000021315 - RSA SecurID Passage 3.5.1 unable to update roaming profile for Active Directory Domain User

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021315
Applies To: RSA SecurID Passage 3.5.1
Microsoft Windows XP
Microsoft Windows 2000
Issue: RSA SecurID Passage 3.5.1 unable to update roaming profile for Active Directory Domain User
Using Passage Logon, a User can successfully log in to the Windows 2000 domain. However, after logging off, the Roaming Profile for the user has not been updated. Also, if this is a new User, the roaming profile directory on the shared resource (as configured for the User through Active Directory) has not been created.
Cause: This is a configuration issue with the Active Directory Server. We use the function call NetUserGetInfo to retrieve the user profile information. When tracing is enabled, this function returns the error "ERROR_ACCESS_DENIED". This implies that either the ACLs in the Active Directory Server have been changed from their default setting, anonymous access has been limited or stopped in some way, or Users are created without the rights or group associations required for this function call.
Resolution: Please visit this Microsoft Web page, which gives additional information about this particular issue. There are a number of resolutions that can be deployed depending on your Active Directory security policies. However, to verify that the issue is not related to RSA SecurID Passage, use the following registry entry on the Active Directory Domain Controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=1
Legacy Article ID: a22320
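
The lookup described under Cause can be reproduced outside Passage to see whether the domain controller itself refuses it. The script below is an added example, not RSA's code: it calls NetUserGetInfo at level 3 (an assumption; the article does not state which level Passage uses) under the current logon and reports the returned status. Run it as `python check_profile.py \\dc01.example.test jdoe`, where the script, server and user names are constructed.

```python
import ctypes
import sys
from ctypes import wintypes

LP, DW = wintypes.LPWSTR, wintypes.DWORD
class USER_INFO_3(ctypes.Structure):
    """USER_INFO_3 from lmaccess.h; usri3_profile is the roaming profile path."""
    _fields_ = [("usri3_" + n, t) for n, t in [
        ("name", LP), ("password", LP), ("password_age", DW), ("priv", DW),
        ("home_dir", LP), ("comment", LP), ("flags", DW), ("script_path", LP),
        ("auth_flags", DW), ("full_name", LP), ("usr_comment", LP), ("parms", LP),
        ("workstations", LP), ("last_logon", DW), ("last_logoff", DW), ("acct_expires", DW),
        ("max_storage", DW), ("units_per_week", DW), ("logon_hours", ctypes.c_void_p),
        ("bad_pw_count", DW), ("num_logons", DW), ("logon_server", LP), ("country_code", DW),
        ("code_page", DW), ("user_id", DW), ("primary_group_id", DW), ("profile", LP),
        ("home_dir_drive", LP), ("password_expired", DW)]]

# NET_API_STATUS values (winerror.h / lmerr.h) relevant to this article.
STATUS = {0: "NERR_Success", 5: "ERROR_ACCESS_DENIED",
          2221: "NERR_UserNotFound", 2351: "NERR_InvalidComputer"}

def query_profile(server, user):
    """Call NetUserGetInfo (level 3) as the current token; return (status, profile)."""
    if sys.platform != "win32":
        raise OSError("NetUserGetInfo requires Windows (netapi32.dll)")
    netapi = ctypes.WinDLL("netapi32")
    netapi.NetUserGetInfo.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, DW,
                                      ctypes.POINTER(ctypes.POINTER(USER_INFO_3))]
    netapi.NetUserGetInfo.restype = DW
    netapi.NetApiBufferFree.argtypes = [ctypes.c_void_p]
    buf = ctypes.POINTER(USER_INFO_3)()
    status = netapi.NetUserGetInfo(server, user, 3, ctypes.byref(buf))
    try:
        # Copy the string out before the API buffer is released.
        return status, (buf.contents.usri3_profile if status == 0 else None)
    finally:
        if buf:
            netapi.NetApiBufferFree(buf)

def diagnose(status, profile=None):
    """Turn the NET_API_STATUS into the conclusion this article cares about."""
    name = STATUS.get(status, "status %d" % status)
    if status == 0:
        return "%s: profile path %r is readable for this caller" % (name, profile)
    if status == 5:
        return "%s: the DC refused the lookup outside Passage; review ACLs and anonymous access" % name
    return "%s: lookup failed for another reason; check the server and user names" % name

if __name__ == "__main__" and len(sys.argv) == 3:
    print(diagnose(*query_profile(sys.argv[1], sys.argv[2])))
```
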
