Symptoms
Published applications and published desktops cannot be accessed after the UPN suffix is changed.
One of the AD users receives an “Incorrect password or username” error. The following Security log entry is visible on the RDSH:

Cause
0xC0000064 - Username does not exist
As per Microsoft:
“The UPN in the certificate does not match the UPN defined in the user's Active Directory user account. Correct the UPN in the smartcard user's Active Directory user account or reissue the smartcard certificate so that the UPN value in the SubjAltName field matches the UPN in smartcard users' Active Directory user account. We recommend that the smart card UPN matches the userPrincipalName user account attribute for third-party CAs. However, if the UPN in the certificate is the "implicit UPN" of the account (format samAccountName@domain_FQDN), the UPN does not have to match the userPrincipalName property explicitly.”
The currently issued certificate for user evgeny.1 contains a SAN with the suffix @test-cmp.local.

SAN contains “@test-cmp.local”
The AD user object contains a different UPN suffix that does not match the SAN found in the user’s certificate.
UPN suffix is “@prls.ev.dev”
Attempting to launch an application with this configuration fails with the same error that the customer receives.
Event ID 4625 indicating the reason for logon failure
Resolution
The certificate only needs to be re-issued if the current certificate contains a custom UPN suffix instead of a base suffix.
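The comparison described under Cause can be scripted before deciding whether to re-issue. The PowerShell below is an added example, not part of the original article or of Microsoft's guidance; the function names are hypothetical, evgeny.1 is assumed to be the samAccountName, and the domain FQDN ad.example.test is a constructed placeholder.

```powershell
function Get-CertificateUpn {
    # Returns the UPN stored in the certificate's Subject Alternative Name, or $null.
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Assumption: English Windows renders the entry as "Principal Name=user@suffix".
    if ($san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

function Test-CertificateUpnMapping {
    # Classifies the certificate UPN against the account, following the quoted rule:
    # it must equal userPrincipalName, or be the implicit UPN samAccountName@domain_FQDN.
    param(
        [Parameter(Mandatory)][string]$CertificateUpn,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DomainFqdn
    )
    $implicitUpn = "$SamAccountName@$DomainFqdn"
    # String -eq is case-insensitive in PowerShell, which suits UPN comparison.
    if ($CertificateUpn -eq $UserPrincipalName) {
        $status = 'ExplicitMatch'
    } elseif ($CertificateUpn -eq $implicitUpn) {
        $status = 'ImplicitMatch'
    } else {
        $status = 'Mismatch'
    }
    [pscustomobject]@{
        CertificateUpn    = $CertificateUpn
        UserPrincipalName = $UserPrincipalName
        ImplicitUpn       = $implicitUpn
        Status            = $status
        ReissueOrFixUpn   = ($status -eq 'Mismatch')
    }
}

# Values taken from the article; the domain FQDN is a constructed placeholder.
Test-CertificateUpnMapping -CertificateUpn 'evgeny.1@test-cmp.local' `
    -UserPrincipalName 'evgeny.1@prls.ev.dev' `
    -SamAccountName 'evgeny.1' -DomainFqdn 'ad.example.test'

# Live lookup on a domain-joined host with the ActiveDirectory module:
# $user = Get-ADUser -Identity 'evgeny.1'
# Test-CertificateUpnMapping -CertificateUpn (Get-CertificateUpn $cert) `
#     -UserPrincipalName $user.UserPrincipalName `
#     -SamAccountName $user.SamAccountName -DomainFqdn (Get-ADDomain).DNSRoot
```

A `Mismatch` status corresponds to the 0xC0000064 failure described above; `ImplicitMatch` means the certificate carries the base suffix and does not need to be re-issued.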