000020339 - Users being challenged for SecurID that are not in the Challenge Group

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000020339
Applies To: Microsoft Windows NT 4.0
Microsoft Windows 2000
RSA ACE/Agent 5.0 for Windows
Issue: Users being challenged for SecurID that are not in the Challenge Group
With debug enabled, the aceclient.log contains the following data:
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:966 # Entering errGetGroupType()
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:971 # Local group
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:1005 # Leaving errGetGroupType(), result = 0
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:1263 # Calling errGetLocalMembers(), user = AD_Domain\username, group = \\Local_Domain\SDLocal
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:627 # Entering errGetLocalMembers()
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:628 # User name = AD_Domain\username
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:555 # Entering errGetGlobalGroups()
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:556 # User name = AD_Domain\username
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:418 # Entering GetDCMachine()
[2408] 11:07:58.250 File:..\clntsrc\sdsid.c Line:586 # Calling NetUserGetGroups()
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:596 # Leaving errGetGlobalGroups(), # of global groups found = 0
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:648 # Leaving errGetLocalMembers(), errGetGlobalGroups failed!, return -1073724706
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:1292 # Leaving errCheckUserInGroup(), return = -1073724706
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:1428 # Leaving dwCheckUserChallenge(), return = 1
[2408] 11:07:59.656 File:GNDLLENT.c Line:796 # User will be challenged
Cause: In a mixed Windows NT 4.0 and Windows 2000 environment, a more relaxed security policy must be set, because the Windows NT 4.0 authentication process uses anonymous (null) credentials to request the information.
Resolution: When the Active Directory server is created, select the "Permissions compatible with pre-Windows 2000 servers" option. The same permissions can be added after the initial installation by running the following command on a Domain Controller:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
For more information, see http://www.winnetmag.com/Articles/Index.cfm?ArticleID=8899.
 
Legacy Article ID: a16098
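
The pattern in the aceclient.log excerpt above (a group lookup that fails, followed on the same thread by "User will be challenged") can be searched for across a longer debug log. The Python script below is an added example, not RSA code; the function name find_failed_lookups is hypothetical, and the sample text is constructed from the log lines quoted in this article.

```python
import re

# Constructed sample: key lines copied from the aceclient.log excerpt in this article.
SAMPLE_LOG = r"""
[2408] 11:07:57.968 File:..\clntsrc\sdsid.c Line:1263 # Calling errGetLocalMembers(), user = AD_Domain\username, group = \\Local_Domain\SDLocal
[2408] 11:07:58.250 File:..\clntsrc\sdsid.c Line:586 # Calling NetUserGetGroups()
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:596 # Leaving errGetGlobalGroups(), # of global groups found = 0
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:648 # Leaving errGetLocalMembers(), errGetGlobalGroups failed!, return -1073724706
[2408] 11:07:59.656 File:..\clntsrc\sdsid.c Line:1428 # Leaving dwCheckUserChallenge(), return = 1
[2408] 11:07:59.656 File:GNDLLENT.c Line:796 # User will be challenged
"""

# "[thread] time File:<src> Line:<n> # <message>"
LINE = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d\.\d+)\s+File:\S+\s+Line:\d+\s+#\s+(.*)$")
LOOKUP = re.compile(r"Calling errGetLocalMembers\(\), user = (.+?), group = (.+)$")
FAILED = re.compile(r"errGetGlobalGroups failed!, return (-?\d+)")

def find_failed_lookups(log_text):
    """Return challenges that followed a failed group lookup, tracked per thread."""
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or non-debug lines
        tid, ts, msg = m.groups()
        if (lk := LOOKUP.search(msg)):
            # A new membership check starts: remember who and which group.
            state[tid] = {"user": lk.group(1), "group": lk.group(2), "code": None}
        elif (f := FAILED.search(msg)) and tid in state:
            state[tid]["code"] = int(f.group(1))
        elif msg == "User will be challenged":
            ctx = state.pop(tid, None)
            if ctx and ctx["code"] is not None:
                # Also show the signed return value as an unsigned 32-bit hex code.
                ctx["hex"] = f"0x{ctx['code'] & 0xFFFFFFFF:08X}"
                findings.append({"thread": tid, "time": ts, **ctx})
    return findings

if __name__ == "__main__":
    for hit in find_failed_lookups(SAMPLE_LOG):
        print(hit)
```

A challenge that is not preceded by a failed lookup on the same thread is not reported, so users who are legitimately in the Challenge Group do not show up in the output.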
