Jump to content
Welcome to our new Citrix community!

Password expired - Cannot complete your request - FailedChangeExpiredSecret in Storefront Event ID 7

Recommended Posts

Dear all,


just recently I had to start implementing Fine Grained Password Policies in order to ensure complex passwords and subsequent changes on a regular basis. While testing I came upon the following error(s):

  • In case a user signs into our NS and needs to change her password due to being expired, the user receives an error upon logging on which states "Cannot complete your request". The user can click OK in stays in an indefinite loop showing the same error again and again.
  • Everytime the user runs into this error due to having an expired password and thus needing to change it, the Citrix Delivery Services Event Log on my Storefront server throws 3 event log entries (pls see JPGs attached as well):
  1. Source: Citrix Domain Services
    Event ID: 1
    Level: Information
    General: An authentication attempt was made for user: ctxuser6@domain.de that resulted in: FailedSecretExpired (Windows Error Code: 1907)
    Password expiry information was requested but none was returned.
  2. Source: Citrix Authentication Service
    Event ID: 7
    Level: Error
    General: CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedChangeExpiredSecret.
    The credentials supplied were;
    user: ctxuser6@domain.de
  3. Source: Citrix Receiver for Web
    Event ID: 10
    Level: Error
    General: A CitrixAGBasic Login request has failed.
    Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
    Authenticate encountered an exception.
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
    at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
    System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    The remote server returned an error: (403) Forbidden.
    Url: https://storefront.domain.local/Citrix/Authentication/CitrixAGBasic/Authenticate
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden
    at System.Net.HttpWebRequest.GetResponse()
    at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
    at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable1 acceptedResponseTypes, IDictionary2 additionalHeaders)
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
  • Further testing revelead that users are able to change their passwords manually, i.e. initiating a password change via NS/SF by the user herself works just fine.
  • But as soon as an expired password has been identified or the "User must change password at next logon" has been enabled I receive the aforementioned error(s).
  • Users have different UPNs, thus everyone is using the corresponding email addresses for logins, which in return correspond to their UPNs.
  • RADIUS has been implemented (SMS Passcode); the corresponding token must be entered after the AD password.
  • In case the "Cannot complete your request" error appears no 2nd token, i.e. RADIUS, shows up.


The environment consists of the following:

  • NS12.0 57.24nc
  • SF v3.12


The configuration is as follows:

  • NS Session Profile Credential Index: PRIMARY
  • NS Session Profile Single Sign-on Domain: <none>
  • NS LDAP Authentication: SSL/636
  • NS Allow Password Change: enabled
  • NS Server Logon Name Attribute: userPrincipalName
  • NS SSO Name Attribute: userPrincipalName
  • NS Primary Authentication: 1 LDAP Policy, 1 RADIUS Policy
  • SF Authentication Methods: User name and password, Domain pass-through, Pass-through from Netscaler Gateway
  • SF Allow Password Change: enabled
  • SF Trusted Domains: Any
  • SF Logon Type: Domain


Any help would be greatly appreciated. In case more information is required pls don't hesitate to ask. I'll gladly provide it.


2019-01-22 10_27_13-CLIENTAO - Desktop Viewer.png

2019-01-22 10_27_33-CLIENTAO - Desktop Viewer.png

2019-01-22 10_27_58-CLIENTAO - Desktop Viewer.png

2019-01-22 10_28_10-CLIENTAO - Desktop Viewer.png

Link to comment
Share on other sites

  • 2 months later...
Link to comment
Share on other sites

  • 9 months later...
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...