Active Directory UPN Authentication problems

Posted on 2014-02-03
Last Modified: 2016-10-25
I am having a problem with users authenticating with UPN.

Netscaler 10.1 running Access Gateway on it. It connects to Storefront 2.1. Running Xenapp 6.5.

I have users with different suffixes broken up in different AD OUs. Users log into Access Gateway running on Netscaler with their UPN and password. The Netscaler authenticates users then passes it to the Storefront 2.1 which automatically logs the users in and gives them the applications they can connect to in the Xenapp 6.5 farm.

It has been working fine. I went to add a batch of new users and I imported them with Powershell script with their UPN suffix. However I had not went to AD Domains and Trusts and added the suffix to the system. It imported the users fine with the correct suffix but when you went to add new users individually you could not select their domain in the dropdown box. That is when we realized it was not added int AD Domains and Trusts. We added the suffix. Then we could add new users and select the suffix.

The imported users seemed to be working fine. They could use their UPN to authenticate to Exchange 2013 OWA. They can log into the servers via Remote Desktop Connection fine. However when we went to log into Netscaler it authenticates but when the Netscaler passes the authentication to the Storefront we get an error that says "Cannot complete your request" with a Log On button below it. If you click the Log On button it tries to connect then comes right back to the same error.

At first I didn't think this had anything to do with the UPN and me importing it before I added the suffix to AD Domais and Trusts. However after further testing it looks like it does. Other users can still authenticate fine. I can add a new user manually and select the same suffix and that users can log in fine. I can take the users with the UPN that does not work and change their suffix to our main AD root domain and then those users can authenticate. If I go back and select any other suffix other than our AD domain suffix then the users fails to work again. I can go to a user that is currently working with a different suffix and even change their suffix to the same as the imported users and that users can still log in. It appears to only be effecting the imported users and not just the suffix they were imported with but any suffix that is not our actual AD domain.

I have looked at the users with the LDP.exe tool and I can't see any differences. Like I said the users can still log into OWA and servers via RDP directly with their UPN. They can also log into Storefront directly with UPN but when Netscaler tries to pass authentication to Storefront it seems to fail.

Any ideas of how to resolve this without having to delete the user accounts and recreate?

Thanks in advance for your help.
Question by:kserritt
  • 2
LVL 14

Accepted Solution

JAN PAKULA earned 500 total points
ID: 39830239

Author Comment

ID: 39830301
I just did some more testing it looks like the issue may not be the importing of the users. The other difference with the account is the SAM account is different from the UPN. For example in the past the UPN for the users has been like and the SAM account would be test. With these users it is different the SAM account is abc.test and the UPN is

I went back and created a new user manually with a different UPN logon name and SAM logon name and it get the same error. What would keep the authentication pass-through from working but allow them to authenticate directly?

Thanks again

Author Closing Comment

ID: 39831145
The link to site was exactly what my issue was. Thanks a million for the help.

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After several days of searching and hunting for limited documentation, I wanted to share this guide to hopefully save someone the hassle of trying to figure this out on their own. I have tested this on Xendesktop 7.1 and PS 4.5 running simultaneous…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question