After migrating the VDAs to another site, the VDAs show as unregistered.
In the CDF logs, the following exception is recorded:
Error,"Error occurred when attempting to connect to endpoint at address http://XXXXX.XXXX.com:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
Error,"ControllerConnectionFactory:AttemptConnection: Inner exception is System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
Error,"RegistrationManager.AttemptRegistrationWithSingleDdc: Failed to register with http://XXXXX.XXXX.com:80/Citrix/CdsController/IRegistrar. Exception:Citrix.Cds.BrokerAgent.ConnectionFailedException, Error occurred when attempting to connect to endpoint at address http://XXXXX.XXXX.com:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
The settings applied by the group policies linked to the OU containing the VDAs and DDCs restrict the Kerberos encryption types available for communication between the VDA and the DDC, so the VDA cannot authenticate to the Broker service.
1. Check whether CIS-based hardening has been applied to the DDCs.
Hardening commonly removes certain encryption types from the Windows Kerberos security policy, such as:
DES_CBC_CRC
DES_CBC_MD5
RC4_HMAC_MD5
Confirm that the encryption types above are present and enabled under Network Security: Configure encryption types allowed for Kerberos. If any are missing, add them to the allowed encryption types using the steps below.
- Perform these steps on all relevant Delivery Controllers.
- Changes may require a Group Policy update or a system restart to take effect.
- If the setting is delivered by a domain GPO linked to the OU (the cause described above), edit that GPO in the Group Policy Management Console instead of the local policy; a domain policy overrides the local setting at the next policy refresh.
- Re-enabling these types relaxes the hardening baseline: DES is disabled by default on current Windows releases and RC4_HMAC_MD5 is considered weak. Enable only the types that are actually missing and needed, keep the AES types enabled, and record the exception against the CIS benchmark.
Step 1: Open the Local Group Policy Editor
Press Win + R, type gpedit.msc, and press Enter.
Navigate to:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Locate:
Network Security: Configure encryption types allowed for Kerberos
Review the list of allowed encryption types. If RC4_HMAC_MD5, DES_CBC_CRC or DES_CBC_MD5 is missing, proceed to enable it.
Step 2: Enable the missing encryption types
Double-click Network Security: Configure encryption types allowed for Kerberos.
Select Define these policy settings.
Check the boxes for the missing types:
RC4_HMAC_MD5, DES_CBC_CRC, DES_CBC_MD5
Click Apply and then OK to save the changes.
Step 3: Apply Group Policy
Run the following command in an elevated Command Prompt:
gpupdate /force
This applies the updated policy immediately. If the DDC does not pick up the new encryption types, restart it.
Step 4: Validate
Use PowerShell (with the ActiveDirectory RSAT module) to confirm the Kerberos encryption types advertised by the DDC computer account:
Get-ADComputer -Identity <DDCName> -Properties msDS-SupportedEncryptionTypes
The attribute is a bitmask, not a list of names: DES_CBC_CRC = 1, DES_CBC_MD5 = 2, RC4_HMAC_MD5 = 4, AES128_CTS_HMAC_SHA1_96 = 8, AES256_CTS_HMAC_SHA1_96 = 16. Confirm that the bits for the types enabled in Step 2 are set (for example, 28 means RC4_HMAC_MD5 plus both AES types); an empty value means the setting is not defined and the domain default applies. The value written by the policy can also be read locally on the DDC from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters, DWORD SupportedEncryptionTypes.
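The following script is an added example and is not part of the original article or Citrix's own tooling. It decodes the msDS-SupportedEncryptionTypes bitmask into type names, reads the local policy value the GPO writes on the DDC, and checks whether the DDC and a VDA computer account share at least one Kerberos encryption type. It assumes it is run on a DDC by an administrator with the ActiveDirectory RSAT module installed; the computer names DDC01 and VDA01 are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original article): decode Kerberos encryption-type
# bitmasks and compare the DDC's local policy with what the DDC and VDA computer
# accounts advertise in AD. DDC01 / VDA01 below are placeholder names.

$EncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertTo-KerberosEncTypeNames {
    # Turn a msDS-SupportedEncryptionTypes / SupportedEncryptionTypes bitmask into names.
    param([Parameter(Mandatory)][int64]$Mask)
    $names = @(foreach ($entry in $EncTypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -ne 0) { $entry.Key }
    })
    # Bits outside the five well-known types (e.g. the GUI's "Future encryption types")
    # are reported raw rather than guessed at.
    $other = $Mask -band 0x7FFFFFE0
    if ($other -ne 0) { $names += ('other=0x{0:X}' -f $other) }
    return $names
}

function Get-LocalKerberosPolicyEncTypes {
    # The policy "Network security: Configure encryption types allowed for Kerberos"
    # writes this DWORD; a missing value means the setting is not defined locally.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.SupportedEncryptionTypes
}

function Get-AdKerberosEncTypes {
    # Read the bitmask the computer account advertises in AD (null if never set).
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties msDS-SupportedEncryptionTypes
    return $c.'msDS-SupportedEncryptionTypes'
}

function Test-KerberosEncTypeOverlap {
    # Report both accounts and return the encryption types they have in common.
    param([Parameter(Mandatory)][string]$DdcName,
          [Parameter(Mandatory)][string]$VdaName)
    $masks = @{}
    foreach ($name in $DdcName, $VdaName) {
        $masks[$name] = Get-AdKerberosEncTypes -ComputerName $name
        $desc = if ($null -eq $masks[$name]) {
            'not set (domain default applies)'
        } else {
            '{0} = {1}' -f $masks[$name], ((ConvertTo-KerberosEncTypeNames -Mask $masks[$name]) -join ', ')
        }
        Write-Host ("{0}: msDS-SupportedEncryptionTypes {1}" -f $name, $desc)
    }
    if ($null -eq $masks[$DdcName] -or $null -eq $masks[$VdaName]) {
        Write-Host 'At least one account has no explicit value; compare against the domain default instead.'
        return $null
    }
    $common = $masks[$DdcName] -band $masks[$VdaName]
    if ($common -eq 0) {
        Write-Warning "No Kerberos encryption type is common to $DdcName and $VdaName; the VDA cannot authenticate to the DDC, which matches the registration failure in the CDF trace."
    }
    return ConvertTo-KerberosEncTypeNames -Mask $common
}

# Usage on the DDC (placeholder names):
$local = Get-LocalKerberosPolicyEncTypes
if ($null -eq $local) {
    Write-Host 'Local Kerberos encryption-type policy: not defined'
} else {
    Write-Host ('Local Kerberos encryption-type policy {0} = {1}' -f $local, ((ConvertTo-KerberosEncTypeNames -Mask $local) -join ', '))
}
$shared = Test-KerberosEncTypeOverlap -DdcName 'DDC01' -VdaName 'VDA01'
Write-Host ('Types usable between DDC and VDA: {0}' -f ($shared -join ', '))
```

Run it after the gpupdate in Step 3; a local value such as 28 with an empty "other" part confirms the policy took effect without re-enabling DES, and a non-empty shared list confirms the VDA and DDC can still agree on a type. If the local value does not change after editing local policy, the setting is being enforced by a domain GPO and must be changed there.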
Post-migration of the Citrix VDAs to another site, the VDAs are not getting registered.