SSO User Expression fails to override Domain when used in Traffic Policy
Article ID: CTX226213
Description
SSO to backend servers that expect the username in Domain\Username format fails if the SSO Domain is different from the Login Domain.
An SSO failure causes the user to be prompted for credentials again.
Resolution
Workaround: Configure the user expression in UPN format. This causes the Domain information to be NULL during SSO, and the UPN itself carries the domain information.
For servers that cannot authenticate using UPN, a permanent fix has been added in the code to prefer the domain provided in the SSO expression.
This issue is fixed in 12.0.53.x and 11.1.56.x.
This is tracked under ID: 689684 for reference.
Problem Cause
The SSO user expression is not honoured for domain information in Domain\Username format.
The NetScaler uses the complete Domain in FQDN format during SSO to backend servers.
The NetScaler prefers the Domain obtained during Login to the Authentication Vserver.
If an SSO user expression is used to obtain the user in Domain\Username format, the Domain information is ignored in favour of the login Domain.

As in the above, the Domain information is in FQDN form and is the Login Domain
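A simplified model of the domain selection described above, written as an added example (it is not Citrix code or NetScaler configuration). The function names, the `fixed_build` flag, the sample domains and the handling of a bare username are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SsoCredential:
    domain: Optional[str]  # None models the NULL domain the article describes
    username: str


def parse_sso_user(value: str) -> Tuple[Optional[str], str]:
    """Split an evaluated SSO user expression into (domain, user)."""
    if "\\" in value:
        domain, user = value.split("\\", 1)
        if not domain or not user:
            raise ValueError(f"malformed Domain\\Username value: {value!r}")
        return domain, user
    if not value:
        raise ValueError("empty SSO user value")
    return None, value  # UPN or bare name: no separate domain part


def sso_credential(login_domain: str, expr_value: str,
                   fixed_build: bool) -> SsoCredential:
    """Model which domain/username pair is sent to the backend server."""
    expr_domain, user = parse_sso_user(expr_value)
    if expr_domain is None and "@" in user:
        # UPN workaround: domain is NULL, the UPN itself carries the domain.
        return SsoCredential(None, user)
    if expr_domain is not None and fixed_build:
        # Fixed builds prefer the domain supplied by the SSO expression.
        return SsoCredential(expr_domain, user)
    # Affected builds (and bare usernames, by assumption) use the login domain.
    return SsoCredential(login_domain, user)


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    login = "corp.example.com"
    for value, fixed in [("BACKEND\\alice", False),
                         ("BACKEND\\alice", True),
                         ("alice@backend.example.com", False)]:
        print(value, fixed, sso_credential(login, value, fixed))
```

On an affected build the first case yields the login domain instead of `BACKEND`, which is the mismatch that leads to the credential re-prompt.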
Issue/Introduction
The NetScaler is not able to override the Domain information when a Traffic policy is configured to use an SSO user expression to change/override the Domain to be used for SSO to the backend server.