000013708 - Send both user name and domain name to the server during an RSA Authentication Agent for Windows authentication request

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000013708
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Windows
RSA Version/Condition: 7.1
 
Issue
  • This article explains how to send both user name and domain name to the server during an RSA Authentication Agent for Windows authentication request
  • Agent processing of NTLM name mapping
Resolution
The RSA Authentication Agent for Windows accepts logins in the formats username, username@domain and domain\username. By default, however, it removes the domain name and sends just the username to the Authentication Manager server. The agent has a checkbox labeled "Send the domain name and user name to RSA Authentication Manager instead of just the user name". If this is checked, the agent sends the request in a format similar to domain\username.
The agent also applies some case normalization to the request. With the RSA Authentication Agent 7.2.1 for Windows:
  • domain\username: The agent case-normalizes the domain name to uppercase. It does not try to case-normalize the username. For example, Username@Domain becomes DOMAIN\Username.
  • username@domain: The agent case-normalizes the user name to lowercase. It does not try to case-normalize the domain name. For example, Username@Domain becomes Domain\username.
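The rules above can be modelled to predict which string Authentication Manager will receive for each typed login form. This is an added example, not RSA code: the function names are hypothetical, and the handling of a bare username and of case when the domain is stripped are assumptions the article does not cover.

```python
# Added illustration of the name handling this article describes for the
# RSA Authentication Agent 7.2.1 for Windows. Not RSA code; the function and
# parameter names are hypothetical.

def name_sent_to_server(login: str, send_domain: bool = False) -> str:
    """Return the name the article says the agent sends for a typed login.

    send_domain models the "Send the domain name and user name ..." checkbox.
    """
    login = login.strip()
    if "\\" in login:                           # typed as domain\username
        domain, user = login.split("\\", 1)
        if not domain or not user:
            raise ValueError(f"incomplete domain\\username login: {login!r}")
        if not send_domain:
            return user                         # default: domain removed
                                                # (assumption: case as typed)
        return f"{domain.upper()}\\{user}"      # domain uppercased, user as typed
    if "@" in login:                            # typed as username@domain
        user, _, domain = login.rpartition("@")
        if not domain or not user:
            raise ValueError(f"incomplete username@domain login: {login!r}")
        if not send_domain:
            return user                         # default: domain removed
                                                # (assumption: case as typed)
        return f"{domain}\\{user.lower()}"      # user lowercased, domain as typed
    return login  # assumption: a bare username is sent unchanged


def group_by_sent_name(typed_logins, send_domain=True):
    """Map each distinct name sent to the typed logins that produce it."""
    groups = {}
    for typed in typed_logins:
        sent = name_sent_to_server(typed, send_domain)
        groups.setdefault(sent, []).append(typed)
    return groups


if __name__ == "__main__":
    # Constructed sample logins for one account typed three different ways.
    typed = ["Domain\\Username", "Username@Domain", "Username"]
    for sent, sources in group_by_sent_name(typed).items():
        print(f"{sent!r:22} <- {sources}")
```

With the checkbox enabled, the two qualified forms of the same account produce names that differ in case, so the value to expect on the server side depends on which form the user typed.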
Notes
The RSA Authentication Manager server can be configured to use email addresses to identify users in an identity source, instead of using the default samAccountName. This would require an authentication request to be sent in the form of user@domain, but the agent does not send in that format.
Authentication Manager can be configured to map an NTLM name (DOMAIN\username) to a UPN (user@domain) with NTLM mappings, to allow resolving the username. See the article on how to authenticate to an RSA Authentication Agent for Windows as user@domain.com with NTLM to UPN name mapping for more information on NTLM to UPN name mapping.
 
Legacy Article ID: a63354
