Test a Citrix logon through DFA with the default LDAP or AD password. If it still fails, check the Windows Event Log on the Citrix StoreFront server at the time of the authentication failure (for example, "Cannot complete your request."). In one particular case we saw the following error:
The decryption of the delegated form body failed. Is there an encryption key mismatch? System.Security.Cryptography.CryptographicException, mscorlib, Version=18.104.22.168
This error indicated that the passphrase on the NetScaler did not match the one on StoreFront, even though it had been verified. It turned out that there was a special character in the passphrase, which caused the discrepancy, so we simplified the passphrase to avoid special characters.
On the StoreFront server, launch PowerShell and issue the following command to use a different, simpler passphrase: