Citrix Virtual Apps and Desktops - "Username or password is incorrect" When Connecting to VDIs Using Citrix Federated Authentication Service (FAS)
Article ID: CTX694987
Description
Users are randomly receiving a message "Username or password is incorrect" when they attempt to connect to their VDIs using Citrix Federated Authentication Service (FAS).

- In the Application event log on the VDA, Event ID 106 from source Citrix.Authentication.Federation can be seen, containing the details of the affected user.
- Filtering the Security event log on the VDA for Event ID 4265 (Logon Failure) shows a Logon Failure event that occurred within a few seconds of the Event ID 106.
- In the "General" pane of the Event ID 4265 Logon Failure, under "Account For Which Logon Failed", the "Account Name" field contained the affected user's UPN.
- Under "Failure Information:" we saw the following:
  Failure Information:
  Failure Reason: An Error Occurred During Logon
  Status: 0xC000006D
  Sub Status: 0xC000040E
Cause
Status Error Code: 0xc000006D = Bad username or password
Substatus Error Code: 0xc000040e = STATUS_KDC_CERT_EXPIRED. This indicates that at least one of the domain controllers' "Kerberos Authentication" certificates has expired.
Resolution
- RDP to each Domain Controller.
- Start certlm.msc to launch the local computer certificate management console.
- Navigate to Personal > Certificates
- The customer found that some of the certificates with the "Intended purposes" of "Domain Controller", "Domain Controller Authentication", "Smart Card Logon" and "Kerberos Authentication" had expired. The expiry time coincided with when users started reporting the error.
- After the expired certificates were recreated on the DCs, the issue was no longer seen on the test VDA.
These certificates should auto-enrol when they expire, but we found that the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment policy was not present.
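The certificate check in the steps above can also be scripted and repeated on every domain controller. The following PowerShell is an added example, not part of the Citrix article: it lists each certificate in the local computer Personal store with its intended purposes and expiry status, then reports whether an auto-enrolment policy value is present in the registry. The 30-day warning window and the variable names are assumptions made for this example.

```powershell
# Added example (not from the Citrix article). Run in an elevated PowerShell
# session on each domain controller.
$WarnDays = 30          # assumption: warning window chosen for this example
$now = Get-Date

# Same view as certlm.msc > Personal > Certificates, with expiry status added.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # The "Intended purposes" column corresponds to the Enhanced Key Usage entries.
    $purposes = ($cert.EnhancedKeyUsageList | ForEach-Object {
        if ($_.FriendlyName) { $_.FriendlyName } else { $_.ObjectId }
    }) -join ', '
    # Template name: v2 templates use OID 1.3.6.1.4.1.311.21.7, v1 use 1.3.6.1.4.1.311.20.2.
    $tmpl = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    $status = if ($cert.NotAfter -lt $now) { 'EXPIRED' } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING' } else { 'OK' }
    [pscustomobject]@{
        Status           = $status
        NotAfter         = $cert.NotAfter
        Template         = if ($tmpl) { $tmpl.Format($false) } else { '' }
        IntendedPurposes = $purposes
        Thumbprint       = $cert.Thumbprint
    }
} | Sort-Object NotAfter | Format-List

# The auto-enrolment Group Policy setting is written to this registry key when applied.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'No AEPolicy value found: auto-enrolment policy is not applied to this computer.'
} else {
    '{0}\AEPolicy = 0x{1:X}' -f $aeKey, $ae.AEPolicy
}
```

Any row reported as EXPIRED or EXPIRING whose purposes include KDC Authentication or Smart Card Logon is a candidate for the failure described in this article.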
Issue/Introduction
Users are receiving a message "Username or password is incorrect" when they attempt to connect to their VDIs using Citrix Federated Authentication Service (FAS)