000039454 - How to verify that RSA Authentication Agent for Windows can perform challenge user lookups across different Active Directory, AD Domains or Forests

Document created by RSA Customer Support Employee on Nov 18, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039454
Applies ToRSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x, 7.4, 7.3.x
Platform: Windows
Platform (Other): Challenge group for users across 2 Domains
O/S Version: 10
 
IssueThe RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide (auth_agent_install_admin_guide.pdf), p. 23 under Create Groups of Users to Challenge with RSA SecurID, states "Confirm that groups that you create are recognized by Active Directory, [AD] as a group and can be queried. For detailed instructions on creating groups, see your Microsoft Windows documentation."

This means that when user challenge is based on group membership (as opposed to challenge everyone), the user lookup involves a Get-ADPrincipalGroupMembership command, which might:
  1.  Simply look in all sub-domains under a single AD Domain, or
  2.  Need to lookup from one AD forest to another, different AD forest - in which case there would need to be a 'trust' relationship between forests, or this lookup will fail.

This Knowledge Base, KB article will demonstrate how to use Windows PowerShell Get-ADUser -Identity to verify that Windows agents can find an AD user in order to successfully challenge that user.

Symptoms that AD challenge User lookup failed
Windows Agent log file
===SIDAuthenticator(LogonUI).log===
ADsOpenObject failed.
[sidChallenge::checkCachedSettings] Cannot open challenge cache data key for user <UserID>
[ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = <Domain_NT4_name>\<UserID>

===SIDCredentialProvider(LogonUI).log===
[sidChallenge::checkCachedSettings] Caught error: 0x2
[sidChallenge::checkCachedSettings] userLocation = LOCATION_UNKNOWN
 
Tasks
  1. Procure a Windows platform that has Powershell.
  2. Ensure PowerShell includes the Active Directory Module.
  3. Test individual UserID lookups by SamAccountName or another identifying attribute, for example
        Get-ADUser -Identity <UserID>

Details

  1. Procure a Windows platform that has Powershell
    PowerShell_search
     
  2. Ensure PowerShell includes the Active Directory Module.
    Get_ADUser_RSA_Command_NotFound
    If the AD Module is not installed in PowerShell, you will get the CommandNotFoundException
    Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
     
  3. Test individual UserID lookups by SamAccountName or another identifying attribute, e.g.
        Get-ADUser -Identity <UserID>

    Get_ADUser_UserID_RSA_samaccount_Found
ResolutionOnce you are satisfied that PowerShell is working and its Active Directory Module is installed, the basic command to lookup a UserID or SamAccountName is:

     Get-ADUser -Identity <UserID>
Where <UserID> is a logon name or SamAccountName.

A Successful lookup returns information about the UserID.
User Found

Notice that you can optionally search a specific Domain Controller Server with the -server setting.

An unsuccessful lookup returns User Not found, ObjectNotFound.

Get_ADUser_UserID_Jap_NotFound
If you cannot find a specific UserID or SamAccountName with Get-ADUser -Identity from the Windows Agent, check the Authentication Manager Security Console to see if this userID exists in AM. Search across all Identity Sources if necessary.

SC-IDentity-Users-AcrossAll.png

If you have demonstrated that a UserID is visible in AM, but you have been unsuccessful in finding the same UserID with Get-ADUser -Identity, You might need to try various PowerShell Get-AD* commands in order to find an exact match on SamAccountName, or to search for an entire Domain by all users in specific organizational unit ou.

     Get-ADUser -Filter "SamAccountName -eq '<UserID>'" 
     Get-ADUser -server "<DomainControllerName>" -Identity <UserID>
     Get-ADUser -Filter * -SearchBase 'OU=vcloud Users,DC=2k12-vcloud,DC=local'              
- this last command gets all vcloud users from the ou – thousands!!!

You can check a found user's group memberships with the following commands
    Get-ADPrincipalGroupMembership <SamAccountName>
 
  Get-ADPrincipalGroupMembership <UserID> | select name

GrpMembership
    
If you have multiple Domains and Forests, you might need to Get-ADUser -Identity for several different users from different Domains, Forests, or Authentication Manager Identity Sources.

 
NotesUltimately you might need to bring in the Directory team to get an understanding of the entire structure, in order to search across all directories.  Sometimes you will find it is simply easier and more secure, to challenge everyone and avoid the need to lookup across multiple forests.

Attachments

    Outcomes