000023407 - Error message "Can not convert logon name: lab\\tstuser1 to UPN error: 0" during IWA authentication in RSA Access Manager

Document created by RSA Customer Support Employee on Sep 30, 2017

Article Content

Article Number: 000023407
Applies To: RSA Product Set: Access Manager
RSA Product/Service Type: Web Agent IIS 4.7
Platform: Microsoft Internet Information Services (IIS) 6.0, 5.0
Issue: Error during IWA authentication:

<Error>:Can not convert logon name: lab\\tstuser1 to UPN, error: 0
<Error>:Can not convert logon name: lab\\tstuser1 to UPN, error: 0
<Debug>:Constructed upn: (null)
<Warning>:Failed to obtain upn
Cause: The problem may be insufficient privileges in Active Directory to retrieve the UPN of the user.
Resolution: Verify that there is a two-way trust between the domain the user is in and the domain the web server is in. For this step the user domain must trust the web server domain.
An alternative solution would be to perform the IWA authentication on an IIS web server that is in the same domain as the user. This is done by specifying a full URL (hostname included) for the IWA authentication form in the webagent.conf. The server that performs IWA authentication must also have the Access Manager agent installed.
If you have verified the two-way trust and still have the problem, the account that the application pool in IIS 6 runs as may not have sufficient privileges to look up the UPN of the user in the other domain. Try running the application pool as a privileged user, such as an administrator account, to see if this is the case. Then either modify the original account or create a new account to run the application pool as.
IIS 5 requires that the inetinfo process run as LocalSystem. If this account is unable to perform the UPN check, then it is a limitation of the web server version. To get past this issue, point the URL for IWA authentication to an IIS 6 web server.
Notes: Access Manager/ClearTrust needs to determine the user identity after the IWA authentication has been performed in IIS. To ensure uniqueness, the user ID is converted to UPN format by obtaining the UPN from the Active Directory domain where the user exists, and then looking up the user in the Access Manager datastore by the UPN.
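The following PowerShell diagnostic is an added example, not part of this article or of the Web Agent; it reproduces the two checks above (trust direction, then the DOMAIN\user to UPN lookup) from the web server, and should be run under the application pool's account. The logon name lab\tstuser1 is a constructed sample taken from the log excerpt.

```powershell
# Added diagnostic, not part of the RSA article or the Web Agent. Run it on the IIS server
# under the application pool's account (e.g. via runas) to see whether that account can
# resolve DOMAIN\user to a UPN, which is what the agent needs after IWA succeeds.
param([string]$LogonName = 'lab\tstuser1')   # constructed sample; use the name from your log

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$userDomain, $samName = $LogonName.Split('\', 2)
$webDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
"Running as $env:USERDOMAIN\$env:USERNAME on web server domain $($webDomain.Name)"

# Step 1: is there a trust from the web server's domain to the user's domain, and is it two-way?
$trusts = $webDomain.GetAllTrustRelationships()
$trust = $trusts | Where-Object { $_.TargetName -eq $userDomain -or $_.TargetName -like "$userDomain.*" }
if (-not $trust) {
    "No trust with '$userDomain' is visible from $($webDomain.Name). Trusts present:"
    $trusts | ForEach-Object { "  $($_.TargetName) ($($_.TrustDirection))" }
} elseif ($trust.TrustDirection -ne 'Bidirectional') {
    "Trust with $($trust.TargetName) is $($trust.TrustDirection); the article requires two-way."
} else {
    "Two-way trust with $($trust.TargetName) found."
}

# Step 2: look the user up in its own domain and read userPrincipalName, as this account.
try {
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $userDomain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
        $ctx, 'SamAccountName', $samName)
    if (-not $user) {
        "User '$samName' not found in '$userDomain' (or not readable by this account)."
    } elseif (-not $user.UserPrincipalName) {
        "User found but userPrincipalName is empty or not readable; the agent would log 'Constructed upn: (null)'."
    } else {
        "UPN for ${LogonName}: $($user.UserPrincipalName)"
    }
} catch {
    "Lookup in '$userDomain' failed as $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
}
```

If the script succeeds when run as an administrator but fails under the application pool identity, the cause is the pool account's rights, as the resolution section describes, rather than the trust itself.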
Legacy Article ID: a35671