|Applies To||RSA Product Set: RSA SecurID|
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x, 7.4, 7.3.x
Platform (Other): Challenge group for users across 2 Domains
O/S Version: 10
|Issue||The RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide (auth_agent_install_admin_guide.pdf), p. 23 under Create Groups of Users to Challenge with RSA SecurID, states "Confirm that groups that you create are recognized by Active Directory, [AD] as a group and can be queried. For detailed instructions on creating groups, see your Microsoft Windows documentation."|
This means that when user challenge is based on group membership (as opposed to challenge everyone), the user lookup involves a Get-ADPrincipalGroupMembership command, which might:
This Knowledge Base, KB article will demonstrate how to use Windows PowerShell Get-ADUser -Identity to verify that Windows agents can find an AD user in order to successfully challenge that user.
Symptoms that AD challenge User lookup failed
Windows Agent log file
[sidChallenge::checkCachedSettings] Cannot open challenge cache data key for user <UserID>
[ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = <Domain_NT4_name>\<UserID>
[sidChallenge::checkCachedSettings] Caught error: 0x2
[sidChallenge::checkCachedSettings] userLocation = LOCATION_UNKNOWN
|Resolution||Once you are satisfied that PowerShell is working and its Active Directory Module is installed, the basic command to lookup a UserID or SamAccountName is:|
Get-ADUser -Identity <UserID>
Where <UserID> is a logon name or SamAccountName.
A Successful lookup returns information about the UserID.
Notice that you can optionally search a specific Domain Controller Server with the -server setting.
An unsuccessful lookup returns User Not found, ObjectNotFound.
If you cannot find a specific UserID or SamAccountName with Get-ADUser -Identity from the Windows Agent, check the Authentication Manager Security Console to see if this userID exists in AM. Search across all Identity Sources if necessary.
If you have demonstrated that a UserID is visible in AM, but you have been unsuccessful in finding the same UserID with Get-ADUser -Identity, You might need to try various PowerShell Get-AD* commands in order to find an exact match on SamAccountName, or to search for an entire Domain by all users in specific organizational unit ou.
Get-ADUser -Filter "SamAccountName -eq '<UserID>'"
Get-ADUser -server "<DomainControllerName>" -Identity <UserID>
Get-ADUser -Filter * -SearchBase 'OU=vcloud Users,DC=2k12-vcloud,DC=local'
- this last command gets all vcloud users from the ou – thousands!!!
You can check a found user's group memberships with the following commands
Get-ADPrincipalGroupMembership <UserID> | select name
If you have multiple Domains and Forests, you might need to Get-ADUser -Identity for several different users from different Domains, Forests, or Authentication Manager Identity Sources.
|Notes||Ultimately you might need to bring in the Directory team to get an understanding of the entire structure, in order to search across all directories. Sometimes you will find it is simply easier and more secure, to challenge everyone and avoid the need to lookup across multiple forests.|