Environment – NetScaler 10.1, Citrix Storefront 2.5, XenDesktop 7.5, LDAP Authentication
Issue – AD user accounts with the attribute “User must change password at next logon” are unable to change their passwords at the NetScaler /Access gateway page. However, users do have the ability to change the passwords by selecting “change password” from the drop down menu on the Netscaler page
Resolution – The issue was the Active Directory /LDAP Authentication profile that I created which had the Security Type set to PlainText. Changing it to TLS resolved the issue for me.