
NetScaler UPN authentication to StoreFront not working


MIKE MORRISON


We have two domains with a full two-way trust, and are preparing to migrate the accounts from one domain to the other. We're trying to get the NetScaler to work with the migrated users just entering their SAMaccount information like they always have, and then getting authenticated appropriately based on the domain their account is active in.

 

I've followed the instructions on Carl Stalhood’s site on how to configure the LDAP servers to use UPN and send that to StoreFront for authentication. That’s working from a NetScaler perspective—the LDAP and RSA authentication are both working to the appropriate entity, but when the UPN information gets passed to the StoreFront servers I see this error message in the Event Viewer:

 

Log Name:      Citrix Delivery Services
Source:        Citrix Authentication Service
Date:          4/16/2018 11:41:49 AM
Event ID:      7
Task Category: (1005)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      StoreFrontServer
Description:
CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: user1@domain.com
domain:

 

For some reason the domain is coming through as blank—I assume it’s because I’ve got the default Single Sign-on Domain undefined in the Session Profile. As far as I can tell, everything is configured correctly according to Carl's instructions. I do have one account that is able to authenticate and launch applications--the passwords for this account happen to be synchronized. Just looking to see if anyone has any suggestion on how to get this working, or on a different approach we can use if this is unresolvable.


Thanks,

Mike Morrison


Right--I know I don't have to specify the domain which is why it's blank in the NS session profile. I added domain.com (without the @ sign) to the list of trusted domains on the StoreFront server. I can log on to StoreFront fine if I use DOMAIN\user1, but not if I use user1@domain.com. When I use the UPN, an unknown username or password error is logged by StoreFront in the Citrix Delivery Service event log, and a similar entry is logged in the Windows Security log on the StoreFront server.

 

The StoreFront server is located in DOMAIN-B, and there's a two-way trust with DOMAIN. Is there another step that needs to be taken on the StoreFront server to enable it to communicate with DOMAIN?

 

Thanks,

Mike


Sorry that wasn't clear, Carl...it is a Forest Trust. Both DOMAIN and DOMAIN-B are sub-domains of DOMAINPARENT.

 

So...upon further investigation, user1@domain.com (which is what is listed in AD as the UPN) doesn't work to login to storefront, but user1@domain.domainroot.net works just fine for the failing account. Both of those are added to the Trusted Domains list in StoreFront. Which should be OK--the migrated accounts that are of greater concern all use the second format and not the first. Let me do a little more digging and testing, and I'll post back with more information (probably tomorrow at this point).


Thanks,

Mike


Just to close the loop on this issue...it looks like the "native accounts" in the target domain have recently had their UPN suffix changed from @domain.domainroot.net to @domain.com in preparation for migration to Outlook on O365. If I log into StoreFront with a native account using the @domain.domainroot.net suffix it works fine, but I'm unsuccessful using @domain.com. I'm sure there's an AD setting that needs to be updated/changed to get it all to work correctly, so I'll direct my search efforts to that end. Thanks for the responses, Carl...and keep up the good work on your site! Always one of the first places I turn to for things Citrix!!

 

Thanks,

Mike


  • 3 weeks later...
19 hours ago, Michael Shuster1709152649 said:

In my experience in such circumstances when O365 migrations come into play, swapping UserPrincipalName parameter on the NetScaler's LDAP server with msDS-PrincipalName seems to help overcome similar issues to what you're describing. Can still keep the domain field blank in the session policy.

 

Michael--this works like a champ! This passes the account through as DomainName\UserName to the StoreFront servers, and everything authenticates without any issue. Thanks!
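An added diagnostic, not from this thread or from Citrix: run on a StoreFront server or admin workstation with the RSAT ActiveDirectory module, it shows for one account what the NetScaler LDAP action would forward to StoreFront with each SSO Name Attribute (userPrincipalName vs msDS-PrincipalName) and which UPN suffixes the forest advertises. The account name, server parameter and script name are placeholders.

```powershell
# Check-CitrixSsoName.ps1 (hypothetical name, added example)
# Usage: .\Check-CitrixSsoName.ps1 -SamAccountName user1 [-Server dc01.domain.domainroot.net]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder, e.g. user1
    [string] $Server                                   # optional DC/GC of the account's domain
)
Import-Module ActiveDirectory

# Pull the two attributes a NetScaler LDAP action can use as its SSO Name Attribute.
$getParams = @{ Identity = $SamAccountName; Properties = 'userPrincipalName', 'msDS-PrincipalName' }
if ($Server) { $getParams.Server = $Server }
$user = Get-ADUser @getParams

$upn  = $user.userPrincipalName        # forwarded as user@suffix with a blank domain field
$msds = $user.'msDS-PrincipalName'     # constructed attribute: NETBIOSDOMAIN\sAMAccountName

# UPN suffix of the account, if it has one (null for accounts with no UPN set).
$suffix = $null
if ($upn -and $upn.Contains('@')) { $suffix = ($upn -split '@', 2)[1] }

# Suffixes the forest knows: root and child domain DNS names plus alternate suffixes
# added in Active Directory Domains and Trusts (these are what name-suffix routing
# across a forest trust works from).
$forest = Get-ADForest
$known  = @($forest.Domains) + @($forest.UPNSuffixes)

[pscustomobject]@{
    SamAccountName             = $user.SamAccountName
    SentWith_userPrincipalName = $upn
    SentWith_msDSPrincipalName = $msds
    UpnSuffix                  = $suffix
    SuffixKnownToForest        = [bool]($suffix -and ($known -contains $suffix))
    ForestSuffixes             = ($known -join ', ')
}
```

Compare the SentWith_* values with the "user:" line in the StoreFront event and with the entries in StoreFront's Trusted Domains list; a suffix that the forest does not advertise is worth checking before changing the NetScaler side.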


  • 1 year later...
On 5/9/2018 at 4:51 AM, MIKE MORRISON said:

 

Michael--this works like a champ! This passes the account through as DomainName\UserName to the StoreFront servers, and everything authenticates without any issue. Thanks!

 

This did not work for me. However, the bit at the end - "Can still keep the domain field blank in the session policy" - did. I checked the session profiles (there are 2 automatically created by the integration wizard) on the ADC and noticed the SSO domain was populated. I removed the references to the local domain name. Still using userPrincipalName and it is working.
