Users password has expired
When logging onto a Wyse Client (in this case a C10LE or Dx0D running the latest firmware), you are told your password has expired. You are given the option to change your password, once you click OK, you are presented with the following message;
Turning on Verbose mode on the Storefront server and running Microsoft DebugView Tool to view the output files (C:\Program Files\Citrix\Receiver Storefront\Admin\Trace)
Here is the Citrix KB on setting up verbose logging and reading the trace files.
Set-DSTraceLevel –All –TraceLevel Verbose
Get-Service "CitrixConfigurationReplication" | Restart-Service
Get-Service "CitrixCredentialWallet" | Restart-Service
Get-Service "CitrixDefaultDomainService" | Restart-Service
Get-Service "CitrixSubscriptionsStore" | Restart-Service
Get-Service "Citrix Peer Resolution Service" | Restart-Service
Set-DSTraceLevel –All –TraceLevel Off
- In the debug we could see that when the password reset tokens were sent;
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE AdminProtocol SYSTEM "Admin.dtd">test.user</UserName><Domain type="NT">STUDENT</Domain><OldPassword>oranges</OldPassword><NewPassword>apples</NewPassword></RequestChangePassword></AdminProtocol>
Here you can make out that the above highlighted words are the user credentials and the old and new password.
- There was a response stating;
 PnaAuthenticationLogic: Authenticate response status: FailedInvalidDomain, isSuccess: False, password expired: False
- We also seen a “Charlotte” error as well;
 PnaAuthenticationExplicitController: PnaAuthenticationException from change password Citrix.DeliveryServices.PnaProtocol.Authentication.PnaAuthenticationException: CharlotteErrorBadCredentials
Below is a dissection of the debug output;
The fix was to change the Wyse configuration file (WNOS.ini) for the line that puts in the available domains to the FQDN rather than the NETBIOS name for each domain.
Our old configuration was;
Our new configuration was;
We could then see that in the debug file, the line describing the domain details, includes the FQDN.
This issue was not apparent when using Citrix XenDesktop 5.5 and Citrix Web Interface, only when we migrated to XenDesktop 7.6 and StoreFront Services, which I imagine uses a higher level of security, meaning passing the NETBIOS name through is unacceptable now.