Authentication Failed for PAM Agent using SSH for Active Directory Users
Originally Published: 2023-04-05
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for PAM
O/S Version: RHEL
Issue
Cause
realm list example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U@example.com login-policy: allow-realm-logins
From /var/log/secure logs, user will be seen as an invalid user as shown for rsatest user
Mar 28 01:16:25 pam sshd[6769]: Invalid user rsatest from ::1 port 52404 Mar 28 01:16:25 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth] Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): check pass; user unknown Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 Mar 28 01:16:28 pam sshd[6769]: Postponed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 [preauth] Mar 28 01:16:52 pam sshd[6769]: error: PAM: Authentication failure for illegal user rsatest from ::1 Mar 28 01:16:52 pam sshd[6769]: Failed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 Mar 28 01:16:52 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Resolution
the login-formats was %U@mydomain.local. modified it to %U, the authentication became successful.
- cd /etc/sssd
- vim sssd.conf
- Change the login format: use_fully_qualified_names = True to False.
- Restart sssd services > systemctl restart sssd.service
Related Articles
When Active Directory is integrated using Winbind, group membership for Active Directory users fails with the RSA Authenti… Number of Views Tips for restoring a Database to a different Server in RSA Identity Governance & Lifecycle Number of Views Unable to authenticate with Authentication Agent for PAM for SSH due to SELinux Number of Views RSA PAM Authentication Agent cannot challenge users in Active Directory groups Number of Views Configure a Timeout Setting for Authentication Requests Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA-2026-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
