000016383 - How to authenticate to an RSA Authentication Agent for Windows as user@domain.com with NTLM to UPN name mapping

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support on Oct 24, 2019
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000016383
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  RSA Authentication Agent for Windows
RSA Version/Condition:  7.x, 8.x
IssueAll users are listed as username@company.com, but the RSA administrator cannot make thousands of aliases to support agent login.

Is there any way to have the company.com\name automatically recognized by RSA as name@company.com without making an alias?

  • All users in the RSA Authentication Manager database are listed as username@company.com.  The authentication agent sends either the username only, or company.com/username and no one authenticates.
  • Authentication activity monitor reports userid or alias not found.
  • Administrators cannot use aliases.

On the Windows machine hosting the RSA Authentication Agent the Send Domain Name option is checked.


  1. Login to the Security Console on the primary Authentication Manager server.
  2. Select Setup > System Settings.  
  3. Under Authentication settings click Agents.
  4. Scroll to the bottom of the page for the section on Domain Name Mapping.
  5. Fill out the NTLM box with company.com and UPN box with company.com.  

For long domains such as domain1.domain2.company.com, you may only need to put domain1 in the NTLM box and not domain1.domain2.

  1. Click Save.
  2. Now test authentication with the real time authentication activity monitor open.  The Authentication Manager server will translate the incoming authentications at the agent and the user is able to authenticate with the user ID of name@company.com and passcode.  The Authentication Manager server receives company.com/name which doesn't actually exist and it automatically translates to name@company.com and authenticates.

If authentications do not work and login failures appear, watch the real-time authentication activity log.  It should clearly show the translated names and indicate if there is something missing or added to the name and you can adjust the settings you chose above and try again until it matches your environment.

Legacy Article IDa52555