Cannot logon using Smartcard through Storefront after upgrading the Domain Controller to Windows Server 2016

Article ID: CTX235268

Description

Question:
Cannot logon using Smartcard through Storefront after upgrading the Domain Controller to Windows Server 2016

Answer:
Windows Server 2016 needs a code change to handle authentication when AltSecID (altSecurityIdentities) mappings are in place in AD. Microsoft will address this in a future code change. For now there is a registry fix that can be applied to clients and domain controllers, as described in: https://support.microsoft.com/en-gb/help/4043463/how-to-disable-the-subject-alternative-name-for-upn-mapping

On the DC:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Type = DWORD
Value Name = UseSubjectAltName
Value Data = 0

On the Client:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type = DWORD
Value Name = UseSubjectAltName
Value Data = 0

This fix addresses the authentication failure users received when authenticating with a smart card against their Windows Server 2016 DCs. Setting UseSubjectAltName to 0 causes only the certificate to be sent to the KDC and the UPN from the Subject Alternative Name to be discarded, which allows users to authenticate.
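The two registry changes above, as an added PowerShell example that is not part of the Citrix article: it reports the current value of UseSubjectAltName for the role this machine holds and sets it to 0 only when run with -Apply. Detecting a domain controller by the presence of the Kdc service key is an assumption, not something the article states.

```powershell
# Added example (not from the Citrix article). Audits, and optionally applies,
# the UseSubjectAltName = 0 setting described in CTX235268 / KB4043463.
# Run in an elevated PowerShell session on the DC or on the client.
param([switch]$Apply)

# Registry locations from the article, one per role.
$paths = @{
    'DomainController' = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    'Client'           = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
}
$valueName = 'UseSubjectAltName'

# Assumption: the Kdc service key exists only on a domain controller, so its
# presence is used to choose which of the two locations applies here.
$role = if (Test-Path $paths['DomainController']) { 'DomainController' } else { 'Client' }
$path = $paths[$role]

function Get-UseSubjectAltName {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default: SAN/UPN mapping enabled)' }
    return $item.$valueName
}

$current = Get-UseSubjectAltName -Path $path
Write-Host ("{0}: {1}\{2} = {3}" -f $role, $path, $valueName, $current)

if ($Apply -and $current -ne 0) {
    # REG_DWORD 0 disables SAN-to-UPN mapping, so the KDC relies on the
    # explicit altSecurityIdentities (AltSecID) mapping on the AD account.
    New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host ("{0}: {1} set to 0" -f $role, $valueName)
}
```

Run it without -Apply first on a DC and on one client to record the current state before changing anything.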

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Additional Information

Detailed Description of Problem:
 
When a user tries to use their smart card to authenticate to the Citrix StoreFront solution (via a browser or Receiver, as well as on Wyse terminals), they are unable to do so. The error shown in the browser is "You cannot log on using a smart card".
 
NOTE: this behavior is only seen when Citrix Storefront handles authentication against a Windows Server 2016 acting as a Domain Controller.