A new user is added in the customer AD.

The user logs on and is asked to to register for MFA.

However, when searching for the user account an error “user not found”  was seen.

 if the user tries again after a few hours the logon is possible and no error is seen.

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

There is  a replication issue in the environment .

Newly added user accounts are not being replicated quickly enough to all the AD locations and Doman Controllers.

So a Cloud Connector in NA for example will not be able to enumerate a user who is added in EMEA for a couple of hours until the replication finishes.

This affects  the Citrix Login as when a user logs a random Cloud Connector will be contacted .

So, for instance an EMEA user may be directed to a Cloud Connector in NA .This Cloud Connector  will contact it's local Domain Controller. It may not find the  user in AD and the logon fails.

Once the AD replication issue is resolved then the user will be immediately be able to logon.

 

 

---

Problem Cause

There are different Resource Locations with 5 Cloud Connectors in total.
To test if the AD information is available from all Cloud Connectors the following script should be run on on every Cloud Connectors ,
Substitute the an example username in $username

 

$am = Add-Type -AssemblyName System.DirectoryServices.AccountManagement

 

$pc = [System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain)

 

$username=' domain\usernamer’

 

[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($pc,$username)

 

The purpose of the script was to test if the username could by enumerated in AD .

On the first 2 Cloud Connectors the username was correctly found in AD .

However, there were 2 Cloud Connectors where the script was unable to enumerate the newly added user .

So there is clearly a replication issue in the environment . Newly added user accounts are not being replicated quickly enough to all the Ad locations .