The certificate hash shown did not match the one bound to SSL port 443 in IIS (the correct cert hash starts with 89BA19BD4…).
Delete the legacy certificate binding that is causing the errors with the CLI command:
netsh http delete sslcert ipport=0.0.0.0:443
Note: The legacy certificate belonged to another set of StoreFront servers (3 SF servers) and was bound instead of the new certificate created for this new set of 2 SF servers.
Validation
When issuing the CLI command “netsh http show sslcert”, we now see that the legacy certificate binding is gone.
When testing logon through the NetScaler, we were able to SSON to the SF server using the two-factor authentication in place, with the setting “Enable Loopback Communication” left ON (under SF – Edit Receiver for Web Site – Advanced Settings).
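The check described above (compare the HTTP.sys binding on 0.0.0.0:443 with the certificate that should be there, then remove the stale binding) as a PowerShell script. This is an added example, not part of the original note; $ExpectedThumbprint is a placeholder to be replaced with the full thumbprint of the correct certificate, and the script only deletes the binding when -Remove is given.

```powershell
# Added example: verify which certificate HTTP.sys serves on an IIS SSL port and,
# on request, remove a stale binding (the same netsh remediation as in the note).
param(
    [string]$IpPort = '0.0.0.0:443',
    # Placeholder: replace with the full thumbprint of the cert that SHOULD be bound.
    [string]$ExpectedThumbprint = '89BA19BD4_REPLACE_WITH_FULL_THUMBPRINT',
    [switch]$Remove   # only delete the stale binding when explicitly asked
)

# Normalise a hash for comparison: netsh prints lowercase, MMC/certutil may add spaces or colons.
function Normalize-Hash([string]$h) { return ($h -replace '[\s:]', '').ToUpperInvariant() }

# Parse "Certificate Hash" and "Application ID" from the netsh output for one ip:port binding.
function Get-SslBinding([string]$ipPort) {
    $out = & netsh http show sslcert ipport=$ipPort 2>&1 | Out-String
    if ($out -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { return $null }
    $hash  = $Matches[1]
    $appId = if ($out -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
    return [pscustomobject]@{ IpPort = $ipPort; Hash = (Normalize-Hash $hash); AppId = $appId }
}

$binding = Get-SslBinding $IpPort
if (-not $binding) { Write-Host "No HTTP.sys SSL binding found on $IpPort"; return }

$expected = Normalize-Hash $ExpectedThumbprint
# Make sure the expected certificate really exists in the machine store before acting on it.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
if (-not $cert) { Write-Warning "Expected certificate $expected not found in Cert:\LocalMachine\My" }

if ($binding.Hash -eq $expected) {
    Write-Host "OK: $IpPort is bound to the expected certificate ($expected)"
    return
}

Write-Warning "MISMATCH on $($binding.IpPort): bound=$($binding.Hash) expected=$expected (AppId $($binding.AppId))"
if ($Remove) {
    # Drop the stale binding so the legacy certificate is no longer served on this port.
    & netsh http delete sslcert ipport=$IpPort
    Write-Host "Re-check with: netsh http show sslcert ipport=$IpPort"
} else {
    Write-Host "Run again with -Remove to delete the stale binding (netsh http delete sslcert ipport=$IpPort)"
}
```

Run from an elevated PowerShell on the StoreFront server; the Application ID is printed so the correct certificate can be rebound to the same IIS application afterwards.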