Blank UPN for Users in trusting domain of Transitive-Two-Way forest trust

Article ID: CTX460318

Description

Problem: 
In Studio and Director, only the NetBIOS names of the users in the remote trusting domain are shown; the UPN value for those users is blank.
Attempting to view session information in Director fails. Instead you see "Cannot retrieve machines" and "No details are available", and an error dialog shows "Cannot find the referenced object."
(Screenshot: Director.png)
In Studio, when adding users to resources, the UPN for user accounts IS shown.

Scenario:

  • User accounts are in a remote domain that has a transitive, two-way trust with the domain containing the Citrix Site.
  • In this transitive, two-way trust, the trusted domain contains the Citrix Site and the trusting domain contains the user accounts.
  • In the case that prompted this article, the domain containing the Citrix Site was at Domain Functional Level 2012 and the domain with the users was at Domain Functional Level 2016.

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Resolution

The Delivery Controllers' (DDCs') machine accounts may need to be granted authentication access to the domain controllers in the trusting domain that contains the user accounts. This is done through the Active Directory Users and Computers snap-in.

Note: The Delivery Controllers can be added to a group to make granting the rights easier.
  1. In Active Directory Users and Computers in the trusting domain, browse to the Domain Controllers container.
  2. Right-click the domain controller and click Properties.
  3. Click the Security tab.
  4. Click Add, then click Locations and change the location to the trusted domain that contains the Delivery Controllers.
  5. Click Advanced, then click Object Types and choose 'Computers'.
  6. Select all the relevant Delivery Controllers or the group containing the Delivery Controllers (recommended) and click OK.
  7. Grant the rights Read and Allowed to authenticate, as displayed in the following screenshot:
(Screenshot: Grant-right-to-authenticate.PNG)
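To confirm that the rights granted above are actually in place on every domain controller of the trusting domain, the following added example (not part of the Citrix article) reads each DC computer object's security descriptor and looks for an Allow ACE that gives the DDC group the Allowed-To-Authenticate control access right. It assumes the ActiveDirectory PowerShell module, that corp.contoso.com is the trusting domain (taken from the article's dsquery example), and that citrix.example and XD-DDCs are a hypothetical trusted domain and DDC group.

```powershell
# Added example, not from the Citrix article: check whether the group holding the
# Delivery Controllers' computer accounts has "Allowed to authenticate" on every
# domain controller object in the trusting (user) domain.
# Assumed values: corp.contoso.com is the trusting domain; citrix.example and
# XD-DDCs are a hypothetical trusted domain and DDC group.
Import-Module ActiveDirectory

$UserDomain   = 'corp.contoso.com'   # trusting domain that holds the user accounts
$CitrixDomain = 'citrix.example'     # trusted domain that holds the Citrix Site and DDCs
$DdcGroup     = 'XD-DDCs'            # hypothetical group containing the DDC computer accounts

# rightsGuid of the Allowed-To-Authenticate control access right in the AD schema
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$AllObjectTypes        = [Guid]::Empty   # an ACE with an empty ObjectType covers all extended rights

# Compare by SID so the check also works when the foreign principal does not resolve to a name
$ddcSid = (Get-ADGroup -Identity $DdcGroup -Server $CitrixDomain).SID

function Test-AllowedToAuthenticate {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Sd,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    foreach ($ace in $Sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # IdentityReference may be DOMAIN\name or a raw SID; normalise it to a SID
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -ne $Sid) { continue }
        # GenericAll (full control) includes the ExtendedRight bit, so -band covers both cases
        $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $hasExtended = ([int]$ace.ActiveDirectoryRights -band $extended) -ne 0
        if ($hasExtended -and ($ace.ObjectType -eq $AllowedToAuthenticate -or $ace.ObjectType -eq $AllObjectTypes)) {
            return $true
        }
    }
    return $false
}

# Enumerate the DC computer objects of the trusting domain with their security descriptors
$dcContainer = 'OU=Domain Controllers,' + (Get-ADDomain -Server $UserDomain).DistinguishedName
$dcs = Get-ADComputer -Filter * -SearchBase $dcContainer -Server $UserDomain -Properties nTSecurityDescriptor

foreach ($dc in $dcs) {
    if (Test-AllowedToAuthenticate -Sd $dc.nTSecurityDescriptor -Sid $ddcSid) {
        "OK      {0}: {1} is allowed to authenticate" -f $dc.Name, $DdcGroup
    } else {
        "MISSING {0}: grant Read and Allowed to authenticate to {1}" -f $dc.Name, $DdcGroup
    }
}
```

Run it from an account that can read the Domain Controllers container in the trusting domain; any DC reported as MISSING is one the Delivery Controllers will still be refused by.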
 

Problem Cause

This may be the result of a mismatch in the Active Directory functional levels, or of some other selective trust configuration that does not allow the Delivery Controllers to authenticate to the Active Directory servers containing the user accounts.

  • When Citrix is resolving the users' properties, the security context is the Delivery Controller's machine account. In this case, the machine accounts of the Delivery Controllers did not have the right to authenticate in the remote domain.
  • Why are the UPNs visible in Studio when adding users to Delivery Groups? When using Studio, the security context is that of the Studio admin who is browsing the remote domain.
How can this cause be verified? In network traces captured with the steps below, you can see that the Delivery Controller does not have permission to authenticate. Using PsExec to launch PowerShell as SYSTEM, run dsquery and observe that the response is blank. Running the same query in an ordinary elevated command prompt as a Citrix admin, the dsquery results contain the UPN.
  1. Copy PsExec to the Delivery Controller (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). It is part of Sysinternals PSTools. For these instructions, unzip PSTools to C:\PSTools.
  2. Open an elevated command prompt and enter: c:\pstools\psexec.exe -i -s powershell.exe
  3. Run whoami to make sure you are running as NT AUTHORITY\SYSTEM.
  4. Start the netsh trace: netsh trace start capture=yes tracefile=c:\temp\system-dsquery.etl maxsize=4096 filemode=circular
  5. Query the UPN of users in the remote trusting domain. For example: dsquery user "dc=corp,dc=contoso,dc=com" -o upn
  6. Stop the netsh trace: netsh trace stop

For a working trace to compare against, use a normal elevated command prompt in the context of a Studio admin.

  1. Open an elevated command prompt.
  2. Start the netsh trace: netsh trace start capture=yes tracefile=c:\temp\admin-dsquery.etl maxsize=4096 filemode=circular
  3. Query the UPN of users in the remote trusting domain. For example: dsquery user "dc=corp,dc=contoso,dc=com" -o upn
  4. Stop the netsh trace: netsh trace stop

In the system-dsquery trace, note the Kerberos error: KRB5KDC_ERR_POLICY, NT Status: Unknown error code 0xc0000413.*

(Screenshot: KRB5KDC_ERR_POLICY NT Status unknown error code 8xc000413.png)

This 0xc0000413 error leads to the Microsoft knowledge article "A TGS request for the krbtgt account fails with KDC_ERR_POLICY and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xC0000413)".

This matches the error seen, "Referral was returned from the server", which means that the domain controller responding to the dsquery rejected the authentication request from the Delivery Controller. From the Microsoft article: "This issue occurs when, as part of processing the LsaLogonUser request, the Kerberos client must obtain an authentication ticket for the user from a domain controller in the user's trusted forest."


* The netsh traces can be converted to *.pcapng with the etl2pcapng.exe utility.