Active Directory UPN Authentication problems

I am having a problem with users authenticating with UPN.

Netscaler 10.1 running Access Gateway on it. It connects to Storefront 2.1. Running Xenapp 6.5.

I have users with different suffixes broken up in different AD OUs. Users log into Access Gateway running on Netscaler with their UPN and password. The Netscaler authenticates users then passes it to the Storefront 2.1 which automatically logs the users in and gives them the applications they can connect to in the Xenapp 6.5 farm.

It has been working fine. I went to add a batch of new users and I imported them with Powershell script with their UPN suffix. However I had not went to AD Domains and Trusts and added the suffix to the system. It imported the users fine with the correct suffix but when you went to add new users individually you could not select their domain in the dropdown box. That is when we realized it was not added int AD Domains and Trusts. We added the suffix. Then we could add new users and select the suffix.

The imported users seemed to be working fine. They could use their UPN to authenticate to Exchange 2013 OWA. They can log into the servers via Remote Desktop Connection fine. However when we went to log into Netscaler it authenticates but when the Netscaler passes the authentication to the Storefront we get an error that says "Cannot complete your request" with a Log On button below it. If you click the Log On button it tries to connect then comes right back to the same error.

At first I didn't think this had anything to do with the UPN and me importing it before I added the suffix to AD Domais and Trusts. However after further testing it looks like it does. Other users can still authenticate fine. I can add a new user manually and select the same suffix and that users can log in fine. I can take the users with the UPN that does not work and change their suffix to our main AD root domain and then those users can authenticate. If I go back and select any other suffix other than our AD domain suffix then the users fails to work again. I can go to a user that is currently working with a different suffix and even change their suffix to the same as the imported users and that users can still log in. It appears to only be effecting the imported users and not just the suffix they were imported with but any suffix that is not our actual AD domain.

I have looked at the users with the LDP.exe tool and I can't see any differences. Like I said the users can still log into OWA and servers via RDP directly with their UPN. They can also log into Storefront directly with UPN but when Netscaler tries to pass authentication to Storefront it seems to fail.

Any ideas of how to resolve this without having to delete the user accounts and recreate?

Thanks in advance for your help.
Who is Participating?
JAN PAKULAConnect With a Mentor ICT Infranstructure ManagerCommented:
kserrittAuthor Commented:
I just did some more testing it looks like the issue may not be the importing of the users. The other difference with the account is the SAM account is different from the UPN. For example in the past the UPN for the users has been like and the SAM account would be test. With these users it is different the SAM account is abc.test and the UPN is

I went back and created a new user manually with a different UPN logon name and SAM logon name and it get the same error. What would keep the authentication pass-through from working but allow them to authenticate directly?

Thanks again
kserrittAuthor Commented:
The link to site was exactly what my issue was. Thanks a million for the help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.