On each Domain Controller, a “Domain Controller Authentication” certificate is required.
If it expires, the error below is what the end user sees when trying to log on to Citrix:
To renew the certificate, log on to each Domain Controller, start MMC and add the Certificates snap-in (Computer account!):
Under Personal - Certificates, request a new certificate (Next - Next - choose the “Domain Controller Authentication” Enrollment Policy - Enroll).
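
To spot the problem before users hit it, the following added example (not part of the original page) lists the certificates in the Domain Controller's computer store and how many days each has left. It assumes the certificate can be recognised by the Smart Card Logon EKU that the "Domain Controller Authentication" template includes; the function name and the 30-day threshold are illustrative.

```powershell
# Added example: report expiry of DC logon certificates in the local computer store.
# Run in an elevated PowerShell session on each Domain Controller.
# Assumption: the certificate is identified by the Smart Card Logon EKU.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$TemplateInfoOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

function Get-DcAuthCertStatus {               # hypothetical helper name
    param([int]$WarnDays = 30)                # assumed threshold, adjust to your policy

    $now   = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid }

    # A missing certificate breaks logon just like an expired one, so report it.
    if (-not $certs) {
        Write-Warning "No certificate with the Smart Card Logon EKU found on $env:COMPUTERNAME"
        return
    }

    foreach ($c in $certs) {
        $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $days = [math]::Floor(($c.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Thumbprint = $c.Thumbprint
            Template   = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
            NotAfter   = $c.NotAfter
            DaysLeft   = $days
            Status     = if ($days -lt 0) { 'EXPIRED' }
                         elseif ($days -le $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
        }
    }
}

Get-DcAuthCertStatus -WarnDays 30 | Sort-Object DaysLeft | Format-List
```

After enrolling the new certificate, rerun the check and confirm that an entry with status OK is present on each Domain Controller.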