
  • I can telnet to the Domain Controllers/Active Directory from StoreFront over port 389, success.
  • Loopback to onUsingHttp is set in StoreFront.
  • None of these attempts are logged on the Domain Controller itself.


Any additional thoughts on how to troubleshoot this?

Thanks in advance.
jnordeng Asked:

Sam Jacobs (Director of Technology Development, IPM) Commented:
Very strange ... the StoreFront server is a member of the domain, right?
Is Windows Firewall on? If so, see if it helps if you turn it off.
Was any special hardening done to the server?
jnordeng (Author) Commented:
Yes, the StoreFront server is part of Domain A; users log in via Domain B, where their users are nested in AD groups of Domain C.  The thing is we have another set of NetScalers and StoreFront servers with the same architecture and domain trusts and this one works.  However, they are in different subnets.

Windows Firewall is off.  No real special hardening, disabled UAC, and Windows updates, other than that, followed the std setup docs. TLS settings match, etc.

I find it interesting I can't find these login attempts on the Domain Controller and have verified it hasn't or I would have been locked out multiple times already.  So, therefore, trying to understand the mechanism or if there is anything special in the AD auth call so I can verify that's working as expected as I can telnet to them with success.
Sam Jacobs (Director of Technology Development, IPM) Commented:
I doubt the subnets would make a difference as long as the trusts are set up the same.
The fact that you're not seeing the login attempts on the DC seems to signify either a routing or firewall issue (despite the fact that you can TELNET to it).
Can you see the authentication attempt in the firewall logs?
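
The check discussed above (failed logons recorded on the StoreFront server but not on any Domain Controller) can be scripted. This is an added example, not part of the original thread; the DC host names and the default time window are placeholders, and it assumes the account running it may read the Security log on each DC.

```powershell
# Added example: correlate failed logons on the StoreFront server with the DCs.
# $DomainControllers values are placeholders; run elevated on the StoreFront server.
param(
    [string]   $User              = 'testuser',
    [string[]] $DomainControllers = @('dc01.example.local', 'dc02.example.local'),
    [int]      $MinutesBack       = 30
)

function Get-FailedLogon {
    param([string]$Computer, [int[]]$Ids, [string]$User, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events" is an expected outcome; anything else (RPC blocked, access denied) is reported.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
        return
    }
    foreach ($e in $events) {
        # Read the named EventData fields instead of parsing the localized message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $User) {
            [pscustomobject]@{
                Computer = $Computer; Time = $e.TimeCreated; Id = $e.Id
                Status   = $data['Status']; SubStatus = $data['SubStatus']
                Source   = $data['IpAddress']
            }
        }
    }
}

$since    = (Get-Date).AddMinutes(-$MinutesBack)
# 4625 = failed logon (local Security log on the StoreFront server)
$sfEvents = @(Get-FailedLogon -Computer $env:COMPUTERNAME -Ids 4625 -User $User -Since $since)
# On the DCs also look for 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation)
$dcEvents = @(foreach ($dc in $DomainControllers) {
    Get-FailedLogon -Computer $dc -Ids 4625, 4771, 4776 -User $User -Since $since
})

"{0} StoreFront event(s), {1} DC event(s) for '{2}' since {3}" -f $sfEvents.Count, $dcEvents.Count, $User, $since
$sfEvents + $dcEvents | Sort-Object Time | Format-Table -AutoSize
if ($sfEvents.Count -gt 0 -and $dcEvents.Count -eq 0) {
    'Failures are recorded on the StoreFront server only: the attempt did not produce an audited logon event on the listed DCs.'
}
```

A zero count on the DCs is only meaningful if failure auditing for logon and credential validation is enabled there and every DC that could service the request is in the list.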
jnordeng (Author) Commented:
I'm working with the network guy next week as I don't have visibility into the firewall logs.  But wanted to see if I could get something concrete there before I have his time to ensure it gets resolved.
Sam Jacobs (Director of Technology Development, IPM) Commented:
I've found out the hard way that some firewalls are application-aware, and won't allow traffic through unless the application has been defined to it.
jnordeng (Author) Commented:
True, thanks though.  Didn't know if anyone had any other tricks to identify the path it's taking.  Trying to do a wire capture on the StoreFront box for more info, so hopefully I can find something.

Also, still learning the NetScaler/StoreFront in how they work, so appreciate you taking the time.
Sam Jacobs (Director of Technology Development, IPM) Commented:
While I can't help much with your firewall, please let me know if you have any NetScaler/StoreFront questions.
You might find this Citrix KB article helpful in understanding the NetScaler => StoreFront => application communication data flow:
 https://support.citrix.com/article/CTX227054
jnordeng (Author) Commented:
Thanks for talking this through with me.  While setting up my XenApp 7.15 environment, uncovered what I missed in the config.  Under Authentication Methods, the working cluster had the password validation set to Delivery Controllers, my non-working ones had Active Directory.
Something I overlooked I guess in these StoreFront servers to point to XenApp 6.5 as we must have changed this when getting the working cluster to work.

I can now authenticate after setting the non-working ones to Delivery Controllers.

Now onto the other one that isn't working - always something ;)  One step closer today though :)