Error: "You have not been granted access to this published application" If The App Is Set To Limit Visibility In Multi Domain environment

Article ID: CTX224290

Description

You have a multi-domain environment. Users from a child domain get the error "You have not been granted access to this published application" when launching an application via Web Interface or StoreFront.

The issue occurs when you add a user group from one child domain to the application's Limit Visibility option and a group with the same name exists in another child domain or in the parent domain.

Example:

  • You have a parent domain named A.com.
  • You have two child domains, B.com and C.com.
  • A user group with the same name, XXX, exists in both child domains.
  • You publish an application and add the user group XXX from child domain B.com to Limit Visibility, so that only members of XXX in B.com should be able to access that application.
  • However, when users from child domain B.com launch the application, they get the error "You have not been granted access to this published application".

Resolution

Currently a Private fix is available for XenApp/XenDesktop 7.12 and 7.13 under LC7566.

Update: LC7566 is included in XenApp and XenDesktop 7.15 LTSR.

Reference: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/whats-new/fixed-issues.html

WORKAROUNDS

1. Rename the group in the child or parent domain so that the group names in the two domains no longer match.

Or

2. Add the users explicitly to Limit Visibility instead of the group.

Or

3. Create a universal group in the child domain and add the domain users to it, then create a domain local group in the primary (parent) domain and add the universal group to it. Give the new groups names that do not exist in any other domain of the forest.
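Workaround 3 scripted with the ActiveDirectory module, as an added example that is not part of the Citrix article. The domain names A.com (parent) and B.com (child) are the ones used in the article's scenario; the group names, OU paths and -Server targets are placeholders to adjust. Set-ADGroup -Add with a distinguished name is used instead of Add-ADGroupMember for the cross-domain step because the member object lives in another domain.

```powershell
# Added example (not Citrix code): workaround 3 from the article.
# Assumptions: ActiveDirectory module available, run by an account that can
# create groups in both domains; OU paths and group names are placeholders.
Import-Module ActiveDirectory

$childDomain  = 'B.com'   # child domain that owns the users and the original group XXX
$parentDomain = 'A.com'   # parent (primary) domain where the application is published

# 1. Universal group in the child domain; copy the user members of XXX into it
#    so the population that should see the application stays the same.
$universal = New-ADGroup -Server $childDomain -Name 'XXX-B-Universal' `
    -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=B,DC=com' -PassThru

$users = Get-ADGroupMember -Server $childDomain -Identity 'XXX' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
if ($users) {
    Set-ADGroup -Server $childDomain -Identity $universal `
        -Add @{ member = @($users.DistinguishedName) }
}

# 2. Domain local group in the parent domain, with a name that cannot collide
#    with XXX anywhere in the forest, nesting the universal group.
$local = New-ADGroup -Server $parentDomain -Name 'XXX-B-AppAccess' `
    -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=A,DC=com' -PassThru

Set-ADGroup -Server $parentDomain -Identity $local `
    -Add @{ member = $universal.DistinguishedName }

# 3. Verify the nesting, then add A\XXX-B-AppAccess (not XXX) to the
#    application's Limit Visibility list in Studio.
Get-ADGroupMember -Server $parentDomain -Identity $local |
    Select-Object Name, objectClass, distinguishedName
```

Because the new names are unique across the forest, the isolated-name lookup described under Problem Cause can only resolve to one group, which is what makes this workaround hold even on the unfixed broker.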

Problem Cause

We obtained the account name from the group SID (using LookupAccountSid) and then did a reverse lookup with LookupAccountName to get the group SID back, passing only the isolated account name rather than the fully qualified <domain>\<name>. When a group with the same name exists in another child domain, that reverse lookup returned the SID of the wrong group.

Hence, when there are groups with the same name in multiple domains, the group SID returned by the reverse lookup could be that of any of those groups, so the visibility check can be evaluated against a group the user is not a member of.

Issue/Introduction

Users get the error "You have not been granted access to this published application" when launching the application from Web Interface or StoreFront in a multi-domain environment if the application is set to Limit Visibility.

Additional Information

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379166(v=vs.85).aspx
The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379159(v=vs.85).aspx
The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.

In this case, the LookupAccountName function attempts to find a SID for the specified name by first checking a list of well-known SIDs. If the name does not correspond to a well-known SID, the function checks built-in and administratively defined local accounts. Next, the function checks the primary domain. If the name is not found there, trusted domains are checked.

Use fully qualified account names (for example, domain_name\user_name) instead of isolated names (for example, user_name). Fully qualified names are unambiguous and provide better performance when the lookup is performed. This function also supports fully qualified DNS names (for example, example.example.com\user_name) and user principal names (UPN) (for example, someone@example.com).
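The round trip described under Problem Cause, and the lookup order quoted above from MSDN, replayed with P/Invoke so you can observe on a domain-joined host which group an isolated-name lookup actually resolves to. This is an added example, not code from the Citrix article or from the broker; the SID constant is a placeholder to replace with the SID of group XXX in the child domain (for example from (Get-ADGroup -Server B.com XXX).SID), and the function names are the example's own.

```powershell
# Added example (not Citrix code): SID -> name -> SID with advapi32's
# LookupAccountSid / LookupAccountName, isolated name versus domain\name.
# Assumptions: run on a domain-joined Windows host; $groupSid is a placeholder.
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountSid(
    string lpSystemName, byte[] Sid,
    System.Text.StringBuilder lpName, ref uint cchName,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountName(
    string lpSystemName, string lpAccountName,
    byte[] Sid, ref uint cbSid,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);
'@

function Get-Win32ErrorMessage {
    ([System.ComponentModel.Win32Exception][System.Runtime.InteropServices.Marshal]::GetLastWin32Error()).Message
}

# SID -> (Name, Domain): the first half of the broker's round trip.
function Resolve-SidToAccount {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    $name   = New-Object System.Text.StringBuilder 256
    $domain = New-Object System.Text.StringBuilder 256
    [uint32]$cchName = $name.Capacity; [uint32]$cchDomain = $domain.Capacity; [int]$use = 0
    if (-not [Win32.Advapi32]::LookupAccountSid($null, $bytes, $name, [ref]$cchName,
                                                 $domain, [ref]$cchDomain, [ref]$use)) {
        throw "LookupAccountSid failed: $(Get-Win32ErrorMessage)"
    }
    [pscustomobject]@{ Name = $name.ToString(); Domain = $domain.ToString(); SidNameUse = $use }
}

# Name -> (SID, Domain): the reverse lookup. Whether $AccountName is isolated
# ("XXX") or fully qualified ("B\XXX") decides which group comes back.
function Resolve-AccountToSid {
    param([Parameter(Mandatory)][string]$AccountName)
    $sidBytes = New-Object byte[] 68           # SECURITY_MAX_SID_SIZE
    [uint32]$cbSid = $sidBytes.Length
    $domain = New-Object System.Text.StringBuilder 256
    [uint32]$cchDomain = $domain.Capacity; [int]$use = 0
    if (-not [Win32.Advapi32]::LookupAccountName($null, $AccountName, $sidBytes, [ref]$cbSid,
                                                  $domain, [ref]$cchDomain, [ref]$use)) {
        throw "LookupAccountName('$AccountName') failed: $(Get-Win32ErrorMessage)"
    }
    [pscustomobject]@{
        Sid    = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        Domain = $domain.ToString()
    }
}

# Placeholder: SID of group XXX in the child domain B.com.
$groupSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'

$acct      = Resolve-SidToAccount $groupSid
$isolated  = Resolve-AccountToSid $acct.Name                        # what the unfixed code did
$qualified = Resolve-AccountToSid "$($acct.Domain)\$($acct.Name)"   # the fix: <domain>\<name>

"Start    : $($groupSid.Value)  ($($acct.Domain)\$($acct.Name))"
"Isolated : $($isolated.Sid.Value)  resolved in domain $($isolated.Domain)"
"Qualified: $($qualified.Sid.Value)  resolved in domain $($qualified.Domain)"
if ($isolated.Sid.Value -ne $groupSid.Value) {
    "Isolated lookup returned a different group; a visibility check keyed on it denies the intended users."
}
```

On a host whose primary domain (or a trusted domain searched earlier) holds another group named XXX, the Isolated line shows that other group's SID and domain, while the Qualified line always returns the SID you started from. That difference is the whole defect: the check was evaluated against the wrong group's membership.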