XenMobile Error : Incorrect credentials while enrollment


Article ID: CTX224195

Description

This article describes a few reasons for the "Incorrect credentials" error and how to troubleshoot them.

a) The error below indicates that the user might be typing incorrect credentials, or typing the sAMAccountName instead of the UserPrincipalName (or vice versa).

,<X1_NETWORKING>,ERROR (2),"request with id 5 failed with httpResponse code 401 and errorMessage : Error Domain=com.alamofire.error.serialization.response Code=-1011 "Request failed: unauthorized (401)"

b) The error below indicates that the user account might be disabled in Active Directory, or that the service account used in XenMobile's LDAP configuration is disabled.

" ",<MDM>,ERROR (2),"handleServerError response 401 with title and detail text Secure Hub Please check your credentials. You may have mistyped them.",Active,com.apple.main-thread,c07,Worx

c) The error below indicates that the user account might be disabled in XenMobile.

| 6F37B731FE87489C | WARN | http-nio-10080-exec-16 | com.citrix.xms.oca.imil.service.impl.AuthenticationServiceImpl | User is locked. Try again after few minutes.
 WARN | http-nio-10080-exec-16 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user@citrix.local': com.citrix.xms.oca.imil.exception.IMILException: User is locked. Try again after few minutes.

d) In a multi-domain environment, the error below indicates that the user is entering the sAMAccountName instead of the UserPrincipalName.

 | 567babf76f74acb0 | INFO | http-nio-10080-exec-18 | com.citrix.cg.bo.GenericUserMgr | GC context is enabled for domain citrix.local
 | 567babf76f74acb0 | WARN | http-nio-10080-exec-18 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user1': The user user1 does not exist.
org.apache.jetspeed.security.SecurityException: The user user1 does not exist.

e) The error below in the XenMobile debug logs indicates that there could be a communication issue between LDAP (port 389/636) and the Global Catalog (port 3268/3269).

WARN | http-nio-10080-exec-11 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user1@citrixnew.local': com.citrix.xms.oca.imil.exception.IMILException: com.citrix.xms.oca.imil.exception.IMILException: Could not refreshUser
 

Resolution

  • Ensure that the correct credentials are used for enrollment.
  • Enable the user account in Active Directory Users and Computers.
  • Ensure that the user enters credentials (sAMAccountName instead of UserPrincipalName) as per the LDAP configuration in the XenMobile Server and the NetScaler Gateway configuration. (References: LDAP Configuration in XenMobile: http://docs.citrix.com/en-us/xenmobile/10/xmob-ldap-configuration.html LDAP Configuration in NetScaler: http://support.citrix.com/article/CTX108876)
  • To update the LDAP configuration with the IP address of a Domain Controller, navigate to XenMobile Server Console --> Settings --> LDAP --> Edit --> update the correct IP address for the domain controller --> Save.
  • If the configuration is saved without any error, that confirms that connectivity between the XenMobile Server and the Domain Controller is operational.
  • If the user account is locked by XenMobile, wait until the lockout time is over and then try again with the correct credentials.
  • To change the lockout configuration, navigate to XenMobile Server Console --> Settings --> LDAP --> Edit, and adjust XenMobile lockout limit and XenMobile lockout time (save the settings once they are changed).
  • For a multi-domain environment, the user needs to enter the UserPrincipalName instead of the sAMAccountName for authentication.
  • To configure the Global Catalog under the XenMobile LDAP configuration, navigate to XenMobile Server Console --> Login --> Settings --> LDAP, provide the password --> Add 3268 under the Port field --> Save.
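
Added example, not part of the Citrix article or product: a Python sketch that triages the server-side debug log lines shown in c), d) and e) into the matching resolution step. The sample lines are constructed from the excerpts above, and treating the http-nio-* field as the worker thread that ties the GC context line to the failure is an assumption.

```python
import re

# Constructed sample lines, modelled on the excerpts in this article.
SAMPLE_LOG = """\
| 6F37B731FE87489C | WARN | http-nio-10080-exec-16 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user@citrix.local': com.citrix.xms.oca.imil.exception.IMILException: User is locked. Try again after few minutes.
| 567babf76f74acb0 | INFO | http-nio-10080-exec-18 | com.citrix.cg.bo.GenericUserMgr | GC context is enabled for domain citrix.local
| 567babf76f74acb0 | WARN | http-nio-10080-exec-18 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user1': The user user1 does not exist.
WARN | http-nio-10080-exec-11 | com.sparus.nps.DefaultAuthenticationImpl | Authentication failed for 'user1@citrixnew.local': com.citrix.xms.oca.imil.exception.IMILException: Could not refreshUser
""".splitlines()

AUTH_FAIL = re.compile(r"Authentication failed for '(?P<user>[^']+)': (?P<reason>.*)")
GC_ON = re.compile(r"GC context is enabled for domain \S+")

def classify(user, reason, gc_seen):
    """Map one failure to the article's case letter and a resolution hint."""
    if "User is locked" in reason:
        return "c", "wait out the XenMobile lockout time, then retry"
    # Case d needs both signals: a bare name (no '@') and a GC context line.
    if "does not exist" in reason and "@" not in user and gc_seen:
        return "d", "multi-domain: enter UserPrincipalName, not sAMAccountName"
    if "Could not refreshUser" in reason:
        return "e", "check LDAP (389/636) and Global Catalog (3268/3269) connectivity"
    return "?", "not covered by this article"

def triage(lines):
    """Return (user, case, hint) for every authentication failure in lines."""
    gc_threads, findings = set(), []
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        # Assumption: the http-nio-* field names the thread handling the request.
        thread = next((f for f in fields if f.startswith("http-nio-")), None)
        if thread and GC_ON.search(line):
            gc_threads.add(thread)
        m = AUTH_FAIL.search(line)
        if m:
            case, hint = classify(m["user"], m["reason"], thread in gc_threads)
            findings.append((m["user"], case, hint))
    return findings

if __name__ == "__main__":
    for user, case, hint in triage(SAMPLE_LOG):
        print(f"{case}) {user}: {hint}")
```

A failure reported as "?" falls outside the cases in this article and needs the full debug log for context.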