When launching an ICA session to the VDA with FAS, it fails with an error “The username or password is incorrect”. However, the certificate has already reached the VDA as per event ID 106. The certificate can be validated using : https://support.citrix.com/article/CTX219849 .
The System event logs on the VDA will show below event generated by Security-Kerberos :
Event ID 19 :
The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 220.127.116.11.18.104.22.168: Error Code 0xc0000320. The domain administrator will need to obtain a certificate with the KDC EKU for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.