When a user launches a published application they see Access denied error during Windows logon. Problem does not happen for all users and happens only for a subset of users.
To resolve the issue, create a new REG_DWORD at the following registry path on the server to increase the Kerberos MaxTokenSize:
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: MaxTokenSize
Type: REG_DWORD
Value: 48000 (Decimal)
Note: After modifying the registry, restart the server.
The user launching the published application is member of a large number of groups.
https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/
Thread: "Access is Denied" for one user in Xenapp 6
How to use Group Policy to add the MaxTokenSize registry entry to multiple computers