Was trying to set up receiver self-service in one of our newer sites and it kept error. (This affects receiver for iOS and Android too by the way, which is how I first came to know of this problem). Had a lot of little configuration errors that needed fixing, but the last one (which is the title of this post) had me stumped for a while.

Ensure that there’s a separate session policy for receiver self-service.

Ensure that the expression for the policy includes the case for iOS devices too if you are interested in that (i.e. User-Agent CONTAINS CitrixReceiver || User-Agent CONTAINS 'CitrixReceiver-iPad' || User-Agent CONTAINS CFNetwork || User-Agent CONTAINS Darwin).

Not critical, but as a good practice – ensure that your receiver for web policy and receiver self-service policies have equal priority so there’s one less thing to look at when considering these policies.

Ensure that the single sign-on domain in the receiver self-service matches the trusted domains you define in the Citrix StoreFront.

Remember that web authentication uses LDAP as primary & RADIUS as secondary while self-service authentication uses RADIUS as primary & LDAP as secondary, so double check these are set up accordingly with the correct expression to match web or self-service.
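
To check offline which policy a client would land on, the following added example (not from the original post, and not Citrix code) parses the post's User-Agent expression and pairs each result with the LDAP/RADIUS order the post gives. The User-Agent strings are constructed samples, and two things are assumed: CONTAINS is a case-sensitive substring test, and any client that does not match the expression falls to the receiver for web policy.

```python
import re

# Expression text as given in the post (OR-ed User-Agent terms).
SELF_SERVICE_EXPR = (
    "User-Agent CONTAINS CitrixReceiver || "
    "User-Agent CONTAINS 'CitrixReceiver-iPad' || "
    "User-Agent CONTAINS CFNetwork || "
    "User-Agent CONTAINS Darwin"
)
# (primary, secondary) authentication per policy, as stated in the post.
AUTH_ORDER = {"self-service": ("RADIUS", "LDAP"), "web": ("LDAP", "RADIUS")}
TERM = re.compile(r"^\s*([\w-]+)\s+CONTAINS\s+'?([^']+?)'?\s*$")

def parse_expr(expr):
    """Split an OR-ed expression into (header, needle) terms."""
    terms = []
    for part in expr.split("||"):
        m = TERM.match(part)
        if not m:
            raise ValueError(f"unparseable term: {part!r}")
        terms.append(m.groups())
    return terms

def matches(expr, headers):
    """True if any term matches (assumption: case-sensitive substring)."""
    return any(needle in headers.get(h, "") for h, needle in parse_expr(expr))

def classify(user_agent):
    """Return (policy, primary, secondary) for a client's User-Agent."""
    hit = matches(SELF_SERVICE_EXPR, {"User-Agent": user_agent})
    policy = "self-service" if hit else "web"
    return (policy,) + AUTH_ORDER[policy]

# Constructed sample User-Agent strings (not captured from real clients).
SAMPLES = {
    "windows-receiver": "CitrixReceiver/4.9 Windows/10.0 SelfService/4.9",
    "ios-receiver": "Receiver/7.5 CFNetwork/893.14 Darwin/17.3.0",
    "desktop-browser": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/60.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:16} -> {classify(ua)}")
```

The constructed iOS sample matches only through the CFNetwork and Darwin terms, so dropping them would send that client to the web policy and its LDAP-first order.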