Users fail to log on to NetScaler Gateway with the following error: "Incorrect credentials. Try again."

Log on through StoreFront is successful.

From /tmp/aaad.debug, the following is the logon failure message:

/usr/home/build/rs_101_129_6/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_common.c[341]: ns_ldap_check_result checking LDAP result. Expecting 97 (LDAP_RES_BIND)
Mon Feb 22 17:15:00 2016
/usr/home/build/rs_101_129_6/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_common.c[376]: ns_ldap_check_result ldap_result found expected result LDAP_RES_BIND
Mon Feb 22 17:15:00 2016
/usr/home/build/rs_101_129_6/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_common.c[202]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>>
Mon Feb 22 17:15:00 2016
/usr/home/build/rs_101_129_6/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_common.c[386]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials

1. Verify that the administrator Bind DN password is not expired or incorrect.
2. Verify that the Bind DN credentials are Domain admin credentials or at a minimum, the Bind DN account must have:

• Read access to the user objects in the LDAP directory in order to search for user accounts.
• Read access to the Base DN (for example, DC=citrix, DC=com) with the correct attribute that is used as the LDAP Login Name (for example, samAccountName).

Problem Cause

Administrator Bind DN password in LDAP action is expired or not correct.