Do you restrict which workstations your AD domain users can log on to? You can check this by opening Active Directory Users and Computers, opening the properties of a given user account, clicking the Account tab and then the Log On To button. In the example here, the user is only allowed to log on to three machines: ballfield-pc01, xenapp01, and xenapp02.

If you do restrict which workstations a user can log on to, you may inadvertently deny them access to the Citrix Access Gateway, assuming you are using an LDAP authentication policy that points to an internal domain controller. Even though the user may be in the proper AD security groups, restricting which workstations they can log on to may result in an “incorrect credentials” message as shown below:

Assume my LDAP configuration on the NetScaler is set up as shown:

Also assume that the domain controller at that address is named ChicagoDC01.

You can correct the issue in one of two ways. Either set the workstation Log On To setting back to All Computers, or, if you want to continue to restrict workstation access, add the LDAP authentication server (in this example, ChicagoDC01) to the user's list of allowable workstations:

Once this is completed, the user should be able to log on to the Access Gateway with no further problems.
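The same fix can be scripted instead of clicking through the Log On To dialog, which also makes it easy to audit every restricted account at once. The following PowerShell is an added example and is not from the original post; it assumes the ActiveDirectory module (RSAT) is installed, that the account running it may modify the user, and uses a placeholder user name (`jdoe`). The domain controller name ChicagoDC01 is the one from the post. The "Log On To" list is stored in the `LogonWorkstations` property (LDAP attribute `userWorkstations`) as a single comma-separated string, and an empty value means All Computers.

```powershell
# Added example (not from the original post): add the LDAP domain controller to a
# user's "Log On To" list only if the user is restricted and the DC is missing,
# and audit every restricted account in the domain for the same gap.
# Assumptions: ActiveDirectory module available; 'jdoe' is a placeholder account;
# ChicagoDC01 is the DC the NetScaler LDAP policy points to (from the post).
Import-Module ActiveDirectory

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)] $User)
    # Empty attribute = "All computers"; otherwise a comma-separated NetBIOS name list.
    if ([string]::IsNullOrWhiteSpace($User.LogonWorkstations)) { return @() }
    return @($User.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-LdapServerToLogonWorkstations {
    param(
        [Parameter(Mandatory)] [string]$UserName,
        [string]$LdapServer = 'ChicagoDC01'
    )
    $user    = Get-ADUser -Identity $UserName -Properties LogonWorkstations
    $allowed = Get-LogonWorkstationList -User $user

    if ($allowed.Count -eq 0) {
        Write-Host "$UserName is not restricted (All computers); nothing to change."
        return
    }
    Write-Host "Current list for ${UserName}: $($allowed -join ', ')"

    # -contains is case-insensitive, so 'chicagodc01' and 'ChicagoDC01' both match.
    if ($allowed -contains $LdapServer) {
        Write-Host "$LdapServer is already allowed; this setting will not block the Access Gateway logon."
        return
    }

    # Preserve the existing entries and append the DC; Set-ADUser expects the joined string.
    $updated = ($allowed + $LdapServer) -join ','
    Set-ADUser -Identity $UserName -LogonWorkstations $updated
    Write-Host "Added $LdapServer. New list: $updated"
}

function Find-RestrictedUsersMissingLdapServer {
    param([string]$LdapServer = 'ChicagoDC01')
    # Only accounts with a non-empty userWorkstations attribute are restricted.
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        Where-Object { (Get-LogonWorkstationList -User $_) -notcontains $LdapServer } |
        Select-Object SamAccountName, LogonWorkstations
}

# Usage: fix one user, then list any other restricted users that would hit the same error.
Add-LdapServerToLogonWorkstations -UserName 'jdoe' -LdapServer 'ChicagoDC01'
Find-RestrictedUsersMissingLdapServer -LdapServer 'ChicagoDC01' | Format-Table -AutoSize
```

The audit function is the part worth keeping around: any account it lists is one whose Log On To restriction will produce the "incorrect credentials" message at the Access Gateway, even though the user's password and group membership are fine. If your LDAP policy has more than one server (or a load-balanced virtual server fronting several domain controllers), run the check once per domain controller name.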