Display Names Appear in Different Format When Using Multiple Identity Providers
Article ID: CTX587657
Description
When viewing Monitor or Studio, the list of user names may appear in a mix of different formats (UPN, DisplayName, NETBIOS, SID).
Resolution
The current solution is to set the PreferredAccountName via the Remote PowerShell SDK. This setting is held in the Broker's site settings and forces all names to appear in one format. The options are SamNameUpnFallback (the default), SamName, and UPN.
It is important to note that the SamName and UPN options do not fall back to another field when that field is not available in the IDP; in that case the user's SID is shown in place of their username. For instance, non-AD identity providers do not have a SamName, and some AD deployments do not have UPNs for every user or group. Generally, the UPN option appears to be popular, and it alleviates some of the display issues for customers who prefer their user lists to show up in UPN format.
Citrix is currently investigating other options, with more information to be provided in the future.
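The following is an added illustration, not part of the Citrix article: a Remote PowerShell SDK session that first classifies how each Broker user's name currently renders, then lists the users who would collapse to a bare SID under the no-fallback UPN option, and only then changes the site setting. The `-PreferredAccountName` parameter on `Set-BrokerSite`, and the `Name`, `UPN`, `SID` and `PrimaryClaim` properties on the user objects, are assumed from the article's wording rather than taken from SDK documentation.

```powershell
# Added example (not from the Citrix article). Assumes the Citrix DaaS Remote
# PowerShell SDK is installed and that Set-BrokerSite exposes the
# PreferredAccountName site setting the article describes; the parameter name
# is assumed here, so confirm it with Get-Help Set-BrokerSite first.
Get-XDAuthentication   # prompts for Citrix Cloud credentials

# Classify a rendered user name into one of the formats the article lists.
function Get-BrokerNameFormat {
    param([string]$Name)
    switch -Regex ($Name) {
        '^S-1-'      { return 'SID' }          # raw security identifier
        '@'          { return 'UPN' }          # user@domain
        '\\'         { return 'NETBIOS' }      # DOMAIN\user (SamName)
        default      { return 'DisplayName' }
    }
}

$users = Get-BrokerUser -MaxRecordCount 100000

# How mixed is the current user list? One row per format.
$users | Group-Object { Get-BrokerNameFormat $_.Name } |
    Select-Object Name, Count

# SamName/UPN do not fall back, so every user with no UPN in their identity
# provider would render as a SID once PreferredAccountName is set to UPN.
# PrimaryClaim shows which claim (AD SID vs AzureAD OID) each object carries.
$noUpn = $users | Where-Object { [string]::IsNullOrEmpty($_.UPN) }
$noUpn | Select-Object Name, SID, PrimaryClaim | Format-Table -AutoSize

# Switch only once the list above is empty or acceptable.
if ($noUpn.Count -eq 0) {
    Set-BrokerSite -PreferredAccountName UPN          # assumed parameter name
    Get-BrokerSite | Select-Object PreferredAccountName
}
```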
Problem Cause
This issue can happen in the User Lookup Process in a scenario similar to the following:
- Workspace is configured to use AzureAD for login. AzureAD user accounts have Active Directory Security Identifier (SID) claims synced from an on-premises Active Directory domain. Applications are assigned to AzureAD group Object IDs (OIDs) from Web Studio. When a user launches a session, Workspace sends all of the user's claims (the non-AD OID and the synced AD SID) to the Broker with an AzureAD DirectoryContext. The session, which runs as an AD user, is associated with the AD SID and AzureAD DirectoryContext combination supplied by Workspace. In the worst case, the application is assigned to the user's AzureAD OID while the session runs under the user's AD SID. This leads to what appear to be duplicate users when searching with Get-BrokerUser and the username. Two user objects returned from Get-BrokerUser with this behavior are shown below for reference:

- The two user objects represent two different claims from a single user in AzureAD, as indicated by the "PrimaryClaim" field. The first claim is the synchronized AD SID from the on-premises AD, and the second is the AzureAD OID string formatted by Citrix Cloud to include the OID:/azuread/.. prefix. Both SIDs are looked up in AzureAD because the DirectoryContext's IdentityProvider is AzureAD, and thus return identical username information. This makes it appear that there are duplicate users in the Broker database, but they are in fact different objects. It is important to keep track of which user claim, rather than which user name, is assigned to a resource.
- Because of the behavior shown for the user with AD SID S-1-5-21-1111111111-2222222222-3333333333-4444 in the example above, the user name appears in UPN format instead of the traditional SamName (domain\username) format that was typically seen for AD SIDs in on-premises deployments. The result is user lists containing both UPNs and SamNames as usernames for AD SIDs, and therefore inconsistent names in UI name lists.
Issue/Introduction
Use of multiple Identity Providers within Citrix DaaS may result in user names appearing in a mix of formats.