Authentication Failed for PAM Agent using SSH for Active Directory Users
Originally Published: 2023-04-05
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for PAM
O/S Version: RHEL
Issue
Cause
realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.com
  login-policy: allow-realm-logins
In the /var/log/secure logs, the user is reported as an invalid user, as shown here for the user rsatest:
Mar 28 01:16:25 pam sshd[6769]: Invalid user rsatest from ::1 port 52404
Mar 28 01:16:25 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): check pass; user unknown
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1
Mar 28 01:16:28 pam sshd[6769]: Postponed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:52 pam sshd[6769]: error: PAM: Authentication failure for illegal user rsatest from ::1
Mar 28 01:16:52 pam sshd[6769]: Failed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2
Mar 28 01:16:52 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Resolution
The login-formats value was %U@mydomain.local. After it was changed to %U, authentication succeeded.
- cd /etc/sssd
- vim sssd.conf
- Change the login format: set use_fully_qualified_names from True to False.
- Restart the sssd service: systemctl restart sssd.service
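The edit in the steps above as a script, added here as an example and not RSA's own tooling: it backs up the file, sets use_fully_qualified_names to False, and keeps the file's owner and mode. The function names and the sample sssd.conf are constructed for illustration, and the change applies to every [domain/...] section in the file.

```shell
#!/usr/bin/env bash
# Added example, not RSA tooling. Sets use_fully_qualified_names = False in the
# sssd.conf passed as $1 and prints one of: changed | unchanged | absent.
set_short_names() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Key not set (commented-out lines do not count): leave the file alone.
    if ! grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$conf"; then
        echo absent; return 0
    fi
    # Every occurrence is already False: nothing to do.
    if ! grep -Ei '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$conf" |
         grep -Eivq '=[[:space:]]*false[[:space:]]*$'; then
        echo unchanged; return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1   # backup keeps owner, mode, timestamps
    tmp=$(mktemp) || return 1
    awk 'tolower($0) ~ /^[ \t]*use_fully_qualified_names[ \t]*=/ { sub(/=.*/, "= False") }
         { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (no mv) so the file keeps its owner and 0600 mode.
    cat "$tmp" > "$conf"; rm -f "$tmp"
    echo changed
}

# Constructed sample of a realm-joined sssd.conf (assumption, not from the page).
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
use_fully_qualified_names = True
EOF
    chmod 600 "$1"
}

if [ "$#" -gt 0 ]; then
    # Real use, as root: pass /etc/sssd/sssd.conf, then restart sssd.
    set_short_names "$1"
else
    # No argument: demonstrate on the constructed sample only.
    d=$(mktemp -d); make_sample_conf "$d/sssd.conf"
    set_short_names "$d/sssd.conf"; grep use_fully "$d/sssd.conf"; rm -rf "$d"
fi
```

After a real change, restart sssd as in the last step; getent passwd rsatest should then return the account under its short name, which is the lookup sshd was failing when it logged "Invalid user".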