There is an article from Citrix explaining how to do this, but it is missing an important configuration step to make it work fully.
This is what the article says:
Make two LDAP server profiles pointing to the same LDAP server IP. All the values should be the same in the configuration except one. The Server logon name attribute is different for both the profiles. One has ‘sAMAccountName’ and the other one will be ‘userPrincipalName’.
Now when the user tries to login with ‘domain\username’, they will be authenticated by the LDAP profile using ‘sAMAccountName’. And when they use their email id, they will be allowed by the other LDAP profile.
So far so good. If you try this, you’ll end up with the most common StoreFront error, “Cannot complete your request”, and if you take a deeper look at the event logs on your StoreFront servers, you’ll notice errors like “Event ID 10 & 7”.
So how do we solve this?
What we need to do is have the NetScaler validate the userPrincipalName of the user in question, extract its sAMAccountName, and then forward it to the StoreFront server. To achieve this, you need to reconfigure your UPN authentication profile by setting the “SSO Name Attribute” to “sAMAccountName”.
Now, have both authentication policies bound to your access gateway VIP and test the configuration by logging on with either sAMAccountName or userPrincipalName.
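The same setup expressed as NetScaler CLI commands, as an added example that is not taken from the Citrix article or the original post. The object names, server IP, base DN, bind account, vserver name, and the choice of LDAPS on port 636 are all placeholder assumptions; substitute your own values.

```netscaler
# Profile 1: users log on with sAMAccountName (domain\username or username).
# All names, the IP, the base DN and the bind account are placeholders.
add authentication ldapAction LDAP_sAM_act -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN

# Profile 2: identical, except the logon name attribute is userPrincipalName.
# -ssoNameAttribute sAMAccountName is the missing step: after a successful
# UPN logon the NetScaler looks up the user's sAMAccountName and passes that
# name, not the UPN, on to StoreFront for single sign-on.
add authentication ldapAction LDAP_UPN_act -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword <bind-password> -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute sAMAccountName

# One policy per profile.
add authentication ldapPolicy LDAP_sAM_pol ns_true LDAP_sAM_act
add authentication ldapPolicy LDAP_UPN_pol ns_true LDAP_UPN_act

# Bind both policies to the access gateway virtual server with different
# priorities, so a logon that fails against the first is tried on the second.
bind vpn vserver AG_VIP -policy LDAP_sAM_pol -priority 100
bind vpn vserver AG_VIP -policy LDAP_UPN_pol -priority 110

# Confirm that the UPN profile carries the SSO name attribute.
show authentication ldapAction LDAP_UPN_act
```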