Getting incorrect username or password error when using FAS to single sign on with VDA with event ID 102 and event ID 25 on DC


Article ID: CTX270740

Description

When a user launches an ICA session to a VDA through FAS (Federated Authentication Service), the logon fails with the error "The user name or password is incorrect". The VDA logs the following event:

Event ID 102: Identity Assertion Logon failed: Could not lookup SID for <UPN of the user> [Exception: The user name or password is incorrect.]


Resolution

At the same time, the Domain Controller logs the matching Kerberos failure:

Event ID: 25
Source: Kerberos Key Distribution Center
The account <VDA hostname> from domain <domain name> is attempting to use S4USelf for the target client ica, but is not allowed to perform group expansion on this client's user object.

  • Add the VDA computer account to the Windows Authorization Access Group (a Builtin group in Active Directory, visible on the Domain Controller). Group membership is only reflected in a new Kerberos ticket, so restart the VDA, or purge the computer account's Kerberos tickets on the VDA, before testing again.
  • Grant this membership only to the VDA computer accounts (or a group that contains them), not to broad groups such as Domain Computers or Authenticated Users: members of the Windows Authorization Access Group can read the group membership of every user in the domain.
  • If the issue persists, collect network traces from the VDA and the DC along with the event logs (Application, System and Security) from both machines and engage Citrix Support.
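The procedure above, scripted as an added example that is not part of the Citrix article: it resolves the Windows Authorization Access Group by its well-known SID, checks whether the VDA computer account is already a member (directly or through a nested group), adds it if not, and then lists the accounts the DC has logged Event ID 25 against. It assumes the RSAT ActiveDirectory module, rights to change the Builtin group, and that the KDC provider name and event message format are as assumed in the comments.

```powershell
# Added example, not Citrix's own tooling. Assumes RSAT ActiveDirectory and
# rights to modify the Builtin Windows Authorization Access Group (WAAG).
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $VdaHostName,   # e.g. 'VDA01' (computer name without trailing $)
    [string] $DomainController = (Get-ADDomainController -Discover).HostName
)

# WAAG is a Builtin domain-local group with a fixed well-known SID, so resolve it
# by SID rather than by a display name that may be localised or renamed.
$waagSid = 'S-1-5-32-560'
$waag    = Get-ADGroup -Identity $waagSid -Server $DomainController

# Computer accounts carry a trailing '$' in sAMAccountName.
$vda = Get-ADComputer -Identity "$VdaHostName`$" -Server $DomainController

function Test-WaagMembership {
    param([Microsoft.ActiveDirectory.Management.ADComputer] $Computer)
    # -Recursive so that membership via a nested group also counts.
    $members = Get-ADGroupMember -Identity $waag -Recursive -Server $DomainController
    return [bool] ($members | Where-Object { $_.SID.Value -eq $Computer.SID.Value })
}

if (Test-WaagMembership -Computer $vda) {
    Write-Host "$($vda.Name) is already a member of $($waag.Name)."
} else {
    Add-ADGroupMember -Identity $waag -Members $vda -Server $DomainController
    Write-Host "Added $($vda.Name) to $($waag.Name)."
    # The VDA's existing TGT still carries the old group list. Reboot the VDA,
    # or on the VDA run as an administrator:  klist -li 0x3e7 purge
    # so the computer account re-authenticates and its ticket gains the new SID.
    Write-Host 'Restart the VDA (or purge its system Kerberos tickets) before retesting.'
}

# List the accounts the KDC refused S4U2Self group expansion for in the last
# 24 hours. The regex follows the Event ID 25 text quoted in this article; the
# provider name is the assumed name of the KDC event source in the System log.
$pattern = 'The account (?<acct>\S+) from domain (?<dom>\S+) is attempting to use S4USelf for the target client (?<client>\S+)'
Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumed provider name
        Id           = 25
        StartTime    = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Account      = $Matches.acct
                Domain       = $Matches.dom
                TargetClient = $Matches.client
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it once per VDA (or point `$VdaHostName` at each entry of your VDA list). The Event ID 25 listing is the quickest way to confirm which other VDAs, if any, still need the group membership after the ticket refresh.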

Problem Cause

Some applications read the token-groups-global-and-universal (TGGAU) attribute on user or computer account objects in Active Directory, and some Win32 functions read it on their behalf. Any application that reads this attribute, directly or through an API that reads it, fails if the calling security context does not have access to the attribute. In this case the caller is the VDA computer account: the Event ID 25 text shows the VDA using Kerberos S4U2Self to obtain a token for the user, and the KDC must expand the user's group membership (read TGGAU) to build that token.

By default, access to the TGGAU attribute is determined by the Permission Compatibility choice made when the domain was created during the DCPromo.exe process. The default permission compatibility for new Windows Server 2003 (and later) domains does not grant broad access to the TGGAU attribute. Instead, read access can be granted as required through the Windows Authorization Access (WAA) group introduced in Windows Server 2003.
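To see the permission check directly rather than inferring it from Event ID 25, the following added example (not from the Citrix article or the Microsoft KB) reads the TGGAU attribute of a user with a plain LDAP base-scope read, which is the same access the KDC needs for group expansion. Run it on the VDA in the computer account's security context (for instance via `psexec -s`, which is illustrative tooling, not something the article prescribes) to reproduce what the KDC sees; the UPN `user@example.com` in the usage comment is a placeholder.

```powershell
# Added example, not Citrix's or Microsoft's code. Reports whether the current
# security context may read tokenGroupsGlobalAndUniversal (TGGAU) on a user.
# Run as the VDA computer account to mirror the KDC's S4U2Self check, e.g.:
#   psexec -s powershell.exe -File .\Test-Tggau.ps1 -UserPrincipalName user@example.com
param([Parameter(Mandatory)] [string] $UserPrincipalName)

function Test-TggauRead {
    param([string] $Upn)

    # Locate the user by UPN with System.DirectoryServices; no RSAT required.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user found with UPN $Upn" }
    $dn = $result.Properties['distinguishedname'][0]

    # TGGAU is a constructed attribute: it is only returned by a base-scope read
    # of the object itself, which RefreshCache performs for the named attribute.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    try {
        $entry.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))
    } catch {
        return [pscustomobject]@{ User = $dn; CanReadTggau = $false; Groups = @(); Error = $_.Exception.Message }
    }

    # Each value is a binary SID. Every user has at least its primary group here,
    # so an empty list (with no exception) also means the read was not permitted.
    $sids = foreach ($b in $entry.Properties['tokenGroupsGlobalAndUniversal']) {
        (New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value
    }
    [pscustomobject]@{
        User         = $dn
        CanReadTggau = ($sids.Count -gt 0)
        Groups       = @($sids)
        Error        = $null
    }
}

$r = Test-TggauRead -Upn $UserPrincipalName
if ($r.CanReadTggau) {
    "Caller can read TGGAU for $($r.User): $($r.Groups.Count) global/universal group SID(s)."
} else {
    "Caller CANNOT read TGGAU for $($r.User); add the caller to the Windows Authorization Access Group. $($r.Error)"
}
```

Running the same script as a domain administrator will succeed, so the comparison that matters is the result under the VDA's own computer account before and after the group membership change and ticket refresh.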

Additional Information

https://support.microsoft.com/en-gb/help/331951/some-applications-and-apis-require-access-to-authorization-information