Citrix Federated Authentication Service (FAS) logon issues in external trust environments with custom UPN suffixes

Article ID: CTX695391

Description

Symptoms

In environments where Citrix FAS is used with an external trust between Active Directory forests, user logon may fail with the following symptoms:

  • Users in the trusted forest are unable to log on when their User Principal Name (UPN) suffix does not match the Active Directory domain name of the external trust.

  • Event logs may show “Incorrect username or password” errors despite valid credentials.

  • Smart card or certificate logon fails because the UPN suffix embedded in the issued certificate cannot be resolved across the trust.

Example scenario (based on suffix routing behavior):

  • ForestA has a domain contoso.com and an alternate UPN suffix fabrikam.com.

  • ForestB trusts ForestA.

  • A user in ForestA with UPN user@fabrikam.com cannot authenticate through the external trust, because ForestB expects the certificate UPN suffix to match the domain name in ForestA (contoso.com).


Cause

This issue occurs due to a Microsoft limitation with certificate-based logon across external trusts.

According to Microsoft (KB dd560679):

Certificate logon may fail if the UPN suffix in the certificate does not match the actual domain name in the external trusted forest.

The UPN suffix in the certificate must directly map to a trusted domain name. Custom UPN suffixes that do not align with the domain name are not routable in this context.

Resolution

Workaround

As documented in Microsoft guidance (Event ID 17 – KFSO not working in external trust), administrators can configure Kerberos Forest Search Order (KFSO) via Group Policy to allow logon when multiple UPN suffixes exist in the trusted forest.

Steps (high level):

  1. Configure the Kerberos Forest Search Order Group Policy setting under:
    Computer Configuration > Administrative Templates > System > KDC

  2. Add the trusted forest/domain explicitly to the KFSO list.

  3. Apply the GPO to the domain controllers that handle authentication for the external trust.


Limitations

  • KFSO only works when the external trusted forest contains a single domain.

  • If the second forest contains multiple domains, KFSO will not resolve custom UPN suffixes correctly.

  • In multi-domain environments, the external trust must be replaced with a forest trust, which enables proper UPN suffix routing across all domains in the forest.

  • Administrators must ensure that the UPN suffix used in certificates matches the external trust domain name whenever possible, as this remains the only fully supported configuration.


Recommendation

  • For environments where users have custom UPN suffixes that do not match the external trust domain, consider normalizing UPN suffixes to align with the trusted domain name.

  • If custom UPN suffixes must be preserved, KFSO can be used as a workaround, but only in single-domain external trusts.

  • If the second forest contains multiple domains, configure a forest trust instead of an external trust to enable UPN suffix routing.

  • Validate certificate templates in FAS to ensure the issued certificate UPN matches the domain configuration.
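The cause, limitations and recommendations above reduce to one decision per user: does the UPN suffix that FAS places in the certificate match the trusted domain name, and if not, is the trust one where a workaround applies? The following PowerShell function, added here as an example and not code from Citrix or Microsoft, encodes that decision table so an administrator can run it over a list of UPNs before rolling out FAS across a trust. The function name, its parameters and the sample UPNs are constructed for this example; the classification rules are the ones stated in this article (exact suffix match is supported, a forest trust routes custom suffixes, KFSO applies only to a single-domain external trust, anything else needs suffix normalization or a forest trust).

```powershell
# Added example (not Citrix or Microsoft code). Classifies each UPN that a FAS
# certificate would carry according to the routing rules in this article.
function Test-FasUpnRouting {
    param(
        # UPNs as they will appear in the FAS-issued certificate SAN
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        # DNS name of the domain on the far side of the trust (e.g. contoso.com)
        [Parameter(Mandatory)] [string]   $TrustedDomainName,
        # External trust (domain-to-domain) or forest trust
        [Parameter(Mandatory)] [ValidateSet('External', 'Forest')] [string] $TrustType,
        # Number of domains in the trusted forest; KFSO only helps when this is 1
        [Parameter(Mandatory)] [int]      $TrustedForestDomainCount
    )

    foreach ($upn in $UserPrincipalNames) {
        if ($upn -match '^[^@\s]+@(?<suffix>[^@\s]+)$') {
            $suffix = $Matches['suffix']
            if ($suffix -ieq $TrustedDomainName) {
                $status = 'Supported'
                $action = 'Suffix matches the trusted domain name; fully supported, no change needed'
            }
            elseif ($TrustType -eq 'Forest') {
                $status = 'Routable'
                $action = 'Forest trust provides UPN suffix routing; confirm the suffix is enabled for routing on the trust'
            }
            elseif ($TrustedForestDomainCount -eq 1) {
                $status = 'Workaround'
                $action = 'Custom suffix over a single-domain external trust; configure KFSO on the KDCs (Event ID 17 guidance)'
            }
            else {
                $status = 'Unsupported'
                $action = 'Custom suffix over a multi-domain external trust; normalize the suffix or replace the external trust with a forest trust'
            }
        }
        else {
            $suffix = $null
            $status = 'Invalid'
            $action = 'Value is not a UPN; check the SAN configuration of the FAS certificate template'
        }

        [pscustomobject]@{
            UPN    = $upn
            Suffix = $suffix
            Status = $status
            Action = $action
        }
    }
}

# Constructed sample data mirroring the article's scenario: ForestA's domain is
# contoso.com and fabrikam.com is an alternate UPN suffix in that forest.
$sampleUpns = 'alice@contoso.com', 'bob@fabrikam.com', 'carol@FABRIKAM.COM', 'not-a-upn'

# Single-domain external trust: custom suffixes can fall back to the KFSO workaround.
Test-FasUpnRouting -UserPrincipalNames $sampleUpns -TrustedDomainName 'contoso.com' `
    -TrustType External -TrustedForestDomainCount 1 | Format-Table -AutoSize

# Multi-domain external trust: the same custom suffixes are unsupported.
Test-FasUpnRouting -UserPrincipalNames $sampleUpns -TrustedDomainName 'contoso.com' `
    -TrustType External -TrustedForestDomainCount 2 | Format-Table -AutoSize
```

With the ActiveDirectory module, the real inputs come from `Get-ADTrust -Filter *` (the `ForestTransitive` property distinguishes a forest trust from an external trust) and from `Get-ADForest -Server <a DC in the trusted forest>`, whose `Domains` property gives the domain count and whose `UPNSuffixes` property lists the alternate suffixes that will show up in certificates. Any UPN reported as `Unsupported` is one that will produce the "Incorrect username or password" symptom described above regardless of the credentials supplied.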

Issue/Introduction

When using Citrix FAS in environments with an external trust between forests, users may be unable to log on if their UPN suffix does not match the domain name in the trusted forest. This limitation is caused by Microsoft restrictions on certificate-based authentication in external trusts.

Additional Information