000031680 - Security Analytics 10.4.X, 10.5.0.X: unable to log in with a user UPN name that exceeds 20 characters when using external AD auth

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000031680
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.1X, 10.5.0.X
Platform: CentOS
Issue: When using AD external authentication with "userPrincipalName" as the user login attribute, Security Analytics fails to authenticate the user if the UPN username exceeds 20 characters.
To see this issue, create an AD user with a username greater than 20 characters. An example would be the UPN myBigLongUserNameIsVeryLong@mydomain.com: the username is myBigLongUserNameIsVeryLong, the domain suffix of the UPN is mydomain.com, and the @ is the delimiter. Although the username entered is correct, SA cannot resolve the name when it is longer than 20 characters, and the authentication fails. Note that the sAMAccountName is by default restricted to 20 characters by the AD schema, but the username portion of the UPN in AD has no such restriction. Likewise, the internal SA database imposes no such restriction.
Cause: This has been determined to be flawed functionality in versions 10.X through 10.5.0.X.
Resolution: This issue is fixed in 10.5sp1. 10.5sp1 may be downloaded from https://knowledge.rsasecurity.com.
Workaround: If you are unable to upgrade, create an internal user for the failing account(s), or use sAMAccountName instead of UPN as the login attribute.
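As an added example (not RSA's code), the following pre-upgrade audit flags the AD accounts this issue would affect, working from constructed sample records in the shape of an LDAP search result; the record layout, the sample values and the 20-character limit constant are assumptions taken from the article's description.

```python
# Added pre-upgrade audit (constructed example, not RSA code): flag AD
# accounts whose UPN username portion exceeds 20 characters, since those
# users cannot log in to SA 10.4.x/10.5.0.x via userPrincipalName.

UPN_PREFIX_LIMIT = 20  # longest UPN username portion SA 10.x resolves

# Constructed sample records in the shape of an LDAP search result.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@mydomain.com"},
    {"sAMAccountName": "myBigLongUserNameIsV",  # sAMAccountName capped at 20
     "userPrincipalName": "myBigLongUserNameIsVeryLong@mydomain.com"},
    {"sAMAccountName": "exactlytwentycharsxx",
     "userPrincipalName": "exactlytwentycharsxx@mydomain.com"},
    {"sAMAccountName": "svc_backup",
     "userPrincipalName": ""},  # account with no UPN set
]


def upn_username(upn):
    """Return the text before the '@' delimiter, or None if no UPN is set."""
    if not upn or "@" not in upn:
        return None
    return upn.rsplit("@", 1)[0]


def audit_upn_lengths(users, limit=UPN_PREFIX_LIMIT):
    """Return one finding per account that would fail UPN login in SA 10.x.

    login_as_sam is the name the user must type under the sAMAccountName
    workaround; it always differs, as sAMAccountName is capped at 20 chars.
    """
    findings = []
    for user in users:
        name = upn_username(user.get("userPrincipalName", ""))
        if name is None or len(name) <= limit:
            continue  # no UPN, or short enough for SA to resolve
        findings.append({
            "upn_username": name,
            "length": len(name),
            "login_as_sam": user.get("sAMAccountName", ""),
        })
    return findings


if __name__ == "__main__":
    for f in audit_upn_lengths(SAMPLE_USERS):
        print(f"{f['upn_username']} ({f['length']} chars): create an internal "
              f"user or switch to sAMAccountName '{f['login_as_sam']}'")
```

Running this against a real export lets an administrator see, before choosing a workaround, which users would have to log in under a different name once the login attribute is switched to sAMAccountName.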