Had a case earlier today where a customer wanted to configure Netscaler to authenticate with UPN instead of SamAccountName. And using UPN instead of SamAccountName makes sense in many cases, since it easier for users to remember their email-address instead of their username. So in this scenario my samAccoutName is msandbu and my UPN is [email protected]
Now by default Netscaler is setup with samAccoutName under server logon name attribute. This defines what kind of account name you are allowed to logon with using Netscaler.
If you try to logon with UPN when SamAccountName is defined you will get this kind of error message on the StoreFront Server.
So Storefront strips the domain info sent from the Netscaler and tries to validate the credentials to Active Directory.
So how to fix this ?
You have to define the SSO name attribute in the LDAP credential, to samAccountName.
Then the Netscaler firstly validates the UPN, get the SamAccountName of the user and then forwards that to Storefront and logs in.
Important to remember that Storefront always tried to revalidate the info from Netscaler