Domain users are unable to log on to StoreFront and receive the error message “Incorrect user name or password”. The Security event log on the StoreFront server records Event ID 4625 with Failure Reason “The user has not been granted the requested logon type at this machine”.
The error is seen both in Citrix Receiver and on the StoreFront StoreWeb site.
Note: Domain Administrators are not affected by the issue.
Event ID: 4625
Failure Reason: The user has not been granted the requested logon type at this machine.
Enabling StoreFront Traces
In certain instances, no errors are logged in Event Viewer under Security (or in any other log, such as System, Application, or Citrix Delivery Services). If this is the case, enable the StoreFront traces.
To enable tracing on the StoreFront server, complete the following steps:
Using an account with local administrator permissions on the Receiver StoreFront server, start Windows PowerShell.
At the prompt, type the following commands (the second command is the counterpart of the Set-DSTraceLevel -All -TraceLevel Off command used to disable tracing below):
Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
Set-DSTraceLevel -All -TraceLevel Verbose
When tracing is enabled, the trace information is written to files in the \Admin\Trace\ directory of the Receiver StoreFront installation, typically located at C:\Program Files\Citrix\Receiver Storefront\.
Review the Authentication Service xxxxxx.txt file for the following error:
“Citrix.DeliveryServices.ExplicitCore Information: 0 : Logon failed for user: domain\username Error code: 1385”
If this error is present, apply the steps described in the Solution section.
Disabling StoreFront Traces
To disable tracing on the StoreFront server, type the following commands:
Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
Set-DSTraceLevel -All -TraceLevel Off
Because a large amount of data can potentially be generated, tracing can significantly impact the performance of Receiver StoreFront. Citrix recommends disabling tracing whenever it is not required for troubleshooting.
Add the domain users to the Allow log on locally policy on the StoreFront server.
Complete the following steps to add the domain users:
On the Start menu, select Run.
Type gpedit.msc and click OK.
The Local Group Policy Editor window opens.
Open Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Right-click Allow log on locally and select Properties.
The Allow log on locally Properties window opens.
Click Add User or Group….
The Select Users, Computers, … window opens.
Type the users and/or groups to add.
The users or groups are added to the policy.
Complete the following steps to fix the issue:
Open the authentication service web.config file, located at C:\inetpub\wwwroot\Citrix\Authentication\web.config.
In the config file, search for the following configuration:
<explicitBL authenticator="win32Authenticator"
hideDomainField="true"
allowUserPasswordChange="Never"
allowZeroLengthPassword="false"
showPasswordExpiryWarning="Windows"
passwordExpiryWarningPeriod="10"
requireAccountSIDs="true">
Change showPasswordExpiryWarning="Windows" to showPasswordExpiryWarning="Never" and save the file.
The issue occurs because the domain users' access was removed from the Allow log on locally policy on the StoreFront server. The trace error code 1385 is ERROR_LOGON_TYPE_NOT_GRANTED, the same condition Event ID 4625 reports as “The user has not been granted the requested logon type at this machine”: the logon type StoreFront requests when it validates the user's credentials is governed by that user right.
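A way to confirm the symptom and review both settings this article changes before touching them (an added example, not from the Citrix article; it assumes the default web.config path used above and an elevated PowerShell session on the StoreFront server):

```powershell
# Added diagnostic script, not part of the Citrix article. Run it elevated on the
# StoreFront server. Assumption: web.config is at the article's default path.
$WebConfig = 'C:\inetpub\wwwroot\Citrix\Authentication\web.config'

# 1. Recent 4625 events carrying NTSTATUS 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED),
#    the status behind the "has not been granted the requested logon type" failure reason.
function Get-LogonTypeNotGrantedEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Status'] -eq '0xc000015b') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']   # 2 = interactive, the type "Allow log on locally" governs
            }
        }
    }
}

# 2. Current holders of "Allow log on locally" (SeInteractiveLogonRight). secedit exports
#    the right as a comma-separated list of *SID entries under [Privilege Rights].
function Get-AllowLogOnLocally {
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier $id).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }   # not a SID (or unresolvable): report the raw entry
    }
}

# 3. The explicitBL attribute the article says to change; local-name() ignores any XML namespace.
function Get-PasswordExpiryWarningSetting {
    param([string]$Path = $WebConfig)
    $node = ([xml](Get-Content -Path $Path -Raw)).SelectSingleNode("//*[local-name()='explicitBL']")
    if ($node) { $node.GetAttribute('showPasswordExpiryWarning') } else { 'explicitBL element not found' }
}

Get-LogonTypeNotGrantedEvents | Format-Table -AutoSize
'Allow log on locally: ' + ((Get-AllowLogOnLocally) -join ', ')
'showPasswordExpiryWarning: ' + (Get-PasswordExpiryWarningSetting)
```

The second check also shows how broad the right currently is; granting it to a dedicated group of StoreFront users rather than to every domain account keeps interactive logon to the server as narrow as the fix allows.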