Article ID: CTX296578
Description
After enabling MFA and FAS, users may be unable to sign in to a StoreFront published app with an anonymous account in another domain. The logon fails with the error "Incorrect Pin".
Scenario:
- You may have StoreFront, FAS (Federated Authentication Service) and VDAs in Domain A, and a separate Domain B with its own StoreFront and VDAs
- Domain A and Domain B are not federated and there is no trust between them
- StoreFront in Domain B allows anonymous logon
- There is no FAS in Domain B
- The user launches the IE-based app (Domain B), which opens the external URL of the StoreFront located in Domain B (double hop)
- When the user launches the app from the StoreFront server in Domain B, the logon fails with "incorrect pin"
Resolution
Apply the Citrix Receiver or Workspace app policy on the application VDA in Domain A where IE is launched.
Use the Citrix Receiver for Windows Group Policy template files:
• Add the Citrix Receiver for Windows template files to the Local Group Policy Editor. For more information, see Configure Receiver with the Group Policy Object template. Be sure to use the ADM template of the same version as the Receiver or Citrix Workspace app on the client.
Follow the steps below to configure the policy:
1. Open the Local Group Policy Editor. Navigate to Citrix Receiver > User authentication.
2. Open the Local user name password policy.
3. Select Disable.
4. Click Apply and OK.
Problem Cause
When a user logs on using FAS, the Windows OS on the first-hop VDA in Domain A handles the logon as a virtual smart card (certificate) logon, with the certificate supplied by FAS in this scenario.
Therefore, if the second-hop VDA is provided through another StoreFront (in Domain B) that uses anonymous authentication instead of FAS, the second-hop VDA in Domain B does not accept the FAS certificate-based credential.
As a result, authentication fails on the second-hop VDA.