000025348 - How to use CN to authenticate users with Active Directory Datastore

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000025348

Applies To:
RSA ClearTrust 5.0.1 Authorization Server (AServer)
Microsoft Windows 2000 Server SP3
Microsoft Active Directory
Customer does not want to use either sAMAccountName or UserPrincipalName
Customer uses Active Directory for all user administration and does not use NT authentication

Issue: How to use CN to authenticate users with Active Directory Datastore

Cause: The 20-character limit of sAMAccountName and the FQDN requirement of UserPrincipalName (see Workaround below) are Microsoft Active Directory limitations of those two attributes.
Resolution: CN can be used for the user mapping between the ClearTrust server and Active Directory. This is done by changing the following parameter in ldap.conf (by default it is set to sAMAccountName):

        cleartrust.data.ldap.user.attributemap.name: CN

Contact RSA Security Customer Support to request the RSA ClearTrust hot fix, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). This hot fix makes it possible to use UserPrincipalName for the above parameter, which overcomes the 20-character maximum length imposed by sAMAccountName. However, when UserPrincipalName is used, the name presented at authentication must be fully qualified (user@domain).

Using CN as the authentication name works well, with one exception: a user created in Entitlement Manager cannot be managed in Active Directory (the user does not show up in Active Directory at all). Also, NT authentication uses different user attributes (UserPrincipalName or sAMAccountName) rather than CN.

NOTE: If using CN with Active Directory, users should be administered using the Microsoft MMC management tools and not the ClearTrust Admin GUI.
Workaround: The sAMAccountName is limited to 20 characters, and the UserPrincipalName requires the FQDN, i.e. an additional @xxxxx.com (or .net, etc.), to work properly.
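The following is an added illustration, not RSA's code: it models how the cleartrust.data.ldap.user.attributemap.name setting chooses which Active Directory attribute a login name is matched against, and applies the two constraints the Resolution and Workaround describe (the 20-character sAMAccountName limit and the FQDN requirement of UserPrincipalName) before a lookup is attempted. The directory entries, the attribute-name matching and the ldap.conf parsing are assumptions made for the example; only the parameter name and its default come from the article.

```python
"""Added example (not RSA ClearTrust code): resolve a login name against a
constructed Active Directory sample using the attribute selected by
cleartrust.data.ldap.user.attributemap.name, enforcing the per-attribute
constraints described in the article."""
import re

# Constructed sample directory entries; all values are illustrative.
SAMPLE_DIRECTORY = [
    {"cn": "Alexandra Montgomery-Richardson",
     "sAMAccountName": "amontgomeryrichar",  # shortened to fit the 20-char limit
     "userPrincipalName": "alexandra.montgomery-richardson@example.com"},
    {"cn": "Bob Smith",
     "sAMAccountName": "bsmith",
     "userPrincipalName": "bsmith@example.com"},
]

SAM_MAX_LEN = 20  # Active Directory limit on sAMAccountName, per the article
ATTRIBUTE_MAP_KEY = "cleartrust.data.ldap.user.attributemap.name"


def parse_attribute_map(conf_text):
    """Return the attribute named by ATTRIBUTE_MAP_KEY in ldap.conf text.

    Falls back to sAMAccountName when the key is absent, which the article
    gives as the default. A trailing period (as in "CN.") is tolerated.
    The "key: value" line format is an assumption of this example.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == ATTRIBUTE_MAP_KEY:
            return value.strip().rstrip(".")
    return "sAMAccountName"


def check_login_name(attribute, login_name):
    """Return None if login_name is acceptable for the mapped attribute,
    otherwise a short reason describing the violated constraint."""
    attr = attribute.lower()
    if attr == "samaccountname":
        if len(login_name) > SAM_MAX_LEN:
            return f"sAMAccountName is limited to {SAM_MAX_LEN} characters"
    elif attr == "userprincipalname":
        # UPN must be fully qualified: local part, '@', and a dotted domain.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", login_name):
            return "UserPrincipalName must be fully qualified (user@domain.tld)"
    elif attr != "cn":
        return f"unsupported attribute map: {attribute}"
    return None


def find_user(directory, attribute, login_name):
    """Match login_name against the mapped attribute.

    Returns (entry, None) on success or (None, reason) on failure. Attribute
    names and values are compared case-insensitively, as AD does for these.
    """
    reason = check_login_name(attribute, login_name)
    if reason:
        return None, reason
    wanted = attribute.lower()
    for entry in directory:
        value = next((v for k, v in entry.items() if k.lower() == wanted), None)
        if value is not None and value.lower() == login_name.lower():
            return entry, None
    return None, "no matching entry"


if __name__ == "__main__":
    conf = "cleartrust.data.ldap.user.attributemap.name: CN"
    attr = parse_attribute_map(conf)
    print(attr, find_user(SAMPLE_DIRECTORY, attr, "bob smith"))
    print(find_user(SAMPLE_DIRECTORY, "sAMAccountName",
                    "alexandra.montgomery-richardson"))
```

Running the module shows the trade-off the article describes: with the map set to CN the long name resolves, while the same name is rejected up front under the default sAMAccountName mapping because it exceeds 20 characters, and a bare short name is rejected under UserPrincipalName because it lacks the @domain suffix.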
Legacy Article ID: a18114