Netscaler/Storefront login for multiple domains when UPN is different

[Ian Butcher]

We have a Netscaler (11.1) and Storefront (7.11) set up. There seems to be a couple of issues that need to be sorted out. We have a multiple AD domain login requirement, bear with while I explain what's what.

 

Our domain is ourdomain.local. Within this, we have multiple OUs for other customers, ourcustomer1.co.uk, ourcustomer2.org etc, their UPN suffix is therefore ourcustomer1.co.uk, ourcustomer2.org etc. On Netscaler, I have an LDAP server pointing to the DC, in Other Settings here under Server Logon Name Attribute I have to use userPrincipalName for our clients to be able to log on.

 

I've been following http://www.carlstalhood.com/netscaler-gateway-11-ldap-authentication/#domains

which says I should use sAMAccountName for the Server Logon Name Attribute and use userPrincipalName for SSO Name Attribute, when I do this Netscaler says 'user not found'. This is problem 1.

 

Problem 2 (which may, in part, be related) is we have a new, external client. I have set up a two way External trust with their DC, and for sake of simplicity it's not restricted in any way. I have a second LDAP policy for their domain, added to the Storefront virtual server. This customer is similar to how ours are configured internally-the domain is customerdom.local but their UPN is customerdom.com.

 

Let me see if I can clear this up a bit. In the LDAP policy, if I follow the above guide the Netscaler reports 'user not found'. This is true for both our hosted customers and the external customer. If I adjust the LDAP policies to only use userPrincipalName any user can log on. Happy days. HOWEVER when our external customer tries to log in (jsmith@customerdom.com) Netscaler authenticates but Storefront rejects with 'Cannot complete your request' and Windows event log error

 

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: jsmith@customerdom.com
domain:

 

My understanding is because the user name or domain isn't passed through to Storefront, I'm fine with that. Additionally, if a user logs on as the actual domain ie jsmith@customerdom.local, it works.

 

What do I need to do to get this working? I've seen info about using AAA groups as an alternative, but I'm new to Netscaler and just about have my head around the basic Storefront setup. If this is the right thing to do, are there any guides, step by step, to implement it?

 

More info available on request if there's something I've missed, but please keep it simple, I'm new. I am able to make changes and fully test everything as this isn't in full production yet.

 

[CarlStalhood]

If you're users are comfortable using UPN to login, then you can configure NetScaler with UPN as the Server Logon Attribute. My instructions are for organizations that prefer samAccountName.

 

If Server Logon Attribute = userPrincipalName, you don't have to worry about sending the domain name to StoreFront since it's implicit in the username.

[Ian Butcher]

Thanks for your reply Carl.

Your answer led me down a different path, one that it turns out has worked. I changed the domain trust from External to Forest (again, for now, full access). Within the trust properties I have a Name Suffix Routing tab, and I had to enable the other domain UPN from there. So the issue was within Windows and not Netscaler/Storefront.

[Craig Avery1709151721]

Hi 

 

I followed this document and I have changed Server Logon Attribute = userPrincipalName

 

I still get the error 'User not found"

 

I have a second LDAP policy which I removed all sso as per another document I can login to multiple domains using domain1\username or domain2\username

 

I would like to utilize UPN as that is the companies method of choice.

 

I have Netscaler 11.1

Storefront 3.6 pointing to a load balanced VIP

XenApp 6.5 Farm

 

Running a test connection in the 'Configure Authentication LDAP Server"

Server 'ldap Server' is reachable.port '3268/tcp' is open.'ldap server' is a valid LDAP server.Valid credentials have been provided.

 

 

Errors

receive_ldap_user_search_event ldap_first_entry returned null, user not found

send_reject_with_code Rejecting with error code 4009

send_reject_with_code sending reject to kernel for : username@emailaddress.com

 

I am battling to find out what I am missing

 

Regards

 

Craig

 

 

[CarlStalhood]

Since you're using Global Catalog, what is the Base DN? It should be a simple space so it searches the entire forest.

 

And username@emailaddress.com is the actual UPN configured on the user's Account tab in AD?

[EU IT Systems]

Hi Carl, we have been advised to change our AD accounts UPN attribute to use a new UPN for Office365. It has to be an external domain name UPN. For example, (using fictitious domain names here) our internal domain is contoso.net and what storefront is configured to use as trusted domain. 

 

We now need to change it to firstname.lastname@contosoworldwide.com 

 

They did this on a few accounts and result was that they were unable to logon via the gateway.  What do i need to do here to get this all working so everything still works internally and externally? Have no idea what to do here. If possible, we want to avoid changing their logon method and want them to continue using SAM account name. This should all work on the netscaler as i understand it, so did changing it cause to break on storefront? Do i have to add the external domain to trusted domains on the storefront for this to move forward? Just don't get why it is broken as all we have done is change the UPN on the AD account, which is not in use for gateway. SAM account name should continue to work. I think..

 

Thanks,

E