Active Directory UPN Authentication problems

Posted on 2014-02-03
Medium Priority
Last Modified: 2016-10-25
I am having a problem with users authenticating with UPN.

Netscaler 10.1 running Access Gateway on it. It connects to Storefront 2.1. Running Xenapp 6.5.

I have users with different suffixes broken up in different AD OUs. Users log into Access Gateway running on Netscaler with their UPN and password. The Netscaler authenticates users then passes it to the Storefront 2.1 which automatically logs the users in and gives them the applications they can connect to in the Xenapp 6.5 farm.

It has been working fine. I went to add a batch of new users and I imported them with a PowerShell script with their UPN suffix. However, I had not gone to AD Domains and Trusts and added the suffix to the system. It imported the users fine with the correct suffix, but when you went to add new users individually you could not select their domain in the dropdown box. That is when we realized it was not added in AD Domains and Trusts. We added the suffix. Then we could add new users and select the suffix.

The imported users seemed to be working fine. They could use their UPN to authenticate to Exchange 2013 OWA. They can log into the servers via Remote Desktop Connection fine. However, when we log into Netscaler it authenticates, but when the Netscaler passes the authentication to the Storefront we get an error that says "Cannot complete your request" with a Log On button below it. If you click the Log On button it tries to connect, then comes right back to the same error.

At first I didn't think this had anything to do with the UPN and me importing it before I added the suffix to AD Domains and Trusts. However, after further testing it looks like it does. Other users can still authenticate fine. I can add a new user manually and select the same suffix and that user can log in fine. I can take the users with the UPN that does not work and change their suffix to our main AD root domain and then those users can authenticate. If I go back and select any other suffix other than our AD domain suffix then the user fails to work again. I can go to a user that is currently working with a different suffix and even change their suffix to the same as the imported users and that user can still log in. It appears to only be affecting the imported users, and not just the suffix they were imported with but any suffix that is not our actual AD domain.

I have looked at the users with the LDP.exe tool and I can't see any differences. Like I said, the users can still log into OWA and servers via RDP directly with their UPN. They can also log into Storefront directly with UPN, but when Netscaler tries to pass authentication to Storefront it seems to fail.

Any ideas of how to resolve this without having to delete the user accounts and recreate?

Thanks in advance for your help.
Question by:kserritt
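An added diagnostic, not part of the original question or of the accepted answer: the post describes two attributes of the imported accounts that could differ from the accounts that work, a UPN suffix that was not registered in AD Domains and Trusts at import time, and (as the author notes later in the thread) a sAMAccountName that is not the prefix of the UPN. The PowerShell below lists users in a given OU for which either is true, so the two populations can be compared before changing anything. It uses the standard ActiveDirectory module; the OU path is an assumption and must be replaced with the OU the batch was imported into.

```powershell
# Added example (not from the original post): flag users whose UPN suffix is not
# registered in the forest, or whose sAMAccountName differs from the UPN prefix.
Import-Module ActiveDirectory

# Registered suffixes = the forest's explicit UPN suffix list plus every domain's DNS name
# (the forest root and each child domain are always valid suffixes).
$forest = Get-ADForest
$registered = @($forest.UPNSuffixes) + @($forest.RootDomain) + @($forest.Domains) |
    ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Assumption: the OU the batch import targeted. Change to match the environment.
$searchBase = "OU=Imported,DC=example,DC=com"

Get-ADUser -Filter 'userPrincipalName -like "*"' -SearchBase $searchBase `
           -Properties userPrincipalName, sAMAccountName |
    ForEach-Object {
        # Split once on the first '@' so a malformed UPN with no '@' still yields a prefix.
        $prefix, $suffix = $_.UserPrincipalName -split '@', 2
        if (-not $suffix) { $suffix = '' }

        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            UPN              = $_.UserPrincipalName
            SuffixRegistered = ($registered -contains $suffix.ToLower())
            SamMatchesPrefix = ($_.SamAccountName -ieq $prefix)
        }
    } |
    # Keep only the accounts that differ from the "known good" pattern on either count.
    Where-Object { -not $_.SuffixRegistered -or -not $_.SamMatchesPrefix } |
    Format-Table -AutoSize
```

Run it from a machine with RSAT against a domain controller. Accounts that appear with SuffixRegistered = False were created before the suffix was added in AD Domains and Trusts; accounts with SamMatchesPrefix = False match the abc.test / test@domain.com pattern the author describes in the follow-up comment. Because the question reports that manually created users with the same suffix work, the second column is the one to compare between the working and non-working sets.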
LVL 14

Accepted Solution

JAN PAKULA earned 2000 total points
ID: 39830239

Author Comment

ID: 39830301
I just did some more testing, and it looks like the issue may not be the importing of the users. The other difference with the account is that the SAM account is different from the UPN. For example, in the past the UPN for the users has been like test@domain.com and the SAM account would be test. With these users it is different: the SAM account is abc.test and the UPN is test@domain.com.

I went back and created a new user manually with a different UPN logon name and SAM logon name and it gets the same error. What would keep the authentication pass-through from working but allow them to authenticate directly?

Thanks again

Author Closing Comment

ID: 39831145
The link to neil.spellings.net site was exactly what my issue was. Thanks a million for the help.
Question has a verified solution.
