The article summarizes on how to resolve the Secure Hub authentication loop with Pin and symptoms would be like below:

•  Secure Hub prompts user about connection being expired and asks for re-authentication with PIN.
• After PIN has been given, Secure Hub prompts for PIN again.
• Only workaround is to re-enroll the device.
• Another workaround is to input the wrong pin and the follow the link.

• On the NetScaler
• Go to NetScaler Gateway-->Global settings-->Change authentication AAA settings and disable this setting there(Enable Enhanced Authentication Feedback)

Problem Cause

Feb 12 08:35:00 iPhone Secure Hub[1070] <Notice>: [<CAMAUTH>:ERROR:com.apple.root.default-qos:f03]-:+[CAMAgeeLogon extractAuthenticationResultFromHttpResponse:forRequestURL:]: The gateway login response contained error cookie 'NSC_VPNERR=4007' which means 'Incorrect (bad format) password.'. There's no logic to recover from this case, will abort auth.

Feb 12 08:35:00 iPhone Secure Hub[1070] <Notice>: [<CAMAUTH>:INFO:com.apple.root.default-qos:f03]-:-[CAMAsyncHTTPImpl private_sendRequestForAM:storeIDForCertAuth:withSession:]: HttpRequest#10 GET https://xxx/cgi/logout

aaad.debug:

 /home/build/rs_111_56_9_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_        ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment:         AcceptSecurityContext error, data 52e, v2580>>

Mon Feb 12 08:53:24 2018

 /home/build/rs_111_56_9_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_        check_result LDAP action failed (error 49): Invalid credentials

Network trace shows wrong (old) password.