Suddenly, all VDAs from specific OUs became unregistered. Key errors and warnings from the VDAs:
Windows Event Log
The "Citrix Desktop Service" event shows that "The Citrix Desktop Service successfully registered with delivery controller XXXX".
However, in Studio the registration state of these VDAs is still unregistered.
Wireshark Trace
The DDC server responds with a 500 exception while the VDA is sending registration requests.
Detailed information is "The request for security token could not be satisfied because authentication failed".
CDF Trace
VDA trace snippet shows an error "The request for security token could not be satisfied because authentication failed".
Error,"Error occurred when attempting to connect to endpoint at address http://{DDC-Domain:port}/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed. System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
--- End of inner exception stack trace ---
The applied settings of the group policies linked to the OU where the VDA and DDC reside restrict the communication between the VDA and the DDC.
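
The following is an added example, not Citrix code: a triage helper that scans exported CDF trace lines for the IRegistrar connect error shown above and separates authentication failures (the controller answered and rejected the caller) from unreachable endpoints. The sample lines, host names and port are constructed, and the EndpointNotFoundException case is an assumed contrast case that does not appear in the trace on this page.

```python
import re
from collections import Counter

# Shape of the connect-error record in the VDA CDF trace.
CONNECT_ERR = re.compile(
    r"connect to endpoint at address (?P<address>\S+), binding \S+ and contract "
    r"(?P<contract>[\w.]+): (?P<exception>[\w.]+Exception): (?P<message>.*)")
# Fault text reported in both the Wireshark and CDF traces.
AUTH_FAULT = "security token could not be satisfied because authentication failed"

# Constructed sample lines; host names and port are placeholders.
_PREFIX = 'Error,"Error occurred when attempting to connect to endpoint at address '
_MID = (", binding WsHttpBindingIRegistrarEndpoint and contract "
        "Citrix.Cds.Protocol.Controller.IRegistrar: ")
DDC1 = "http://ddc01.example.test:80/Citrix/CdsController/IRegistrar"
DDC2 = "http://ddc02.example.test:80/Citrix/CdsController/IRegistrar"
SAMPLE = [
    _PREFIX + DDC1 + _MID + "System.ServiceModel.Security.SecurityNegotiationException: "
    "The caller was not authenticated by the service. ---> "
    "System.ServiceModel.FaultException: The request for security token could "
    "not be satisfied because authentication failed.",
    _PREFIX + DDC2 + _MID + "System.ServiceModel.EndpointNotFoundException: "
    "There was no endpoint listening at " + DDC2,
    'Information,"unrelated trace record"',
]


def classify(line):
    """Return address, exception and kind for a registrar connect error, else None."""
    m = CONNECT_ERR.search(line)
    if not m or not m["contract"].endswith(".IRegistrar"):
        return None
    exc = m["exception"].rsplit(".", 1)[-1]
    if exc == "SecurityNegotiationException" or AUTH_FAULT in m["message"]:
        kind = "authentication"  # controller answered but rejected the caller
    elif exc == "EndpointNotFoundException":
        kind = "unreachable"     # nothing answered at that address
    else:
        kind = "other"
    return {"address": m["address"], "exception": exc, "kind": kind}


def summarize(lines):
    """Count registrar failures per (controller address, kind)."""
    hits = filter(None, map(classify, lines))
    return Counter((h["address"], h["kind"]) for h in hits)
```

A summary dominated by "authentication" entries for VDAs in the affected OUs matches the symptom described here and points at the policy settings applied to those OUs rather than at network reachability.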