In a recent P1 outage at a customer we got messages that some users would not be able to log on and some would. Authentication debugging would show cascading events, some that would work and some that would deny logons. In this particular setup there are two MFA solutions, one not native to the NetScaler and one native using the parameter setup in ADDS and the tokens. The latter was the one failing; the customer had already done a reboot and failover of the nodes, to no avail. After checking with all the engineers of the customer and one goosy Mick 😉 we came to the conclusion there was a time drift on the NetScaler: it would start out as 30 seconds behind and move up to about 5 minutes, and authentications would fail. For us and this particular case the reboots wouldn’t work and re-entering the NTP setup also wouldn’t help; the latest 13.1 release, which resolved a CVE, also resolved our problem.
Hope it helps.
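Why a growing clock drift first makes token logons intermittent and then breaks them completely, as an added example that is not part of the original post or of any NetScaler code. It assumes the native tokens are RFC 6238 TOTP codes with 30-second steps and that the verifier accepts one step either side of its own clock; the secret, the window size and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default, assumed here)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matched, or None.

    The verifier only knows its own clock (server_time) and tries
    `window` steps before and after it.
    """
    for off in range(-window, window + 1):
        candidate = totp(secret, server_time + off * STEP)
        if hmac.compare_digest(candidate, code):
            return off
    return None

def logon_succeeds(secret: bytes, true_time: int, server_drift: int,
                   window: int = 1) -> bool:
    """The token device has the correct time; the server clock is off by
    server_drift seconds (negative means the server is behind)."""
    code = totp(secret, true_time)
    return verify(secret, code, true_time + server_drift, window) is not None

def success_rate(secret: bytes, server_drift: int, window: int = 1,
                 start: int = 1_700_000_000, samples: int = 300) -> float:
    """Fraction of logons that succeed, one attempt per second over
    `samples` seconds (300 s covers ten full 30-second steps)."""
    ok = sum(logon_succeeds(secret, start + i, server_drift, window)
             for i in range(samples))
    return ok / samples

if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # constructed sample value
    for drift in (0, -30, -45, -60, -300):
        rate = success_rate(demo_secret, drift)
        print(f"server drift {drift:5d} s -> {rate:.0%} of logons accepted")
```

Under these assumptions a server that is 30 seconds behind still accepts every code, between 30 and 60 seconds the result depends on when within the step the user logs on, and at 5 minutes nothing is accepted.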