The user's password has expired, or the "set at next logon" flag is set.
However, the user is able to log in to Workspace because cached credentials are used.
When the user launches an app, they are prompted to change their AD password. Once this is complete and a message confirms that the password change was successful, the session hangs and the logon never completes.
The user will launch applications after the password reset, but the incomplete logon session will still be present.
An administrator needs to manually kill the processes on the server to release that session.
This is a known issue.
Citrix recommends changing the password from Workspace and not from the application launch.
Citrix Federated Authentication Service does not support changing an expired password at logon time.