Error: 401 – Unauthorized: Access is denied due to invalid credentials. This error was appearing after authenticating to NetScaler Gateway just as users were being passed through to Citrix Web Interface v5.4.
The event logs on the Web Interface servers showed the following: “A communication error occured while attempting to contact the Access Gateway authentication service. The remote name could not be resolved”. This indicated a name resolution problem between Citrix Web Interface and the NetScaler Gateway vServer. As a result, the Web Interface server could not contact the NetScaler Authentication Service.
It did indeed turn out to be a DNS resolution error. The Citrix Web Interface servers could not resolve the NetScaler authentication service (callback URL). This was a simple fix: adjusting the relevant DNS settings.
Another thing to look out for is firewall rules. For communication to occur between StoreFront/Web Interface and the NetScaler Authentication service, HTTPS/443 must be allowed through any firewalls in the path. If not, you will get the below Event Logs.
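
Both causes described above (DNS resolution of the callback URL host and HTTPS/443 reachability) can be checked from the Web Interface or StoreFront server with the following script. It is an added example, not part of the original post; the function name `Test-GatewayCallback` and the host `gateway.example.com` are placeholders. It uses only .NET classes, so it also runs on older PowerShell versions.

```powershell
# Added example: run on the Web Interface / StoreFront server itself, because
# the callback connection originates there, not from the user's client.
function Test-GatewayCallback {
    param(
        [Parameter(Mandatory = $true)][string]$CallbackHost,  # host part of the callback URL
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    # Stage 1: name resolution, using the same .NET resolver as the web application.
    # A failure here matches the "remote name could not be resolved" event.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($CallbackHost)
    } catch {
        return New-Object PSObject -Property @{
            Host = $CallbackHost; Stage = 'DNS'; Ok = $false
            Detail = $_.Exception.Message
        }
    }

    # Stage 2: TCP connect to each resolved address with a timeout.
    # A timeout or refusal on every address points at a firewall or listener issue.
    foreach ($ip in $addresses) {
        $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
        try {
            $async = $client.BeginConnect($ip, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $client.EndConnect($async)
                return New-Object PSObject -Property @{
                    Host = $CallbackHost; Stage = 'TCP'; Ok = $true
                    Detail = "Connected to ${ip}:$Port"
                }
            }
        } catch {
            # Connection error on this address; try the next one.
        } finally {
            $client.Close()
        }
    }

    $tried = ($addresses | ForEach-Object { $_.ToString() }) -join ', '
    return New-Object PSObject -Property @{
        Host = $CallbackHost; Stage = 'TCP'; Ok = $false
        Detail = "Resolved to $tried but port $Port did not accept a connection"
    }
}

# Placeholder host name: substitute the host from your callback URL.
Test-GatewayCallback -CallbackHost 'gateway.example.com' | Format-List
```

A result with `Stage = DNS` and `Ok = False` corresponds to the resolution failure above; `Stage = TCP` and `Ok = False` means the name resolves but port 443 is not reachable from this server.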