User is already part of the group which is published for citrix application. But still when user tries to login, they recieve access denied error.

When you check on citrix application properties, we have a AD group, and user is already part of this AD group. Interesting point is, only one user might have this issue and all existing other users in that group, and any new users added to this AD group will not have any errors.

Resolution has been posted in article: https://support.citrix.com/article/CTX136114

Resolution

• Confirmed that the end user does have access to those published applications attempting to be launched.

• Corresponding lingering sessions have been found pertaining to the affected user account. The disconnected sessions were logged off, but had no change on the reported error message.

• Citrix UPM 4.1 is being used to manage user profiles. The service is in a started state. The user profile has been recreated in the Profile Store. No change in error message

• At the time of error, the Citrix Profile Management service has been stopped and disabled to verify if the same issue is experienced with a local profile.

• Citrix UPM GPO have settings enabled for “Delete locally cached profiles on logoff”

• Template profiles and application streaming are not being used.

• Citrix UPM Logging was enabled, no corresponding events pertaining to reported error message identified in log files.

• Enabled Auditing of logons\logoffs using Local Security Policy (or GPO) on single XenApp server.

• Location: Windows Settings>Security Settings>Local Policies>Audit Policy

• Enable “Audit account logon events Properties” select Success & Failure.

• Enable “Audit logon events” select Success & Failure.

• No corresponding entries were found in event logs.

• Inquired on the business role of the affected user account. The customer informed that the affected end user is the company Compliance Officer.

• From the domain controller, checked AD Users & Computers, confirmed affected user account is a member of a large amount of AD Groups.

• For testing purposes, created a new user from a copy of affected user account. Newly created user account also received the same error message.

• From the test account, all file server group (more than ten groups) were removed. The affected user account was immediately able to launch applications. When AD groups were added once again, error message “Access denied’ was displayed.

• Advised customer to test increasing the Kerberos MaxToken size on a single XenApp server.

• From a single server, created new REG_DWORD at the registry path below to Increase Kerboros MaxTokenSize.

• HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

• Name: MaxTokenSize Type: REG_DWORD Value: 65535 (Decimal)

• Restarted the server.

• Tested application launch from WI with original user account which was experiencing the “Access denied” error. Then the user was able to launch published desktop without any issue.

Creating registry key on affected citrix server resolved our case.