After creating a licensing site in Directory Server 10.4.5 or upgrading Directory Server version 10.4.2 or older to version 10.4.5, sign-in will fail for Windows users meeting all of the following criteria:
- Users are from an identity provider that was automatically added to Directory Server.
- Users are signing in with the username and password fields on the STS sign-in page rather than using the Windows Authentication button.
- Users are signing in with a username in User Principal Name (UPN) format (for example, user@domain.com).
When an identity provider is automatically added for the Directory Server computer's current domain and all of its trusted domains, Directory Server does not store the domain SID. This value is required for sign-in with a UPN-format username to work properly.
There are a few workarounds for this issue. Choose one of the options below:
- Disable Windows authentication for the affected identity provider(s) and save the change. Then re-enable Windows authentication for the identity provider(s) and save the change again.
- For each affected identity provider, sign in as any Windows user, either by using the Windows Authentication button in STS or by signing in to the Directory Server administration console.
- Delete the affected identity provider(s), then manually register them again in Directory Server.