

UPN authentication on different domain not working when UPN suffix is used in both domains - classic authentication works

Started by Ewald Bracko , 19 April 2017 - 01:10 PM
4 replies to this topic

Ewald Bracko Members

Ewald Bracko
  • 16 posts

Posted 19 April 2017 - 01:10 PM



We have a StoreFront server (3.7) that resides in DomainA.

As we are migrating users from DomainA to DomainB, a two-way trust has been established, and the UPN suffixes we use are added to both domains because the users also use those suffixes as their mail addresses.

If a user that still resides in DomainA logs on using his UPN everything works fine.

But if a user that resides in DomainB tries to log on using his UPN he gets a "Username or Password incorrect" message.

However if this user tries to log in using the classic way (DomainB\Username) the user can successfully log on to the StoreFront server.

The event log shows that the DC of DomainA is rejecting the logon request using UPN.


Is there any way to tell Storefront to also send UPN authentication requests to a DC of DomainB and if yes, how can it be achieved?


FYI: I'm talking about direct logins to the StoreFront server without using NetScaler. I already know how to do this using NetScaler, but for internal logins I don't want to go through the NetScaler, if at all possible.


Thank you in advance for your help!


Best Regards


Ewald Bracko

Carl Stalhood CTP Member

Carl Stalhood
  • 12,351 posts

Posted 25 April 2017 - 01:35 AM

Maybe name suffix routing? https://technet.micr...ror=-2147217396

Best Answer

Ewald Bracko Members

Ewald Bracko
  • 16 posts

Posted 25 April 2017 - 09:28 AM

Hi Carl,


It is indeed caused by suffix routing issues.
Unfortunately we have the situation that, during the migration, the suffixes need to be active in both domains. This causes suffix routing conflicts, and therefore suffix routing cannot be activated at the moment.

It looks like there will be no other way than to tell the users to log on the classic way for the moment to avoid trouble there.

Thank you for your feedback! I really appreciate all the work you're doing and the help you provide to us all!


Best Regards

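A diagnostic for the suffix conflict described in this exchange, added here as an example and not code from the thread or from Citrix: it lists the UPN suffixes each forest claims, flags any suffix present in both (the collision that blocks name suffix routing), and shows in which forest a given UPN actually resolves. It assumes the ActiveDirectory PowerShell module (RSAT) with read access to both forests; the forest names and the sample UPN are placeholders.

```powershell
# Added example, not part of the original thread.
# Assumes the ActiveDirectory module; forest names and UPN below are placeholders.
param(
    [string[]]$Forests = @('domaina.example', 'domainb.example'),  # placeholders
    [string]$Upn       = 'john.doe@contoso.local'                   # constructed sample
)
Import-Module ActiveDirectory

# 1. Collect the UPN suffixes each forest advertises: explicit suffixes plus the
#    DNS names of its domains, which are implicit UPN suffixes.
$suffixMap = @{}
foreach ($f in $Forests) {
    $forest   = Get-ADForest -Server $f
    $suffixes = @($forest.UPNSuffixes) + @($forest.Domains)
    foreach ($s in $suffixes) {
        if (-not $suffixMap.ContainsKey($s)) { $suffixMap[$s] = @() }
        $suffixMap[$s] += $forest.Name
    }
}

# 2. A suffix claimed by more than one forest is exactly the conflict that
#    prevents name suffix routing from being enabled on the trust.
$collisions = $suffixMap.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($collisions) {
    Write-Warning 'UPN suffixes present in more than one forest (routing conflict):'
    $collisions | ForEach-Object { '  {0} -> {1}' -f $_.Key, ($_.Value -join ', ') }
} else {
    'No overlapping UPN suffixes; name suffix routing can be configured.'
}

# 3. Show where the UPN resolves in each forest. An account that exists only in
#    DomainB, presented to a DomainA DC, is the case in the thread: the UPN logon
#    is rejected while DOMAINB\user succeeds.
foreach ($f in $Forests) {
    $u = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Server $f -ErrorAction SilentlyContinue
    if ($u) { '{0}: found {1} ({2})' -f $f, $u.SamAccountName, $u.DistinguishedName }
    else    { '{0}: no account with UPN {1}' -f $f, $Upn }
}
```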


Minhaj Ahmed Members

Minhaj Ahmed
  • 2 posts

Posted 25 August 2017 - 07:37 PM

Hi Carl,


As per this link, everything is enabled, but I still cannot use UPN to log in. When I use domain\UPN it works using Citrix Receiver.

I have no problem using Receiver for Web using UPN.

Any other input that can help?



Ewald Bracko Members

Ewald Bracko
  • 16 posts

Posted 28 August 2017 - 09:15 AM

Hi Minhaj Ahmed,


This sounds quite weird...
Just to make sure we're talking about the same thing:
UPN = user@definedUPNDomain.extension, like john.doe@contoso.local

classic login = CONTOSO\john.doe

What you're saying is that your Citrix Receiver actually requires a logon format like CONTOSO\john.doe@contoso.local.

Is this correct?