
"Invalid Credentials" from Receiver (external), but Web Interface works fine

Robert Schaaf


I have a problem related to the username used to log on to the Web Interface and the Workspace app. We are in the process of a UPN change where the UPN becomes the email address. My username is e.g. john, which is the sAMAccountName. My UPN is john@domain.com. My email address is john.doe@domain.com. The NetScaler is configured with 2 LDAP servers: one accepts sAMAccountName and the other accepts UPN. All works fine for Receiver for Web and for the Workspace app.

Now when I change the UPN in Active Directory to the email address, so my login name becomes john.doe@domain.com, and leave the LDAP servers as they are, I can still log in fine on Receiver for Web, internal and external. However, the Workspace app works fine internally, but externally I can pick a store, and when I want to start an app or desktop it gives me "invalid username or password". I cannot understand how changing a UPN causes a problem with getting my credentials right. Anyone an idea? Do I need to change the UserPrincipalName to mail on the NetScaler? We have a phased transition, so hopefully that's not the case.


6 answers to this question


Because it is different internal vs external, I assume that internal does not use the NetScaler for connection. Have you reviewed your Session Profile in the NetScaler to ensure settings for Receiver/Workspace are being applied as expected? (Workspace does send different headers from Receiver which broke some things here for us.)

Another thought would be the SSO Name Attribute setting in your UPN LDAP policy also being set to userPrincipalName. (Seems likely not to be the issue since it seems to work for StoreFront for Web though).




Based solely on the information in your initial question, I am not 100% convinced that UPN is being used currently.


You say:

SamAccountName = john

UPN = john@domain.com


I see john = john in those two instances.


When UPN changes to john.doe@domain.com, I see john.doe != john 

Honestly, with the information provided, I can't say where it's broken, and I could be totally off base on what I am suggesting as issues. 


I am sorry, it was not my intention to withhold information.

Your first statement is right: the user can log in with either john or john@domain.com.

The LDAP servers are configured that way.

One server with the Server Logon Name Attribute on sAMAccountName and one server with the Server Logon Name Attribute on UPN. Both servers have the SSO Name Attribute on UPN.

Everything works fine, except when I change the UPN in Active Directory to the email address; then external authentication fails.



I was going to set up a test here, but I can't do that at this time without totally messing with my test environment because I use RADIUS auth for Receiver now, not LDAP. 


Going to throw out some ideas for testing because it sounds like it should work to me too.


Have you looked at the aaad.debug log? Is it perhaps failing the first LDAP and not attempting the second for some odd reason?

Have you tried changing the binding order of the LDAP servers? How about just disabling/unbinding the sAMAccountName policy during a test time?

In StoreFront, have you checked the Manage NetScaler Gateways configuration? Mine is set to Domain and Security Token, but I (think I) have read that it shouldn't be (but mine works, so I'm not going to change it).
It's not really clear where the error is being generated from either: is it when logging into Receiver or when attempting to launch an application? I'm assuming it's logging into Receiver. I would again check the session profiles.

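As an added example (not code from this thread or from Citrix), here is a small Python simulation of the two-LDAP-action cascade described in the configuration reply above (one action with the logon name attribute on sAMAccountName, one on userPrincipalName, both with the SSO name attribute on userPrincipalName) and of the "does it fall through to the second LDAP policy" question raised in the last reply. The directory contents, the password and the action names are constructed for the example; the mapping of the two settings to the NetScaler parameters `-ldapLoginName` and `-ssoNameAttribute` is noted in comments as the assumption the simulation rests on. It shows, for each form of login name, which action succeeds and which SSO name would be handed on to StoreFront before and after the UPN change.

```python
from dataclasses import dataclass

# Constructed Active Directory snapshot for one user, before and after the
# UPN change described in the thread. The password is fake test data.
PASSWORD = "Pa55w0rd!"
USER_BEFORE = {
    "sAMAccountName": "john",
    "userPrincipalName": "john@domain.com",
    "mail": "john.doe@domain.com",
    "password": PASSWORD,
}
USER_AFTER = dict(USER_BEFORE, userPrincipalName="john.doe@domain.com")


@dataclass(frozen=True)
class LdapAction:
    """Subset of a NetScaler LDAP action (assumed mapping, see lead-in)."""
    name: str
    login_name_attr: str  # Server Logon Name Attribute (-ldapLoginName)
    sso_name_attr: str    # SSO Name Attribute (-ssoNameAttribute)


class FakeDirectory:
    """Minimal in-memory stand-in for an LDAP server."""
    def __init__(self, entries):
        self.entries = entries

    def find(self, attr, value):
        # AD matches these attributes case-insensitively.
        hits = [e for e in self.entries if e.get(attr, "").lower() == value.lower()]
        return hits[0] if hits else None


def try_action(action, directory, username, password, log):
    """One LDAP action: search by logon-name attribute, bind, return SSO name."""
    entry = directory.find(action.login_name_attr, username)
    if entry is None:
        log.append(f"{action.name}: no entry with {action.login_name_attr}={username}")
        return None
    if entry["password"] != password:
        log.append(f"{action.name}: bind failed for {username}")
        return None
    sso_name = entry[action.sso_name_attr]
    log.append(f"{action.name}: success, SSO name = {sso_name}")
    return sso_name


def authenticate(username, password, directory, actions):
    """Cascade: evaluate actions in priority order, first success wins.

    Returns (sso_name or None, log lines) so the fall-through between the
    two policies is visible, which is what one would look for in aaad.debug."""
    log = []
    for action in actions:
        sso_name = try_action(action, directory, username, password, log)
        if sso_name is not None:
            return sso_name, log
    log.append("all LDAP policies failed")
    return None, log


# The two LDAP actions from the thread: logon name on sAMAccountName and on
# userPrincipalName, SSO name on userPrincipalName for both.
ACTIONS = (
    LdapAction("LDAP_SAM", "sAMAccountName", "userPrincipalName"),
    LdapAction("LDAP_UPN", "userPrincipalName", "userPrincipalName"),
)


def scenarios():
    """SSO name handed to StoreFront for each login form, before and after."""
    before = FakeDirectory([USER_BEFORE])
    after = FakeDirectory([USER_AFTER])
    cases = {
        "before/john": (before, "john"),
        "before/john@domain.com": (before, "john@domain.com"),
        "after/john": (after, "john"),
        "after/john@domain.com": (after, "john@domain.com"),
        "after/john.doe@domain.com": (after, "john.doe@domain.com"),
    }
    return {k: authenticate(u, PASSWORD, d, ACTIONS)[0] for k, (d, u) in cases.items()}


if __name__ == "__main__":
    for case, sso in scenarios().items():
        print(f"{case:28} -> {sso}")
    # Show the fall-through for a login form that stops working after the change.
    _, lines = authenticate("john@domain.com", PASSWORD, FakeDirectory([USER_AFTER]), ACTIONS)
    print("\n".join(lines))
```

Two things the run makes visible that the posts only state in words: after the change, a login typed as john@domain.com no longer matches either action (the "john.doe != john" observation from the second reply), while "john" still authenticates through the sAMAccountName action but now hands a different SSO name (john.doe@domain.com instead of john@domain.com) downstream. Comparing that hand-off with what the gateway actually logs, and checking that the second policy is really attempted when the first fails, is the concrete check behind the aaad.debug suggestion.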

