Can't login with UPN to Storefront


Corey Tracey

In setting up SF 2203 LTSR CU1 for Gateway integration, I was getting "Cannot complete your request". Working my way through this, I found I can't log in to SF with the UPN in question (no one can, not just me).

Forest with child domains; SF/DDC servers are in one child domain, AD servers in the other child domain. I can log into the Storefront server directly via RDP using the UPN in question.

Storefront store set to allow all domains; I can log in to the domain using the pre-Windows 2000 name (domain\username) but can't log in with the UPN to the same domain. SF shows a login expired message; I don't have any gateway configured at the moment, so this login expired message is peculiar.

I can TNC to AD servers on ports 88, 389, 636 in that child domain fine from the SF server. No errors at all in the SF Event Viewer, Citrix Delivery Services.

Anyone else see this behavior? Next step is Wireshark.


Edited by Corey Tracey: domain update

Might have answered my own question; set verbose logging on SF and used Guy Leech's PowerShell script to display the logs. Found that one DDC LB VIP was throwing a bad credentials message, "XML Service returned access token failure with reason: failed", with the access token treated as a bad password. Removed the site in question and UPN worked.

Thinking about this more; we don't have forest-level trusts for the two AD domains, so UPN suffix routing should not work. I forgot the UPN auth won't work against the other domain/site.

Our setup was Forest A with two domains (Domains 1 and 2), Forest B with one domain (Domain 3) with an external trust. We have an alternate UPN configured in Forest A, Domain 1. We had DDC LB VIPs for Domain 1 and Domain 3 in the Storefront. UPN worked for Domain 1 once I removed the Domain 3 DDC LB VIP from Storefront. I should not have had Domain 3 in there to begin with, since we don't have forest-level trusts between them.
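The diagnosis above came from reading a verbose StoreFront trace and spotting which farm (DDC load-balancer VIP) was returning the "XML Service returned access token failure" message. The following Python script is an added example, not code from the thread, from Guy Leech's script, or from Citrix: it parses trace lines and counts token failures per farm, then flags farms that only ever fail, which is the pattern that pointed at the Domain 3 VIP. The sample lines are constructed, and the line layout (timestamp, level, trace source, message) plus the "Farm X server Y:" wording and the "enumeration succeeded" marker are assumptions about the log format; only the access-token failure text itself is quoted from the post.

```python
"""Summarise which StoreFront farm (DDC address) is returning XML Service
access-token failures in a verbose trace, so the failing delivery controller
can be identified without reading the whole log by hand."""
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample trace (not real StoreFront output). The line layout
# "<timestamp> <level> <trace source> <message>" and the farm/server wording are
# assumptions; the "XML Service returned access token failure" text is the
# message quoted in the thread.
SAMPLE_TRACE = """\
2024-02-28 10:01:02 Verbose Citrix.DeliveryServices.Authentication Authenticating user jdoe@corp.example
2024-02-28 10:01:02 Verbose Citrix.DeliveryServices.Resources Farm Domain1-DDC server ddc-lb-dom1.example: enumeration succeeded
2024-02-28 10:01:03 Error Citrix.DeliveryServices.Resources Farm Domain3-DDC server ddc-lb-dom3.example: XML Service returned access token failure with reason: failed
2024-02-28 10:01:03 Warning Citrix.DeliveryServices.Authentication Access token treated as bad password
2024-02-28 10:05:41 Verbose Citrix.DeliveryServices.Authentication Authenticating user asmith@corp.example
2024-02-28 10:05:41 Verbose Citrix.DeliveryServices.Resources Farm Domain1-DDC server ddc-lb-dom1.example: enumeration succeeded
2024-02-28 10:05:42 Error Citrix.DeliveryServices.Resources Farm Domain3-DDC server ddc-lb-dom3.example: XML Service returned access token failure with reason: failed
"""


class TraceRecord(NamedTuple):
    timestamp: str
    level: str
    source: str
    message: str


LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) (?P<source>\S+) (?P<msg>.*)$"
)
# Assumed wording for the farm/server part of a resources message.
FARM_RE = re.compile(r"Farm (?P<farm>\S+) server (?P<server>\S+):")
TOKEN_FAILURE = "XML Service returned access token failure"
ENUM_OK = "enumeration succeeded"  # assumed success marker in the constructed lines


def parse_trace(text: str) -> list:
    """Split the trace into records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(TraceRecord(m["ts"], m["level"], m["source"], m["msg"]))
    return records


def token_failures_by_farm(text: str) -> Counter:
    """Count access-token failures per farm name."""
    counts = Counter()
    for rec in parse_trace(text):
        if TOKEN_FAILURE in rec.message:
            m = FARM_RE.search(rec.message)
            counts[m["farm"] if m else "<unknown farm>"] += 1
    return counts


def suspect_farms(text: str) -> list:
    """Farms that produced token failures and never a successful enumeration.

    A farm that fails for every user while the others succeed is the one to
    check for a missing trust or a wrong DDC address in the store."""
    failed, succeeded = set(), set()
    for rec in parse_trace(text):
        m = FARM_RE.search(rec.message)
        if not m:
            continue
        if TOKEN_FAILURE in rec.message:
            failed.add(m["farm"])
        elif ENUM_OK in rec.message:
            succeeded.add(m["farm"])
    return sorted(failed - succeeded)


if __name__ == "__main__":
    for farm, n in token_failures_by_farm(SAMPLE_TRACE).most_common():
        print(f"{farm}: {n} access-token failure(s)")
    print("suspect farms:", suspect_farms(SAMPLE_TRACE))
```

Against the constructed sample the only suspect is Domain3-DDC, which matches the outcome in the post: the farm whose domain has no forest-level trust with the UPN suffix's domain rejects every UPN logon, and removing it from the store lets logons to the trusted farm succeed. On a real trace the two regular expressions would need adjusting to whatever the verbose log actually emits.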
