• Users are connecting from 2 different domains: Domain1 and Domain2 to a CVAD site, both domains are in the same forest.
• The Storefront Servers are in Domain1, users from Domain1 do not have issues.
• Users from Domain2 see the error "Cannot complete your request" after entering their credentials.
• The "Citrix Delivery Services" event logs on the storefront server show the Error with Event ID: 100: Containing the following txt: "Failed to get user data to determine password expiry: access denied to server: DC1.DOMAIN2.MYFOREST.COM. The Citrix Default Domain Services Windows service may require to be run with a service account."
• Ensured that the service account has the required permissions to query users.
• Cross domain authentication is enabled for both the domains.
• There is a Two-Way trust between both domains.
• Confirmed that there is connectivity between domain controllers for Domain2 and the Storefront servers on ports 88, 389 and 636 and 3268.

Storefront was attempting to query the user's AD account details and this was being blocked by a firewall.

Enable RPC Communication port 135 and dynamic ports 49151-65535 between the Storefront servers and the Domain Controllers of Domain2.

This is required for password expiration checks and other authentication processes.

Users receive a "Cannot complete your request" message and the Storefront "Citrix Delivery Services" event logs show EventID: 100 - "Failed to get user data to determine password expiry: access denied to server: The Citrix Default Domain Services Windows service may require to be run with a service account" when users from a different domain in the same Forest attempt to authenticate on Storefront.

Tech Paper: Communication Ports Used by Citrix Technologies: https://community.citrix.com/tech-zone/build/tech-papers/citrix-communication-ports/#wiki-header-3