Symptoms
On Windows Server 2025, an unexpected authentication behavior occurs when logging into Parallels RAS Console or Parallels RAS Client for Windows using a User Principal Name (UPN) that includes an invalid or non-existent domain.
In this scenario, authentication succeeds as if only the SAMAccountName portion of the username was used.
This differs from previous Windows Server versions (e.g., 2019, 2022), where authentication required a valid UPN and domain.
Impact: This behavior can cause failures in remote operations such as agent deployment or host management within Parallels RAS environments.
- Users can log in using credentials in the format
username@invaliddomainon Windows Server 2025. - Authentication succeeds even though the domain after
@does not exist or is unrelated to the account. - Issue does not occur on Windows Server 2019 or 2022.
- Remote operations (e.g., agent push, adding Azure Virtual Desktop hosts) fail due to incorrect or unresolvable credential references.
Cause
Windows Server 2025 introduces changes in Microsoft’s authentication APIs (notably LogonUser and GetUserNameEx).
When a UPN is provided, the system authenticates using the SAMAccountName and ignores the domain suffix.
Example:
adminuser@invaliddomain.com authenticates as adminuser, even though invaliddomain.com does not exist.
This leads to mismatched credentials during subsequent remote operations in Parallels RAS.
Resolution
Currently, this behavior appears to be a Windows Server 2025 change and is not seen in earlier versions.
Recommended actions:
- Use valid UPNs or SAMAccountName when logging into Parallels RAS components on Windows Server 2025.
- Ensure UPN suffixes exist in Active Directory and match the user’s configured UPN.
- Monitor Microsoft documentation for updates or fixes related to authentication behavior.
- Parallels will provide additional guidance or workarounds in future RAS updates if confirmed as a Microsoft-side issue.
Was this article helpful?
Tell us how we can improve it.