Article Content
Article Number | 000031680 |
Applies To | RSA Product Set: Security Analytics; RSA Product/Service Type: SA Security Analytics Server; RSA Version/Condition: 10.4.1X, 10.5.0.X; Platform: CentOS |
Issue | When using AD external authentication with "userPrincipalName" as the user login attribute, Security Analytics fails to authenticate the user if the UPN username exceeds 20 characters. To see this issue, create an AD user with a username greater than 20 characters, for example the UPN myBigLongUserNameIsVeryLong@mydomain.com. Here the username is myBigLongUserNameIsVeryLong, the domain suffix for the UPN is mydomain.com, and the @ is a delimiter. Although the username entered is correct, SA cannot resolve the name when it is above 20 characters, and the authentication fails. Note that samAccountName is restricted by default to 20 characters by the AD schema, but the username portion of the UPN in AD has no such restriction. The internal database for SA also imposes no restriction. |
Cause | This has been determined to be flawed functionality in versions 10.X through 10.5.0.X. |
Resolution | This issue is fixed in 10.5sp1. 10.5sp1 may be downloaded from https://knowledge.rsasecurity.com. |
Workaround | If you are unable to upgrade, create an internal user for the failing account(s), or use samAccountName instead of UPN as the login attribute. |
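
An added example, not part of the original RSA article: a Python check that reads an LDIF export of AD users (for instance, ldapsearch output) and lists the accounts whose UPN username exceeds 20 characters, along with the samAccountName available for the workaround. The sample entries, function names and the `LIMIT` constant are constructed for illustration.

```python
import base64

LIMIT = 20  # per the article, UPN usernames longer than this fail to authenticate
# Constructed sample in LDIF form; these are not real accounts.
SAMPLE_LDIF = """\
dn: CN=Big Long,OU=Users,DC=mydomain,DC=com
sAMAccountName: mybiglongusernameisv
userPrincipalName: myBigLongUserNameIsVeryLong@mydomain.com

dn: CN=Short User,OU=Users,DC=mydomain,DC=com
sAMAccountName: jsmith
userPrincipalName: jsmith@mydomain.com

dn: CN=Folded Entry,OU=Users,DC=mydomain,DC=com
sAMAccountName: svc-report-export-01
userPrincipalName: svc-report-export-account-
 01@mydomain.com

dn: CN=Encoded,OU=Users,DC=mydomain,DC=com
sAMAccountName: exactly20chars
""" + "userPrincipalName:: " + base64.b64encode(b"exactlytwentychars01@mydomain.com").decode() + "\n"

def parse_ldif(text):
    """Yield one dict of lower-cased attribute -> value per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.strip().lower()] = value.strip()
        if entry:
            yield entry

def affected_accounts(ldif_text, limit=LIMIT):
    """Return (upn, username_length, samAccountName) for UPN usernames over the limit."""
    hits = []
    for entry in parse_ldif(ldif_text):
        upn = entry.get("userprincipalname", "")
        username, sep, _suffix = upn.rpartition("@")  # '@' delimits username and suffix
        if sep and len(username) > limit:
            hits.append((upn, len(username), entry.get("samaccountname", "")))
    return hits

if __name__ == "__main__":
    print(*affected_accounts(SAMPLE_LDIF), sep="\n")
```

The account whose UPN username is exactly 20 characters is not reported, matching the article's "exceeds 20 characters" condition.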