000025341 - Modified group name in Microsoft Active Directory - now users are unable to authenticate and all users are SecurID challenged

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000025341

Applies To:
  • RSA Authentication Manager 6.0
  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows Domain Authentication
  • Sub-Auth Protection (same as Network Access Protection)
  • Microsoft Windows 2000 Domain Controller
  • Microsoft Active Directory
  • Domain Authentication Host (DAH)
  • Domain Access Client 6.0

Issue: Modified group name in Microsoft Active Directory - now users are unable to authenticate, and all users are SecurID challenged.

Cause: RSA SecurID is operating as designed on a security principle: any authenticating user who cannot be verified as required to SecurID authenticate, or who cannot be verified as exempt from SecurID authentication, will be SecurID challenged.

  1. RSA SecurID for Windows was configured to challenge users in the group {RSA-Challenge}.
  2. This worked originally because:
    a. User jdoe was a member of this group {RSA-Challenge}; when he logged in he was seen as a SecurID-challenged user and was challenged.
    b. When user admin1 attempted to authenticate, the agent found that admin1 was not a member of {RSA-Challenge}.
  3. This failed when the domain challenge group name was changed from {RSA-Challenge} to {RSASecured}:
    a. User jdoe, a member of the newly renamed {RSASecured} group: when he logged in, the challenge group {RSA-Challenge} was not found, so the user was challenged.
    b. When user admin1 attempted to authenticate, the agent could not find {RSA-Challenge}, so it could not verify that the user should not be challenged; in this case the user is challenged. However, as admin1 was not set up to SecurID authenticate, admin1 was not able to authenticate and was denied access.


The SecurID security product always challenges users unless it is able to specifically verify that the user should not be challenged, e.g.:

  1. User will be challenged when:
    1. User is in the challenge group
    2. User is not in the DAH configured exclude group
    3. Cannot be found
  2. User will not be challenged when:
    1. User is found in the exclude group
    2. The challenge group specified in the DAH config is found and user authenticating is not found within
Resolution

What would work:

  1. DAH is currently set to challenge all users in the group {RSA-Challenge}.
  2. Change the group name from {RSA-Challenge} to {RSASecured} in AD.
  3. In the DAH domain auth config, change the challenge group to {RSASecured} on all DCs.
  4. Restart all DCs; only authenticating users found in that group will be challenged.

Or:

  1. DAH is currently set to challenge all users in the group {RSA-Challenge}.
  2. Disable the SecurID challenge in the DAH domain auth config on all Domain Controllers.
  3. Restart; all users are no longer challenged.
  4. Create or rename the new challenge group {RSASecured} and enable the DAH domain auth config to challenge that group on all DCs.
  5. Restart; only authenticating users found in that group will be challenged.

Or:

  1. DAH is currently set to challenge all users in the group {RSA-Challenge}.
  2. Change the DAH domain auth config to challenge all users except those in the group {Administrators}.
  3. Restart DAH.
  4. Change the DAH domain auth config to challenge users in the group {RSASecured}, then restart the DCs.


The above methods ensure continuity of the Domain admins' ability to authenticate during the changeover.

NOTE: If locked out of your domain controller due to the above issue, call RSA Customer Support for assistance.
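To make the fail-closed rule and the three changeover paths concrete, the following is an added model of the DAH challenge decision (example code, not RSA's own; the directory, users and group names are constructed, and the mode constants are assumptions for the model). It replays the scenario above: working config, the rename breaking it because the configured group no longer resolves, the interim exclude-group step that keeps admin1 able to log on, and the repaired config.

```python
"""Model of the DAH challenge decision described in the article (added
example, not RSA's code).  Directory contents and mode names are constructed."""

DISABLED, CHALLENGE_GROUP, EXCLUDE_GROUP = "disabled", "challenge", "exclude"


class Directory:
    """Constructed stand-in for AD: group name -> set of member account names."""

    def __init__(self, groups):
        self.groups = {name: set(members) for name, members in groups.items()}

    def find_group(self, name):
        return self.groups.get(name)  # None models "group not found"

    def rename_group(self, old, new):
        self.groups[new] = self.groups.pop(old)


def must_challenge(directory, user, mode, group=None):
    """Return True if the DAH would SecurID-challenge `user`.

    Fail-closed rule: challenge unless the agent can positively verify the
    user is exempt.  A configured group that no longer resolves (e.g. after a
    rename) means nothing can be verified, so every user is challenged,
    including users who hold no token and therefore cannot log on."""
    if mode == DISABLED:
        return False
    members = directory.find_group(group)
    if members is None:
        return True                      # group not found -> cannot verify
    if mode == CHALLENGE_GROUP:
        return user in members           # found and user not within -> exempt
    if mode == EXCLUDE_GROUP:
        return user not in members       # found in exclude group -> exempt
    raise ValueError(f"unknown mode {mode!r}")


def replay_scenario(users=("jdoe", "admin1")):
    """Replay the article: working, broken by the rename, interim, repaired."""
    ad = Directory({"RSA-Challenge": {"jdoe"}, "Administrators": {"admin1"}})
    before = tuple(must_challenge(ad, u, CHALLENGE_GROUP, "RSA-Challenge") for u in users)
    ad.rename_group("RSA-Challenge", "RSASecured")   # DAH config left unchanged
    broken = tuple(must_challenge(ad, u, CHALLENGE_GROUP, "RSA-Challenge") for u in users)
    # Third resolution path: exclude Administrators so admin1 keeps access,
    # then point the DAH config at the renamed group.
    interim = tuple(must_challenge(ad, u, EXCLUDE_GROUP, "Administrators") for u in users)
    fixed = tuple(must_challenge(ad, u, CHALLENGE_GROUP, "RSASecured") for u in users)
    return before, broken, interim, fixed
```

In the broken state both tuple entries are True, which is the symptom in the title: admin1, who has no token, is challenged and denied.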

Workaround: Modified the RSA SecurID challenged group name in Active Directory (was RSA-Challenge, changed to RSASecured); now users are unable to log on to the domain.

Legacy Article ID: a29298