Problem Definition:

Users by default must logon the UPN (User Principal Name) Suffix which is the default for the domain.  In a multitenant environment, this limits the customization and branding for each tenant organization.


By default, Active Directory user accounts use the active directory domain name as the UPN logon suffix.


CloudConnect supports the use of alternative UPN suffixes, however you must create them as needed. Use the following procedure to add alternative UPN suffixes to your domain, then bind the appropriate suffix to the appropriate user account:

Note: Application enumeration will fail of the user’s assigned Citrix Desktop Host has not been configured with at least the CloudConnect Desktop Host Configuration Utility Version 3.0.0 or greater.

Access your Active Directory Domain Controller with at least Domain Administrator privileges. Click the Start Menu and type “Active Directory Domains and Trusts.”

In the Active Directory Domains and Trusts console, verify that "Active Directory Domains and Trusts" is highlighted in the left hand tree.  Then choose the "Action Menu" and Select "Properties."


A dialogue box will appear.  Enter the suffix into the list box, click “Add,” and then “Apply.”  In this example, we add ‘’  You may add additional suffixes for different end user organizations as needed.

Close “Active Directory Domains and Trusts,” and edit the user account properties for the user(s) you would like to assign this logon suffix to in “Active Directory Users and Computers.”

In the User’s Account tab, choose the desired Suffix from the drop down menu. Click “Apply”, and then “Okay”

The custom suffix has been applied.  Note that it may take up to 10 minutes for CloudConnect to learn the suffix and update its UPN suffix routing tables.  The user’s logon experience will now look like this:


Additional Information:

This functionality is limited to systems joined to CloudConnect’s XenApp 7.7 farm (or greater).  Generic UPN suffixes will not be routed.  In case of a UPN suffix conflict or collision with two partner organizations, the suffix with the oldest registration prevails.

Note, you or your end user organization must be the official ICANN registrant of the domain name being used as a suffix. Failure to maintain appropriate registration in good standing with ICANN of the domain name in use may result in CloudConnect’s disabling the routing of the suffix without notice.

Applies To:

Microsoft Windows Server 2012 R2 Domain Controller with Windows Server 2012 R2 Forest Functional Level

Citrix XenApp 7.7 Citrix Desktops Only