UPN authentication on different domain not working when UPN suffix is used in both domains - classic authentication works

Started by Ewald Bracko, 19 April 2017 - 01:10 PM
2 replies to this topic

Ewald Bracko Members

  • 14 posts

Posted 19 April 2017 - 01:10 PM

Hi,

We have a StoreFront server (3.7) that resides on DomainA.

As we are migrating users from DomainA to DomainB, there is a both-sided trust established, and the UPN suffixes we use are added to both domains, as the users also use those suffixes as their mail addresses.

If a user that still resides in DomainA logs on using his UPN, everything works fine.

But if a user that resides in DomainB tries to log on using his UPN, he gets a "Username or Password incorrect" message.

However, if this user tries to log in using the classic way (DomainB\Username), the user can successfully log on to the StoreFront server.

The event log shows that the DC of DomainA is rejecting the logon request using UPN.

Is there any way to tell StoreFront to also send UPN authentication requests to a DC of DomainB and, if yes, how can it be achieved?

FYI: I'm talking about direct logins to the StoreFront server without using NetScaler. I already know how to do this using NetScaler, but for internal logins I do not want to go through the NetScaler, if at all possible.

Thank you in advance for your help!

Best Regards

Ewald Bracko



Carl Stalhood CTP Member

  • 11,777 posts

Posted 25 April 2017 - 01:35 AM

Maybe name suffix routing? https://technet.microsoft.com/en-us/library/cc731648%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396


Best Answer

Ewald Bracko Members

  • 14 posts

Posted 25 April 2017 - 09:28 AM

Hi Carl,

It is indeed caused by suffix routing issues.
Unfortunately we have the situation that during the migration the suffixes need to be active in both domains. This causes suffix routing conflicts and therefore suffix routing cannot be activated at the moment.

It looks like there will be no other way than to tell the users to log on the classic way for the moment to avoid troubles there.

Thank you for your feedback! I really appreciate all the work you're doing and the help you provide to us all!

Best Regards

Ewald
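
An added example, not part of the original thread: a PowerShell check that lists the UPN suffixes present on both sides of the trust and counts the accounts using each one, which shows where name suffix routing would conflict. It assumes DomainA and DomainB are separate forests joined by a forest trust, that the ActiveDirectory RSAT module is installed, and it uses the placeholder DNS names `domaina.example` and `domainb.example`.

```powershell
# Added example. The two DNS names are placeholders; replace them with the
# real forest root domains on each side of the trust.
Import-Module ActiveDirectory

$domainA = 'domaina.example'
$domainB = 'domainb.example'

$forestA = Get-ADForest -Server $domainA
$forestB = Get-ADForest -Server $domainB

# A forest answers for its explicit UPN suffixes and for the DNS names
# of its own domains (the implicit suffixes).
$suffixesA = @(@($forestA.UPNSuffixes) + @($forestA.Domains)) | ForEach-Object { $_.ToLower() }
$suffixesB = @(@($forestB.UPNSuffixes) + @($forestB.Domains)) | ForEach-Object { $_.ToLower() }

# Suffixes defined on both sides cannot be routed to only one of them.
$shared = $suffixesA | Where-Object { $suffixesB -contains $_ } | Sort-Object -Unique

foreach ($suffix in $shared) {
    $filter = "userPrincipalName -like '*@$suffix'"
    [pscustomobject]@{
        Suffix       = $suffix
        # Counts cover only the domain named in -Server, not the whole forest.
        UsersDomainA = @(Get-ADUser -Filter $filter -Server $domainA).Count
        UsersDomainB = @(Get-ADUser -Filter $filter -Server $domainB).Count
    }
}
```

A suffix reported with users in both domains is one that is still active on both sides, which is the situation the last reply describes during the migration.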