If you are using the Federation Authentication Service (FAS) for 1st hop authentication, the 2nd hop session might stop at "Please wait for Local Session Manager" or get an error "The user name or password is incorrect. Try again".

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Enable FAS authentication on both the 1st and 2nd hops. Or disable FAS on the 1st hop.

 

Troubleshoot

How to check whether FAS is enabled with Event Viewer
Check if any FAS related events are written in the event log

How to check whether FAS is enabled on StoreFront
Execute the following Powershell commnads on Storefront

> Get-Module "citrix.storefront. *" -ListAvailable | Import-Module
> $store = Get-STFStoreService -VirtualPath "/citrix/YOUR_STORE_NAME"
> Get-STFStoreLaunchOptions -StoreService $store

* Enter the actual store name for "YOUR_STORE_NAME"

Example:

SetNoLoadBiasFlag: False
AddressResolutionType: DnsPort
RequestICAClientSecureChannel: DetectAnyCiphers
IgnoreClientProvidedClientAddress: False
OverlayAutoLoginCredentialsWithTicket: False
OverrideIcaClientName: False
RequireLaunchReference: True
AllowFontSmoothing: True
ShowDesktopViewer: False
AllowSpecialFolderRedirection: False
ClientProxyPolicy: {}
RoutingPolicy: Citrix.StoreFront.Model.Store.RoutingPolicy
VdaLogonDataProviderName:

* In this case, VdaLogonDataProviderName is blank. Thus, FAS is not enabled.

How to enable or disable FAS on StoreFront
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service.html#enable-the-federated-authentication-service-plug-in-on-a-storefront-store

---

Problem Cause

When an user logged on using FAS, Windows OS on the 1st hop VDA handles it like a smartcard logon.
Therefore, if the 2nd hop VDA is provided through another StoreFront using path-through authentication instead of FAS, then the 2nd hop VDA expects a smartcard logon.
As a result, pass-through authentication fails on the 2nd hop VDA.