000031280 - Challenging users based on Active Directory group membership is not working consistently with RSA Authentication Agent 7.2 for Windows

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000031280
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2
  • Users that are nested members of the challenge group do not get challenged in the same way.
  • With verbose tracing enabled on the RSA Authentication Agent, the log file C:\ProgramData\RSA\LogFiles\SIDAuthenticator(LogonUI).log contains the following error:
2015-09-10 18:07:39.333 5524.3312 [V] [ADSIHelper::recursiveIsUserInGroup] The user was not found in the group,
but unresolved SIDs were found.  It is not possible to determine if user is in group or notReturn
2015-09-10 18:07:39.333 5524.3312 [V] [ADSIHelper::recursiveIsUserInGroup] Recursive call returned false,
indicating an error during processing, so breaking out of loop
2015-09-10 18:07:39.333 5524.3312 [E] [ADSIHelper::recursiveIsUserInGroup] Caught a bool.
Cause: This bug was reported in AAWIN-1977 and fixed in the newer version of the RSA Authentication Agent for Windows 7.2.1.

To enable verbose logging on the agent, follow the steps below:

  1. Log in to the machine on which the RSA Authentication Agent 7.2 is installed.
  2. Launch the RSA Control Center (Start > Programs > RSA Security > RSA Authentication Manager Control Center).
  3. Enable tracing under Advanced Tools > Tracing.
  4. Attempt the logon.
  5. From Windows Explorer, navigate to C:\ProgramData\RSA\LogFiles and copy the SIDAuthenticator(LogonUI).log file.
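
Once the trace has been collected, it can be checked for the error signature quoted in this article with a short script. This is an added example, not RSA code; the function name Find-UnresolvedSidGroupCheck and the entry-header pattern are assumptions inferred from the log excerpt above.

```powershell
# Added example, not RSA code. Function name and header pattern are assumptions
# inferred from the log excerpt in this article.
function Find-UnresolvedSidGroupCheck {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Line)

    # Entry header: "date time pid.tid [level] [source] message"
    $header = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?<ids>\d+\.\d+) ' +
              '\[(?<lvl>[A-Z])\] \[(?<src>[^\]]+)\] ?(?<msg>.*)$'
    $entries = New-Object 'System.Collections.Generic.List[object]'
    foreach ($l in $Line) {
        if ($l -match $header) {
            $entries.Add([pscustomobject]@{
                Time = $Matches.ts; Thread = $Matches.ids; Level = $Matches.lvl
                Source = $Matches.src; Message = $Matches.msg
            })
        } elseif ($entries.Count -gt 0 -and $l.Trim()) {
            # No header: continuation of a message wrapped onto the next line.
            $entries[$entries.Count - 1].Message += ' ' + $l.Trim()
        }
    }
    # Keep entries from the group-membership helper that are errors or that
    # report unresolved SIDs (membership could not be determined).
    $entries | Where-Object {
        $_.Source -eq 'ADSIHelper::recursiveIsUserInGroup' -and
        ($_.Level -eq 'E' -or $_.Message -match 'unresolved SIDs')
    }
}

# Sample input: the excerpt quoted in this article, wrapped as shown there.
$sample = @'
2015-09-10 18:07:39.333 5524.3312 [V] [ADSIHelper::recursiveIsUserInGroup] The user was not found in the group,
but unresolved SIDs were found.  It is not possible to determine if user is in group or notReturn
2015-09-10 18:07:39.333 5524.3312 [V] [ADSIHelper::recursiveIsUserInGroup] Recursive call returned false,
indicating an error during processing, so breaking out of loop
2015-09-10 18:07:39.333 5524.3312 [E] [ADSIHelper::recursiveIsUserInGroup] Caught a bool.
'@ -split '\r?\n'

Find-UnresolvedSidGroupCheck -Line $sample | Format-List Time, Level, Message

# Against a collected trace (path from this article):
# Find-UnresolvedSidGroupCheck -Line (Get-Content -LiteralPath 'C:\ProgramData\RSA\LogFiles\SIDAuthenticator(LogonUI).log')
```

On the sample it reports two of the three entries: the verbose entry that mentions unresolved SIDs and the [E] entry.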

To resolve the issue, uninstall the existing RSA Authentication Agent for Windows 7.2 from the machine. Download and install the latest version of the RSA Authentication Agent for Windows.