Citrix iApp and Active Directory

Question

According to AD policy, the user is required to change their password every so many days. When logging in to Citrix via the APM logon page, the user receives the message:&nbsp;
"The domain password has expired. Please change the password".
The user enters their new password meeting the AD complexity requirements, clicks logon and is presented with:&nbsp;
"The domain password change operation failed. Please try again".&nbsp;
Looking into the sessions logs on the APM, the log message says:
"AD module: change password for "username" failed: (1588592656).&nbsp;
Any ideas?&nbsp;
Also, on the iApp for the Citrix APM section when it asks:&nbsp;
"What is the name or IP address of an Active Directory server in your domain this BIG-IP system can contact?"&nbsp;
It seems to only give the option for 1 IP address for a DC. Can I add more? Is it possible to do it in the system somewhere rather than in the iApp?&nbsp;
Thanks.&nbsp;

greg_crosby_319 · Answer

Might be you are using an older version of the Citrix iApp, the latest Citrix iApp (citrix_vdi.v.2.1.0) has the option to enter multiple ad servers.&nbsp;
Password changes require a user account with administrative privileges to be present in the APM AAA profile.
Verify "Yes...." was selected for question "Does your Active Directory domain require credentials?" if using the iApp to configure your AAA AD profile. If you manually built the AAA profile, verify an admin account and proper password has been entered.&nbsp;
To help troubleshoot, you can enable "Complexity check for Password Reset" and "Show Extended Error" within your access policy ad auth policy item. Doing so will display a more decipherable error message during logon and could help pin point where the failure resides.&nbsp;

tolinrome_13817 · Answer

Hi Greg,
Thanks for your response, I appreciate it. Also, thanks for the update for the new iApp, I think the one I'm using is from 2012.&nbsp;
I am using the iApp and I dont see the question in the Iapp you posted, ""Does your Active Directory domain require credentials?". But I do have a user account listed and I'm not sure what they mean by it must have "administrative permissions", perhaps domain admin group?&nbsp;
I did enable "Complexity check for Password Reset" and "Show Extended Error" and thats how I was able to see the session ID and see that error I posted ""AD module: change password for "username" failed: (1588592656)."&nbsp;
Note however, that users can login no problem, its just when AD forces them to change their passwords they cant.&nbsp;
Maybe I'll update the iApp and see what happens.&nbsp;

Forum Discussion

Citrix iApp and Active Directory

2 Replies

ICYMI - Steve Wozniak at AppWorld 2026

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Connections appear not to use Persistence

LB Connection Limit Detection Method

Partially reachabilty issues with VS in F5OS tenant

Forward proxy with SSL passthrough - SWG license required?

Need step-by-step guidance for migrating BIG-IP i2800 WAF to rSeries (UCS restore vs clean build)

Related Content

Azure Active Directory and BIG-IP APM Integration

Complete MFA solution with GA stored in Active Directory

Remote Authorization via Active Directory

Enabling Azure Active Directory Tenant Restrictions with F5

Microsoft Active Directory Federation Services (AD FS) iApp Template

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS