"Cannot complete request" when connecting to SAML enabled store externally in Multi-Domain environment

Article ID: CTX335506

Description

"Cannot complete request" error with a SAML-enabled store in a multi-domain environment

A two-way trust exists between two separate domains: the infrastructure servers (StoreFront, Federated Authentication Service (FAS), etc.) are in Domain A and the users are in Domain B. Azure AD is the Identity Provider.

Shadow accounts are created in Domain B for the users, with an alternate UPN suffix of domain.onmicrosoft.com, and the users log on as test@domain.onmicrosoft.com.

The StoreFront verbose logs show the following errors:

00003537        10:19:24 AM        [2256] Citrix.DeliveryServices.Kerberos Verbose: 0 :         
00003538        10:19:24 AM        [2256] Authentication Attempt for user: test@domain.onmicrosoft.com         
00003539        10:19:24 AM        [2256] Citrix.DeliveryServices.Kerberos Information: 0 :         
00003540        10:19:24 AM        [2256] Attempting Kerberos authentication with a UPN, and client realm: <null>    
00003541        10:19:24 AM        [2256] Citrix.DeliveryServices.Kerberos Information: 0 :         
00003542        10:19:24 AM        [2256]  Kerberos authentication: Failed. Authentication Status: C000006D Sub-status: 0000 [The attempted logon is invalid. This is either due to a bad username or authentication information.]         

A Wireshark capture from the StoreFront server shows the error KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

Resolution

Make sure that the following settings are in place on the AD side:
  1. Add the StoreFront and FAS computer accounts, along with the user account that needs to log on, to the Windows Authorization Access Group of Domain B.
  2. Enable Name Suffix Routing for the trusted domain, as follows:
    1. Open Active Directory Domains and Trusts.

    2. In the console tree, right-click the domain node for the domain you want to administer, and then click Properties.

    3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.

    4. On the Name Suffix Routing tab, under Name suffixes in the Domain B, click the unique name suffix (domain.onmicrosoft.com) for which you want to enable routing, and then click OK.

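To verify both prerequisites from a machine in Domain A before (or after) walking through the GUI steps, here is an added PowerShell check that is not part of the Citrix article: it reads the Windows Authorization Access Group of Domain B from its member attribute and lists the forest trust's name suffix routing with netdom. Assumed names: domain-a.example / DOMAIN-A (StoreFront and FAS), domain-b.example / DOMAIN-B (shadow accounts), computer accounts SF01 and FAS01, user test; the RSAT ActiveDirectory module and netdom must be available.

```powershell
# Added example, not from the Citrix article: check the two AD-side prerequisites
# from the Resolution section. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$DomainA  = 'domain-a.example'     # domain holding StoreFront and FAS
$DomainB  = 'domain-b.example'     # domain holding the shadow accounts
$Suffix   = 'domain.onmicrosoft.com'
$Required = @('DOMAIN-A\SF01$', 'DOMAIN-A\FAS01$', 'DOMAIN-B\test')

# 1. Windows Authorization Access Group in Domain B (well-known SID S-1-5-32-560).
#    Read the member attribute rather than Get-ADGroupMember: accounts from the
#    other forest are stored as foreignSecurityPrincipal objects whose CN is
#    their SID, and Get-ADGroupMember does not reliably resolve those.
$waag = Get-ADGroup -Identity 'S-1-5-32-560' -Server $DomainB -Properties member
$memberSids = foreach ($dn in $waag.member) {
    (Get-ADObject -Identity $dn -Server $DomainB -Properties objectSid).objectSid.Value
}
foreach ($account in $Required) {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $state = if ($memberSids -contains $sid) { 'present' } else { 'MISSING' }
    "[WAAG in $DomainB] $account -> $state"
}

# 2. Name suffix routing on the forest trust, viewed from Domain A, whose KDC
#    has to route $Suffix to Domain B. netdom lists each suffix with its routing
#    status; a suffix shown as disabled (or absent) is the condition behind the
#    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN seen in the capture above.
$routing = netdom trust $DomainA /Domain:$DomainB /NameSuffixes:$DomainB 2>&1
$line = $routing | Where-Object { $_ -match [regex]::Escape($Suffix) }
if ($line) { "[Suffix routing $DomainA -> $DomainB] $line" }
else       { "[Suffix routing $DomainA -> $DomainB] $Suffix is not listed" }
```

Nested group membership is not expanded, so accounts added through another group show as MISSING; the netdom output line is matched by substring because its exact layout is not shown on this page.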


Problem Cause

1. Permissions issue: the StoreFront and FAS servers do not have access to the AD user object in the other domain.
2. Name suffix routing is not enabled for the trusted domain.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-err-c-principal-unknown-s4u2self-request
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784334(v=ws.10)?redirectedfrom=MSDN