000014484 - Authentications fail: 'Principal does not belong to any groups activated on restricted agent'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2


Article Number: 000014484
Applies To: SecurID Appliance 3.0
RSA Authentication Manager 7.1
User is in a group that has been given access to the agent
Users and groups are in Microsoft Active Directory
Issue: Authentications fail, "Principal does not belong to any groups activated on restricted agent"
Cause

The LDAP user specified when defining the identity source may not have the Active Directory permissions needed to read the group (or one of its nested groups). To verify this, save the VBScript below in a file named listusergroups.vbs and, while logged on to the Active Directory server as that LDAP user, run it as follows:


cscript listusergroups.vbs "cn=<username>,ou=myou,dc=MyDomain,dc=com" > output.txt
(substitute the user's distinguished name for everything in quotes)


Option Explicit

Dim objGroupList, objUser, strDN

' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Required argument <Distinguished Name> missing. " _
        & "For example:" & vbCrLf _
        & "cscript listusergroups.vbs cn=User2,ou=Sales,dc=MyDomain,dc=com"
    Wscript.Quit(0)
End If

' Bind to the user object with the LDAP provider.
strDN = Wscript.Arguments(0)
On Error Resume Next
Set objUser = GetObject("LDAP://" & strDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User not found" & vbCrLf & strDN
    Wscript.Quit(1)
End If
On Error GoTo 0

' Dictionary of groups already listed, keyed by sAMAccountName.
' CompareMode must be set while the dictionary is still empty; setting it
' again once items have been added raises a runtime error.
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare

' Enumerate group memberships.
Call EnumGroups(objUser)

' Clean up.
Set objGroupList = Nothing
Set objUser = Nothing

Sub EnumGroups(ByVal objADObject)
    ' Recursive subroutine to enumerate user group memberships.
    ' Includes nested group memberships. The dictionary prevents a group
    ' from being listed twice and stops the recursion on circular nesting.
    Dim colstrGroups, objGroup, j
    colstrGroups = objADObject.memberOf
    If (IsEmpty(colstrGroups) = True) Then
        Exit Sub
    End If
    ' A single membership comes back as a string, several as an array;
    ' normalise to an array so one loop handles both cases.
    If (TypeName(colstrGroups) = "String") Then
        colstrGroups = Array(colstrGroups)
    End If
    For j = 0 To UBound(colstrGroups)
        ' Escape any forward slash characters, "/", with the backslash
        ' escape character. All other characters that should be escaped are.
        colstrGroups(j) = Replace(colstrGroups(j), "/", "\/")
        Set objGroup = BindToGroup(colstrGroups(j))
        If (objGroupList.Exists(objGroup.sAMAccountName) = False) Then
            objGroupList.Add objGroup.sAMAccountName, True
            Wscript.Echo objGroup.distinguishedName
            Call EnumGroups(objGroup)
        End If
    Next
    Set objGroup = Nothing
End Sub

Function BindToGroup(ByVal strGroupDN)
    ' Bind to a group and load its properties. If the LDAP user cannot read
    ' the group, report the group's DN and stop instead of aborting with an
    ' unexplained runtime error.
    Dim objGroup
    On Error Resume Next
    Set objGroup = GetObject("LDAP://" & strGroupDN)
    If (Err.Number = 0) Then
        objGroup.GetInfo
    End If
    If (Err.Number <> 0) Then
        Wscript.Echo "Cannot access group (check the LDAP user's permissions):" _
            & vbCrLf & strGroupDN & vbCrLf & "Error: " & Err.Description
        Wscript.Quit(1)
    End If
    On Error GoTo 0
    Set BindToGroup = objGroup
End Function

Resolution

The script lists every group the user belongs to, including nested groups. If the script fails, it reports the group that the LDAP user cannot access. Correcting the Active Directory permissions so that the LDAP user can read that group should resolve the issue.
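The resolution above points at Active Directory permissions on the group. The PowerShell script below is an added example and is not part of this RSA article or of the product: run on a domain-joined Windows host as an account that can read the directory (for example a domain administrator), it walks the failing user's nested group memberships with the same ADSI approach as the VBScript and, for each group, prints the access-control entries that either deny access or name the LDAP service account directly. The user DN and service account name are placeholder assumptions. Effective permissions also depend on entries granted to groups the service account belongs to and on entries inherited from the parent OU, so treat the output as a first pointer and confirm with the Effective Access (Effective Permissions) view in Active Directory Users and Computers.

```powershell
# Added example, not part of the RSA article or the product. Run on a domain-joined
# Windows host as an account that can read the directory (e.g. a domain administrator).
param(
    # Both defaults are placeholder assumptions; replace them with the real values.
    [string]$UserDN = 'CN=User2,OU=Sales,DC=MyDomain,DC=com',
    [string]$ServiceAccount = 'MYDOMAIN\svc_rsa_ldap'
)

Add-Type -AssemblyName System.DirectoryServices

# SID of the identity-source service account, compared against each ACE trustee below.
$serviceSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Groups already visited, compared case-insensitively by DN, so circular nesting terminates.
$seen = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)

function Get-DirectoryEntry {
    param([string]$DistinguishedName)
    # Forward slashes must be escaped in an ADSI path, exactly as the VBScript does.
    $path = 'LDAP://' + ($DistinguishedName -replace '/', '\/')
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    $entry.RefreshCache()   # binding is lazy; this forces it and throws if the object is unreadable
    return $entry
}

function Show-GroupAcl {
    param($Group)
    $rules = $Group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Report every Deny entry, and every entry that names the service account directly.
        $isDeny = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        $namesService = $rule.IdentityReference -eq $serviceSid
        if (-not ($isDeny -or $namesService)) { continue }
        $who = $rule.IdentityReference.Value
        try { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        Write-Output ('    {0,-5} {1,-40} {2} (inherited={3})' -f $rule.AccessControlType, $who, $rule.ActiveDirectoryRights, $rule.IsInherited)
    }
}

function Trace-GroupMembership {
    param($Entry)
    foreach ($groupDn in @($Entry.Properties['memberOf'])) {
        if (-not $seen.Add([string]$groupDn)) { continue }   # already listed: duplicate or circular nesting
        try {
            $group = Get-DirectoryEntry $groupDn
        } catch {
            # Even the running account cannot read this group; the DN is still the pointer you need.
            Write-Output ('CANNOT READ {0}: {1}' -f $groupDn, $_.Exception.Message)
            continue
        }
        Write-Output $group.Properties['distinguishedName'][0]
        Show-GroupAcl $group
        Trace-GroupMembership $group   # recurse into nested groups
    }
}

Trace-GroupMembership (Get-DirectoryEntry $UserDN)
```

A group on the chain with a Deny entry covering the service account, or with no Allow entry reaching it at all (no line printed and nothing inherited from the OU for it), is the one to fix; the usual remedy is to grant the service account Read permission on that group, or on the OU with inheritance, rather than widening rights elsewhere.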
Legacy Article ID: a47028
