CVAD - "Access is Denied" error displayed for all new ICA sessions

Article ID: CTX466084

Description

"Access is Denied" error pop-up shown when the user launches an ICA session and the logon is in progress.

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

The problem was resolved after setting the following registry key to its default value on all Domain Controllers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Name: RestrictedRemoteSAM 
Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;AU)

StoreFront logs the following event:

Failed to get user data to determine password expiry, error: 1727 from server <domain controller name>

More information about this key is documented in the following article:

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

Note: The value for the registry key was taken from a known working Domain controller where this policy was not applied. Customers are advised to consult with Microsoft for determining the appropriate default value for the registry key.
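
To see what each Domain Controller currently holds before changing anything, the read-only PowerShell sketch below reads RestrictedRemoteSAM, compares it with the value listed above, and decodes the SDDL into its access entries. It is an added example, not Citrix or Microsoft code; the function names are hypothetical and remote reads assume PowerShell remoting is enabled on the target.

```powershell
# Added example: read-only check, nothing is written to the registry.
# Assumptions: function names are hypothetical; remote reads need PowerShell remoting.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = 'O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;AU)'   # value listed in this article

function ConvertFrom-RemoteSamSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse the SDDL string into a security descriptor and walk its DACL
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $name = $ace.SecurityIdentifier.Value
        try {
            # Resolve the SID to a readable name (BA, AU and so on) when possible
            $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Type        = $ace.AceQualifier                     # AccessAllowed / AccessDenied
            Principal   = $name
            ReadControl = [bool]($ace.AccessMask -band 0x20000) # "RC" in the SDDL
        }
    }
}

function Get-RestrictedRemoteSam {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $read = {
        param($Key)
        (Get-ItemProperty -Path $Key -Name RestrictedRemoteSAM -ErrorAction SilentlyContinue).RestrictedRemoteSAM
    }
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            $value = & $read $LsaKey
        } else {
            $value = Invoke-Command -ComputerName $computer -ScriptBlock $read -ArgumentList $LsaKey
        }
        $aces = @()
        if ($value) { $aces = @(ConvertFrom-RemoteSamSddl -Sddl $value) }
        [pscustomobject]@{
            Computer       = $computer
            Value          = $value            # empty when the registry value is absent
            MatchesArticle = ($value -eq $Expected)
            Aces           = $aces
        }
    }
}

# Local check; pass -ComputerName with your Domain Controller names to check several
Get-RestrictedRemoteSam | Format-List
```

A Domain Controller whose `Value` still differs after the policy was reverted is a candidate for the registry change described above.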


Problem Cause

The problem started after the customer's AD team changed the Default Domain Controller policy "Network access: Restrict clients allowed to make remote SAM calls". Even after the policy was reverted, the issue persisted.