Citrix Provisioning Server - Console User Domain Authentication Failure

Article ID: CTX666297

Description

When you try to connect to the PVS console from an account outside the PVS server's domain, you may see the following error:

"Unable to connect to the Domain Controller (if any) or the default rootDSE. Error code: 21071225, message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), provider:."

The PVS server may still carry a registry value that was previously used to work around this issue: the SpnDowngradeProtection value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

As of the April 2024 Microsoft updates, this registry value no longer allows the NTLM authentication to proceed. Specifically, the updates addressing:

CVE-2024-26248

CVE-2024-26183

Environment


Resolution

1.   You can create a user account in the same domain as the PVS server to work around this error.

2.   Uninstalling the updates referenced above allows the console user to connect.

A private fix for PVS 2203 CU3 is available for testing. This fix is referenced as CVADHELP-25218 in the PVS product documentation.

Note: The private fix is available only for PVS 2203 CU3. For all other platforms, the next public release or CU release listed below will include the code change implemented in this private fix:

1912-CU10
2203-CU6
2401-CU1
2407
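The following PowerShell function is an added example, not part of this Citrix article, for auditing a PVS server against the conditions described above: whether the legacy SpnDowngradeProtection workaround value is still present, which updates were installed after the April 2024 cut-off (the article names CVEs, not KB numbers, so the list is for manual correlation with the Microsoft advisories), and which domain the server is joined to, since a workaround console account (Resolution step 1) must live in that domain. The registry path and value name come from the article; the cut-off date and the function name are assumptions made for this example.

```powershell
# Added example (not from the Citrix article): audit a PVS server for the
# stale SpnDowngradeProtection workaround and recent Windows updates.
# Run in an elevated PowerShell session on the PVS server itself.

function Get-PvsSpnWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Registry key and value name as given in the article.
        [string]$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [string]$ValueName = 'SpnDowngradeProtection',
        # Assumed cut-off: hotfixes installed on or after this date are listed so the
        # admin can compare their KB numbers with the April 2024 advisories for
        # CVE-2024-26248 and CVE-2024-26183 (the article gives CVEs only, not KBs).
        [datetime]$UpdatesSince = [datetime]'2024-04-01'
    )

    # 1. Is the legacy workaround value still present, and what is it set to?
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    $workaroundPresent = ($null -ne $item)
    $workaroundValue   = if ($workaroundPresent) { $item.$ValueName } else { $null }

    # 2. Which updates were installed since the cut-off? InstalledOn can be empty
    #    for some entries, so guard against it before comparing dates.
    $recentHotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $UpdatesSince } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn

    # 3. Which domain is this server joined to? A console account created as a
    #    workaround must be in this domain, not in a trusted domain.
    $computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ComputerDomain       = $computerDomain
        CurrentUserDomain    = $env:USERDOMAIN
        WorkaroundKeyPresent = $workaroundPresent
        WorkaroundKeyValue   = $workaroundValue
        RecentHotfixes       = $recentHotfixes
    }
}

# Usage: print the summary, then the hotfix list for manual review.
$status = Get-PvsSpnWorkaroundStatus
$status | Select-Object ComputerName, ComputerDomain, CurrentUserDomain,
                        WorkaroundKeyPresent, WorkaroundKeyValue | Format-List
$status.RecentHotfixes | Format-Table -AutoSize
```

A server that reports WorkaroundKeyPresent as True together with post-April-2024 hotfixes is in the state this article describes: the registry value alone will no longer let the NTLM fallback succeed, so one of the resolutions above (a same-domain account, or the fixed PVS release) is needed.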


Problem Cause

The error occurs because Windows considers the service principal name (SPN) used for the connection to be malformed. Kerberos authentication therefore fails, and the subsequent downgrade to NTLM authentication is rejected.

Additional Information

https://support.citrix.com/article/CTX472962/error-connecting-to-pvs-farm-with-credentials-from-trusted-domain