LDAP authentication fails with error "user <username> not found" if using UPN to login Gateway

Article ID: CTX579186

Description

LDAP authentication fails when a UPN (userPrincipalName, i.e. username@domainname.com) is used to log in to Gateway. When /tmp/aaad.debug is run on the NetScaler, the error "user <username>@domainname.com not found" is printed in the log.

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[528]: receive_ldap_user_search_event 0-2: ldap_first_entry returned null, user user1@test.com not found  
/usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5460]: send_reject_with_code 0-2: Not trying cascade again 4009

Resolution

Solution 1: Log in with the username in sAMAccountName format.

Solution 2: Set Server Logon Name Attribute to "userPrincipalName" in LDAP Server of NetScaler.

In NetScaler GUI,

1. Navigate to Citrix Gateway > Policies > Authentication > LDAP > Servers.

2. Select the LDAP server and click Edit.

3. In the Other Settings section, set Server Logon Name Attribute to userPrincipalName.

4. Click "OK" to complete the changes.

Problem Cause

The Server Logon Name Attribute in the LDAP Server setting is "sAMAccountName" (-ldapLoginName sAMAccountName in the authentication action below).

add authentication ldapAction 10.x.x.x_LDAP -serverIP 10.x.x.x -ldapBase "dc=test,dc=com" -ldapBindDn administrator@test.com -ldapBindDnPassword 40xxxxxxxxxx266c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_11_28_11_31_06 -ldapLoginName sAMAccountName -secType TLS -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberof 

NetScaler therefore uses "sAMAccountName=<username>@domainname.com" as the LDAP filter when searching for the user. However, the sAMAccountName attribute generally holds the domainname\username-style logon name, while username@domainname.com is the UPN stored in userPrincipalName, so the search returns no entry and NetScaler reports the user as not found.

The following message is printed in aaad.debug log.

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[1384]: ns_ldap_search 0-2: Searching for <<(& (sAMAccountName=user1@test.com) (objectClass=*))>> from base <<dc=test,dc=com>>
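As an added illustration (not part of the Citrix article or of NetScaler's code), the following Python models how the entered username and the Server Logon Name Attribute become the search filter shown above, and checks it against a small constructed directory under dc=test,dc=com. The RFC 4515 escaping of the username is good practice for any filter built from user input and is an assumption of this example, not a statement about what NetScaler does.

```python
# Added example: models the NetScaler LDAP user search described in the article.
# Directory entries, DNs and user names below are constructed sample data.

# RFC 4515 escaping for values embedded in an LDAP filter (assumption of this
# example; the article does not say how NetScaler treats special characters).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login_name_attr: str, entered_user: str) -> str:
    """Reproduce the filter seen in aaad.debug: (& (attr=user) (objectClass=*))."""
    return f"(& ({login_name_attr}={escape_filter_value(entered_user)}) (objectClass=*))"


# Constructed sample directory: each user has both a sAMAccountName and a UPN.
DIRECTORY = [
    {"dn": "cn=user1,cn=Users,dc=test,dc=com",
     "sAMAccountName": "user1", "userPrincipalName": "user1@test.com"},
    {"dn": "cn=user2,cn=Users,dc=test,dc=com",
     "sAMAccountName": "user2", "userPrincipalName": "user2@test.com"},
]


def search_user(login_name_attr: str, entered_user: str) -> list:
    """Emulate the equality search the filter performs and return matching DNs.

    Active Directory compares these attributes case-insensitively, so the
    emulation does too. An empty list is the 'user ... not found' case.
    """
    wanted = entered_user.lower()
    return [e["dn"] for e in DIRECTORY
            if e.get(login_name_attr, "").lower() == wanted]


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(build_login_filter(attr, "user1@test.com"),
              "->", search_user(attr, "user1@test.com") or "user not found")
```

With ldapLoginName set to sAMAccountName the UPN login yields no entry, which is the 4009 reject in the log; switching the attribute to userPrincipalName (Solution 2) or entering the short name (Solution 1) finds the user.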