000016383 - How to authenticate to an RSA Authentication Agent for Windows as user@domain.com with NTLM to UPN name mapping

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on May 27, 2017.
Version 5

Article Content

Article Number: 000016383
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Windows
RSA Version/Condition: 7.1
Issue
All users in the Authentication Manager database are listed as username@company.com, but the RSA administrator cannot create thousands of aliases just to support agent login.

Is there any way to have company.com\name automatically recognized by Authentication Manager as name@company.com without creating an alias?

  • All users in the Authentication Manager database are listed as username@company.com. The RSA Authentication Agent sends either the user name only or company.com\username, and no one can authenticate.
  • The Authentication Activity Monitor reports "user ID or alias not found".
  • RSA administrators cannot use aliases.
Resolution

On the RSA Authentication Agent

  1. In the RSA Authentication Agent for Windows configuration on the Windows machine, make sure Send Domain Name is checked, so that the agent sends company.com\username rather than the bare user name.

Authentication Manager 7.1

  1. On the RSA Authentication Manager server, in the Security Console, select Setup > Component Configuration > Authentication Manager Basic Settings.
  2. At the bottom of the form, fill in the NTLM box with company.com and the UPN box with company.com. Note: for long domain names such as domain1.domain2.company.com, you may only need to put domain1 in the NTLM box (not domain1.domain2).
  3. Click Save.

Authentication Manager 8.1

  1. On the RSA Authentication Manager server, in the Security Console, select Setup > System Settings. Under Authentication Settings, click Agents.
  2. Scroll to the bottom of the page to the Domain Name Mapping section.
  3. Fill in the NTLM box with company.com and the UPN box with company.com. Note: for long domain names such as domain1.domain2.company.com, you may only need to put domain1 in the NTLM box (not domain1.domain2).
  4. Click Save.

Now test authentication. The user logs in at the agent with the user ID name@company.com and a passcode. The agent sends company.com\name, which does not exist as a user ID in Authentication Manager; the Domain Name Mapping translates it to name@company.com, which does exist, and the authentication succeeds.


If authentications still fail, watch the real-time Authentication Activity Monitor. It shows the translated user ID, so you can see whether something is missing from or added to the name. Adjust the NTLM and UPN values in the Domain Name Mapping settings above and try again until the translated name matches the user IDs in your environment.
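The following is an added simulation of the translation described above, written to show what the mapping does to the user ID the agent sends and why the three failure cases in the Issue section occur. It is not RSA Authentication Manager code; the function names, the DomainMapping class, and the sample mapping rows and user list are constructed for illustration only.

```python
# Simulation of the NTLM-to-UPN Domain Name Mapping described in this article.
# Added illustration, not RSA Authentication Manager code: the function and
# field names are the editor's own, and the mapping table and user list are
# constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainMapping:
    ntlm_domain: str  # value entered in the NTLM box, e.g. "company.com" or "domain1"
    upn_suffix: str   # value entered in the UPN box, e.g. "company.com"


def split_agent_user_id(user_id: str):
    """Split what the agent sends into (ntlm_domain, user).

    With Send Domain Name checked the agent sends DOMAIN\\user; some logs
    render the separator as '/', so both are accepted. With the option
    unchecked only the bare user name arrives and the domain is None.
    """
    for sep in ("\\", "/"):
        if sep in user_id:
            domain, user = user_id.split(sep, 1)
            return domain, user
    return None, user_id


def translate_user_id(user_id: str, mappings) -> str:
    """Apply the Domain Name Mapping to an incoming user ID.

    Returns user@upn_suffix when the NTLM domain matches a mapping row
    (case-insensitively); otherwise returns the user ID untouched, which
    will then fail the user lookup.
    """
    domain, user = split_agent_user_id(user_id)
    if domain is None:
        return user_id
    for m in mappings:
        if domain.lower() == m.ntlm_domain.lower():
            return f"{user}@{m.upn_suffix}"
    return user_id


def authenticate_lookup(user_id: str, mappings, known_user_ids) -> tuple:
    """Return (result, translated_id) the way the activity monitor reports it.

    Only the user ID lookup is simulated; passcode verification is out of scope.
    """
    translated = translate_user_id(user_id, mappings)
    known = {u.lower() for u in known_user_ids}
    if translated.lower() in known:
        return "success", translated
    return "user ID or alias not found", translated


# Constructed sample data: the mapping rows from the procedure above and one
# user stored as a UPN in the Authentication Manager database.
SAMPLE_MAPPINGS = [
    DomainMapping("company.com", "company.com"),
    # long-domain case: the agent sends only the first label, domain1
    DomainMapping("domain1", "company.com"),
]
SAMPLE_USERS = ["jsmith@company.com"]


if __name__ == "__main__":
    # Send Domain Name on, long domain, Send Domain Name off, unmapped domain
    for incoming in ("company.com\\jsmith", "domain1\\jsmith",
                     "jsmith", "other.com\\jsmith"):
        print(incoming, "->", authenticate_lookup(incoming, SAMPLE_MAPPINGS, SAMPLE_USERS))
```

The bare "jsmith" case is what arrives when Send Domain Name is unchecked, and the "other.com\jsmith" case is what arrives when the NTLM box does not match the domain label the agent actually sends; both produce the "user ID or alias not found" result, and in both the second element of the tuple is the untranslated name you would see in the activity monitor.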

Legacy Article ID: a52555
