000033600 - RSA Authentication Agent 7.2.1 for Windows cannot determine challenge group if the user submits a fully qualified domain name (yourdomain.local/login) along with the login name

Document created by RSA Customer Support Employee on Jul 22, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033600
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Windows
O/S Version: Server 2012 R2
 
Issue

RSA Authentication Agent for Windows cannot determine the challenge group if the user submits a fully qualified domain name (yourdomain.local).



1. The "Send domain name" option is not selected in the Agent control center.
2. If the user types domain name/<login name>, the domain name is dropped by the Agent and authentication works as expected. A non-challenge user works as expected.
3. If the user types domain name.com/<login name> at the login prompt, a non-challenge user gets challenged. The RSA Agent is expected to drop domain name.com but does not.



However, if the "send domain name" option is selected the domain name.com is sent intact as expected.
Example: When jsmith logs into the workstation, they enter "2k8r2-vcloud.local\jsmith" as the username and then enter the AD password.


Because the auth agent cannot determine the challenge setting for this user, it defaults to challenging the user. The end result is that the AM environment receives the authentication request from the Auth Agent, and an "authentication failed" event occurs.


Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.163.2.187” in security domain “SystemDomain”.



Here is the log entry on Authentication Activity monitor for it: 
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.168.2.187” in security domain “SystemDomain”.



Here is an excerpt from the SIDAuthenticator(logonUI).log file: 


2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] wsGroupADsLDAPPath = LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local 
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] Return 
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The group ADsPath is LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local 
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter 
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\jsmith
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name.
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] wsUserADsLDAPPath = 
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Return 
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The user ADsPath is 
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Failed to get user path, throw E_FAIL 
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Caught HRESULT: (0x80004005)
Cause

This issue has been documented in defect AAWIN-2295.

Resolution

This issue has been resolved in RSA Authentication Agent 7.2.1 build 122 for Windows and RSA Authentication Agent 7.3.1 build 37 for Windows. Contact RSA Technical Support to obtain the most recent build of RSA Authentication Agent.
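
To check which logons on a workstation hit this failure before a fixed build is installed, the signature in the SIDAuthenticator(logonUI).log excerpt above can be matched per thread. The following is an added example, not RSA code: the line layout is inferred from that excerpt, and the function name, the dot-in-domain test for the FQDN form, and the last sample line are assumptions made for illustration.

```python
import re

# Line layout inferred from the excerpt: timestamp, pid.tid, [level], [Class::method], message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<thread>\d+\.\d+) "
    r"\[(?P<level>\w)\] \[(?P<func>[\w:]+)\] (?P<msg>.*)$")
NT4_FAIL = re.compile(r"Failed to set NT4 Name = (?P<domain>[^\\]+)\\(?P<user>\S+)")

def find_failed_lookups(lines):
    """Return one dict per failed challenge-group lookup.

    A lookup counts as failed when an [E] getUserADsLDAPPath "Failed to set
    NT4 Name" line is followed, on the same pid.tid, by an [E]
    CheckDirectMember "Failed to get user path" line.
    """
    pending = {}    # pid.tid -> name failure waiting for the CheckDirectMember error
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["level"] != "E":
            continue
        func = m["func"].rsplit("::", 1)[-1]
        name = NT4_FAIL.search(m["msg"])
        if func == "getUserADsLDAPPath" and name:
            pending[m["thread"]] = {
                "time": m["ts"], "thread": m["thread"],
                "domain": name["domain"], "user": name["user"],
                # Assumption: a dot in the domain part marks the FQDN form
                "fqdn_form": "." in name["domain"],
            }
        elif func == "CheckDirectMember" and "Failed to get user path" in m["msg"]:
            if m["thread"] in pending:
                findings.append(pending.pop(m["thread"]))
    return findings

# First three lines are from the excerpt above; the last line is constructed
# (a name failure on another thread with no CheckDirectMember error after it).
SAMPLE = r"""
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\jsmith
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Failed to get user path, throw E_FAIL
2016-05-24 15:13:40.101 1188.3012 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = EXAMPLE\auser
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_failed_lookups(SAMPLE):
        print(finding)
```

Entries with fqdn_form set to True correspond to the input form this article describes; the agent only writes these lines when verbose tracing is enabled.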
