000012134 - How to map login name to UPN name in RSA Authentication Manager 8.0

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000012134
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: User will be using domain_name\username when authenticating to a Windows machine. However, the username in RSA Authentication Manager is defined as username@domain name.
As an example, a customer has multiple identity sources with different domains and wants to use NTLM-UPN mapping with Authentication Manager 8.0. The RSA Authentication Agent for Windows is configured to send the user ID as domain\username and the real-time monitor shows itservices\jsmith, so the agent is working as expected. The user types itservices.local\jsmith on the authentication agent on Windows; Authentication Manager is then expected to convert it to jsmith@itservices.com, as per the mapping.
  1. Launch the Operations Console on the primary server.
  2. Navigate to Deployment Configuration > Identity Source.
  3. Click on the identity source and choose Edit.
  4. Click on the Map tab.
  5. Under Directory Configuration - User Tracking Attributes, next to UserID and Maps to, set the value to userPrincipalName.
  6. Launch the Security Console and login as a super admin.
  7. Navigate to Setup > System Settings.
  8. Under Authentication Settings, click on Agents.
  9. Scroll to Domain Name Mapping.
  10. For each identity source, enter the following data:
    1. In the NTLM Name text box, enter the proper NTLM name.
    2. In the UPN Name box, enter the UPN name.
    3. Press Add.
    4. When done, click Update.
For example:

    NTLM Name     UPN Name
    domain1       domain1.com
    domain2       domain2.com
    internaldb    internaldb.com

  1. On the RSA Authentication Agent, launch the RSA Control Center.
  2. Select Advanced Settings > Challenge Settings.
  3. Select the option to challenge users in a group.
  4. Check the box Send domain name/username.
  5. From the Authentication Manager primary, launch the real-time authentication activity monitor (Reporting > Reports > Real Time Monitor > Real Time Authentication Activity and press Start Monitor).
  6. Log on to the Windows machine with the agent installed using the user name and passcode, and watch the authentication monitor to see the results. You should see a passcode accepted message for the user.
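The following is an added example, not code from the article or from RSA: it models the NTLM-to-UPN conversion that the Domain Name Mapping table describes, so an administrator can check a planned mapping table against the domain\username values seen in the real-time monitor before testing against a live agent. The mapping entries are the article's sample values; the login names, the case-insensitive comparison of domain names, and the `None` result for an unmapped or malformed name are assumptions made for illustration, not a description of Authentication Manager's internal implementation.

```python
from typing import Dict, List, Optional, Tuple

# Constructed mapping table in the shape of the Security Console entries
# (NTLM Name -> UPN Name), using the sample values from the article.
DOMAIN_MAPPING: Dict[str, str] = {
    "domain1": "domain1.com",
    "domain2": "domain2.com",
    "internaldb": "internaldb.com",
}


def ntlm_to_upn(login_name: str, mapping: Dict[str, str] = DOMAIN_MAPPING) -> Optional[str]:
    """Convert 'DOMAIN\\user' to 'user@upn-domain' via the mapping table.

    Returns None when the name is not in NTLM form or the NTLM domain has no
    mapping entry; such a user ID would not match a user whose UserID maps to
    userPrincipalName. Domain comparison is assumed case-insensitive, since
    Windows treats domain names that way (assumption, see lead-in).
    """
    domain, sep, user = login_name.strip().partition("\\")
    if not sep or not domain or not user:
        return None
    lookup = {ntlm.lower(): upn for ntlm, upn in mapping.items()}
    upn_domain = lookup.get(domain.lower())
    if upn_domain is None:
        return None
    return f"{user}@{upn_domain}"


def unmapped_domains(login_names: List[str], mapping: Dict[str, str] = DOMAIN_MAPPING) -> List[str]:
    """Return the NTLM domains (lower-cased, de-duplicated, sorted) that appear
    in the given login names but have no row in the mapping table. Useful for
    reviewing the monitor output before filling in Domain Name Mapping."""
    known = {ntlm.lower() for ntlm in mapping}
    missing = set()
    for name in login_names:
        domain, sep, user = name.strip().partition("\\")
        if sep and domain and user and domain.lower() not in known:
            missing.add(domain.lower())
    return sorted(missing)


def check_logins(login_names: List[str], mapping: Dict[str, str] = DOMAIN_MAPPING) -> List[Tuple[str, Optional[str]]]:
    """Pair each login name with its converted UPN (or None if it cannot be converted)."""
    return [(name, ntlm_to_upn(name, mapping)) for name in login_names]


if __name__ == "__main__":
    # Constructed sample of user IDs as an agent might send them.
    sample = ["domain1\\jsmith", "DOMAIN2\\jsmith", "itservices\\jsmith", "jsmith"]
    for name, upn in check_logins(sample):
        print(f"{name!r:24} -> {upn!r}")
    print("domains with no mapping row:", unmapped_domains(sample))
```

Running the script shows that the first two names convert, while itservices\jsmith and the bare jsmith do not; the unmapped-domain report points at the row that still needs to be added under Domain Name Mapping.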
Legacy Article ID: a63900