Solved

Active Directory UPN Authentication problems

Posted on 2014-02-03
3
2,493 Views
Last Modified: 2016-10-25
I am having a problem with users authenticating with UPN.

Environment:
Netscaler 10.1 running Access Gateway on it. It connects to Storefront 2.1. Running Xenapp 6.5.

I have users with different suffixes broken up in different AD OUs. Users log into Access Gateway running on Netscaler with their UPN and password. The Netscaler authenticates users then passes it to the Storefront 2.1 which automatically logs the users in and gives them the applications they can connect to in the Xenapp 6.5 farm.

It has been working fine. I went to add a batch of new users and I imported them with a PowerShell script with their UPN suffix. However, I had not gone to AD Domains and Trusts and added the suffix to the system. It imported the users fine with the correct suffix, but when you went to add new users individually you could not select their domain in the dropdown box. That is when we realized it was not added in AD Domains and Trusts. We added the suffix. Then we could add new users and select the suffix.

The imported users seemed to be working fine. They could use their UPN to authenticate to Exchange 2013 OWA. They can log into the servers via Remote Desktop Connection fine. However, when we went to log into Netscaler it authenticates, but when the Netscaler passes the authentication to the Storefront we get an error that says "Cannot complete your request" with a Log On button below it. If you click the Log On button it tries to connect, then comes right back to the same error.

At first I didn't think this had anything to do with the UPN and me importing it before I added the suffix to AD Domains and Trusts. However, after further testing it looks like it does. Other users can still authenticate fine. I can add a new user manually and select the same suffix and that user can log in fine. I can take the users with the UPN that does not work and change their suffix to our main AD root domain and then those users can authenticate. If I go back and select any other suffix other than our AD domain suffix then the user fails to work again. I can go to a user that is currently working with a different suffix and even change their suffix to the same as the imported users and that user can still log in. It appears to only be affecting the imported users, and not just the suffix they were imported with but any suffix that is not our actual AD domain.

I have looked at the users with the LDP.exe tool and I can't see any differences. Like I said, the users can still log into OWA and servers via RDP directly with their UPN. They can also log into Storefront directly with UPN, but when Netscaler tries to pass authentication to Storefront it seems to fail.

Any ideas of how to resolve this without having to delete the user accounts and recreate?

Thanks in advance for your help.
Question by:kserritt
3 Comments
 
LVL 14

Accepted Solution

by: JAN PAKULA earned 500 total points
ID: 39830239

Author Comment

by:kserritt
ID: 39830301
I just did some more testing; it looks like the issue may not be the importing of the users. The other difference with the account is that the SAM account is different from the UPN. For example, in the past the UPN for the users has been like test@domain.com and the SAM account would be test. With these users it is different: the SAM account is abc.test and the UPN is test@domain.com.

I went back and created a new user manually with a different UPN logon name and SAM logon name and it gets the same error. What would keep the authentication pass-through from working but allow them to authenticate directly?

Thanks again
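The question and the follow-up comment above narrow the failing accounts down to two attributes: a UPN suffix that was not registered in AD Domains and Trusts at import time, and a sAMAccountName that does not match the UPN prefix (abc.test versus test@domain.com). The following PowerShell audit is an added example, not code from the thread or from Citrix; it lists every account in an OU that has either property so an administrator can see the full set of affected users before touching NetScaler or StoreFront. It assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name in $searchBase (a placeholder) is replaced with the real one.

```powershell
# Added audit example (not from the original thread): flag AD accounts whose UPN prefix
# differs from sAMAccountName, or whose UPN suffix is not registered in the forest.
# Assumes the RSAT ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

# Valid UPN suffixes are the DNS names of every domain in the forest plus any
# alternative suffixes added under AD Domains and Trusts (uPNSuffixes on the partitions container).
$forest = Get-ADForest
$registeredSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

# Placeholder OU; replace with the OU that holds the imported users.
$searchBase = "OU=ImportedUsers,DC=example,DC=com"

$users = Get-ADUser -Filter 'userPrincipalName -like "*"' `
                    -SearchBase $searchBase `
                    -Properties userPrincipalName, sAMAccountName

$report = foreach ($u in $users) {
    # Split "prefix@suffix" once; UPN prefixes may legitimately contain dots.
    $prefix, $suffix = $u.UserPrincipalName -split '@', 2
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        # -ieq and -contains are case-insensitive, matching how AD treats these values.
        PrefixMatchesSam  = ($prefix -ieq $u.SamAccountName)
        SuffixRegistered  = ($registeredSuffixes -contains $suffix)
    }
}

# Only the accounts that show at least one of the two symptoms described in the thread.
$report |
    Where-Object { -not $_.PrefixMatchesSam -or -not $_.SuffixRegistered } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Run it from a domain-joined management host as an account that can read user objects. An empty table means none of the accounts in that OU share the mismatch the author observed; a populated one gives the list to compare against the gateway's logon failures rather than testing users one at a time.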

Author Closing Comment

by:kserritt
ID: 39831145
The link to neil.spellings.net site was exactly what my issue was. Thanks a million for the help.