Solved

Active Directory UPN Authentication problems

Posted on 2014-02-03
2,381 Views
Last Modified: 2016-10-25
I am having a problem with users authenticating with UPN.

Environment:
Netscaler 10.1 running Access Gateway on it. It connects to Storefront 2.1. Running Xenapp 6.5.

I have users with different suffixes broken up in different AD OUs. Users log into Access Gateway running on Netscaler with their UPN and password. The Netscaler authenticates users then passes it to the Storefront 2.1 which automatically logs the users in and gives them the applications they can connect to in the Xenapp 6.5 farm.

It has been working fine. I went to add a batch of new users and I imported them with a Powershell script with their UPN suffix. However, I had not gone to AD Domains and Trusts and added the suffix to the system. It imported the users fine with the correct suffix, but when you went to add new users individually you could not select their domain in the dropdown box. That is when we realized it was not added in AD Domains and Trusts. We added the suffix. Then we could add new users and select the suffix.

The imported users seemed to be working fine. They could use their UPN to authenticate to Exchange 2013 OWA. They can log into the servers via Remote Desktop Connection fine. However when we went to log into Netscaler it authenticates but when the Netscaler passes the authentication to the Storefront we get an error that says "Cannot complete your request" with a Log On button below it. If you click the Log On button it tries to connect then comes right back to the same error.

At first I didn't think this had anything to do with the UPN and me importing it before I added the suffix to AD Domains and Trusts. However, after further testing it looks like it does. Other users can still authenticate fine. I can add a new user manually and select the same suffix and that user can log in fine. I can take the users with the UPN that does not work and change their suffix to our main AD root domain and then those users can authenticate. If I go back and select any suffix other than our AD domain suffix then the user fails to work again. I can go to a user that is currently working with a different suffix and even change their suffix to the same as the imported users and that user can still log in. It appears to only be affecting the imported users, and not just the suffix they were imported with but any suffix that is not our actual AD domain.

I have looked at the users with the LDP.exe tool and I can't see any differences. Like I said the users can still log into OWA and servers via RDP directly with their UPN. They can also log into Storefront directly with UPN but when Netscaler tries to pass authentication to Storefront it seems to fail.

Any ideas of how to resolve this without having to delete the user accounts and recreate?

Thanks in advance for your help.
Question by: kserritt
Accepted Solution by: JAN PAKULA (earned 500 total points)

Author Comment by: kserritt
I just did some more testing and it looks like the issue may not be the importing of the users. The other difference with the accounts is that the SAM account is different from the UPN. For example, in the past the UPN for the users has been like test@domain.com and the SAM account would be test. With these users it is different: the SAM account is abc.test and the UPN is test@domain.com.

I went back and created a new user manually with a different UPN logon name and SAM logon name and it gets the same error. What would keep the authentication pass-through from working but allow them to authenticate directly?

Thanks again
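The two account properties the thread keeps coming back to are the UPN suffix (registered or not in AD Domains and Trusts) and the sAMAccountName versus the left-hand part of the UPN. The following audit script is an added example, not code from this thread or from Citrix; it lists enabled users whose UPN prefix differs from their sAMAccountName, whose UPN suffix is not one the forest knows about, or who have no UPN at all, so an admin can see which accounts match the pattern described above before changing anything. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the function name and the Issue labels are my own.

```powershell
# Added example (not from the original thread): audit AD user accounts for the
# UPN/sAMAccountName pattern described in the question.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-UpnSamMismatch {
    param(
        # Assumed parameter: search base to audit; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # UPN suffixes the forest considers valid: every domain DNS name in the
    # forest plus any extra suffixes registered in AD Domains and Trusts.
    $forest = Get-ADForest
    $knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties UserPrincipalName, SamAccountName |
    ForEach-Object {
        $sam = $_.SamAccountName
        $upn = $_.UserPrincipalName

        if ([string]::IsNullOrEmpty($upn)) {
            # No UPN set at all: UPN-based logon cannot work for this account
            [pscustomobject]@{
                SamAccountName = $sam; UpnPrefix = $null; UpnSuffix = $null
                Issue = 'NoUPN'
            }
            return   # inside ForEach-Object, return moves on to the next object
        }

        # Split only on the first '@'; prefix is the logon part, suffix the domain part
        $prefix, $suffix = $upn -split '@', 2

        # -ne is case-insensitive in PowerShell, matching how AD compares names
        if ($prefix -ne $sam) {
            [pscustomobject]@{
                SamAccountName = $sam; UpnPrefix = $prefix; UpnSuffix = $suffix
                Issue = 'PrefixDiffersFromSam'
            }
        }

        if ($knownSuffixes -notcontains $suffix) {
            [pscustomobject]@{
                SamAccountName = $sam; UpnPrefix = $prefix; UpnSuffix = $suffix
                Issue = 'SuffixNotRegisteredInForest'
            }
        }
    }
}

# Usage: run from a domain-joined machine and review the report before editing accounts
Get-UpnSamMismatch | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
```

An account can appear twice (once per issue); that is intentional, because the thread shows both conditions mattering independently. The script only reads and reports; what to change afterwards is an administrative decision.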
Author Closing Comment by: kserritt
The link to neil.spellings.net site was exactly what my issue was. Thanks a million for the help.