I'm setting up a StoreFront environment at work and I've come across a strange bug in the Access Gateway VPX 5.0.4.
As we have 15 domains in our global forest, we set the authentication profile to look at our Global Catalog servers as below so we can use Access Gateway in our environment:
This has been working fine, and users log in with a username in the form domain\username to get authenticated. Today I had one user who could not log in. Logging in internally to StoreFront worked fine and the user had access to all other network resources. Time to look at the debug log on the AG:
So we can see from the log that the result is that the account is disabled. Searching the user's domain for his account showed it was fine, and enabled. Searching all domains for the username, though, showed another account that was disabled. Even though the user had entered ict\gmu-admin in the username field of the AG, it seems the AG had found the account domain2\gmu-admin, which is disabled, and had returned the deny based on this. Renaming the account in domain2 or deleting it solves the issue.
So, in a nutshell, be aware when using Citrix Access Gateway 5.0.4 and pointing it at a GC to cater for multiple domains, as the AG seems to ignore the domain for the purpose of authentication. It will still pass the domain to the backend StoreFront servers, though, so users do get presented with the correct apps.
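To find other accounts that could hit the same problem, the audit below (an added example, not part of the original setup) groups Global Catalog user entries by sAMAccountName and flags names that exist in more than one domain where at least one copy is disabled. The entries, the `example.test` domain suffix and the function names are constructed for illustration; in practice the entries would come from an export of a GC user search.

```python
from collections import defaultdict

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts

# Constructed sample of Global Catalog results (not real directory data).
GC_ENTRIES = [
    {"dn": "CN=gmu-admin,OU=Admins,DC=ict,DC=example,DC=test",
     "sAMAccountName": "gmu-admin", "userAccountControl": 0x0200},
    {"dn": "CN=gmu-admin,OU=Old,DC=domain2,DC=example,DC=test",
     "sAMAccountName": "GMU-Admin", "userAccountControl": 0x0202},
    {"dn": "CN=jsmith,OU=Staff,DC=ict,DC=example,DC=test",
     "sAMAccountName": "jsmith", "userAccountControl": 0x0200},
    {"dn": "CN=jsmith,OU=Staff,DC=domain3,DC=example,DC=test",
     "sAMAccountName": "jsmith", "userAccountControl": 0x0200},
]


def domain_of(dn):
    """Build the DNS domain from the DC= parts of a DN.

    Naive comma split: adequate for the sample, not for DNs with escaped commas.
    """
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()


def find_collisions(entries):
    """Map each sAMAccountName present in more than one domain to its accounts."""
    by_name = defaultdict(list)
    for e in entries:
        disabled = bool(int(e["userAccountControl"]) & ACCOUNTDISABLE)
        # sAMAccountName is unique per domain only, and compared case-insensitively.
        by_name[e["sAMAccountName"].lower()].append((domain_of(e["dn"]), disabled))
    return {n: sorted(a) for n, a in by_name.items()
            if len({d for d, _ in a}) > 1}


def logon_risks(entries):
    """Names where a domain-blind match can land on a disabled namesake."""
    return sorted(n for n, accts in find_collisions(entries).items()
                  if any(d for _, d in accts) and not all(d for _, d in accts))


if __name__ == "__main__":
    risky = logon_risks(GC_ENTRIES)
    for name, accts in find_collisions(GC_ENTRIES).items():
        for domain, disabled in accts:
            print("RISK" if name in risky else "ok  ", name, domain,
                  "disabled" if disabled else "enabled")
```

Names reported as RISK are the ones to rename or remove in the other domain, as was done for gmu-admin above.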