Authentication Failed for PAM Agent using SSH for Active Directory Users
Originally Published: 2023-04-05
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for PAM
O/S Version: RHEL
Issue
Cause
realm list example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U@example.com login-policy: allow-realm-logins
From /var/log/secure logs, user will be seen as an invalid user as shown for rsatest user
Mar 28 01:16:25 pam sshd[6769]: Invalid user rsatest from ::1 port 52404 Mar 28 01:16:25 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth] Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): check pass; user unknown Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 Mar 28 01:16:28 pam sshd[6769]: Postponed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 [preauth] Mar 28 01:16:52 pam sshd[6769]: error: PAM: Authentication failure for illegal user rsatest from ::1 Mar 28 01:16:52 pam sshd[6769]: Failed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 Mar 28 01:16:52 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Resolution
the login-formats was %U@mydomain.local. modified it to %U, the authentication became successful.
- cd /etc/sssd
- vim sssd.conf
- Change the login format: use_fully_qualified_names = True to False.
- Restart sssd services > systemctl restart sssd.service
Related Articles
Passcode accepted on ACE/Server activity monitor and login failed on Nortel Extranet Client. Number of Views Duplicate users in RSA Identity Governance & Lifecycle Number of Views Unchallenged Active Directory users fail to authenticate with RSA Authentication Agent for PAM Number of Views RSA PAM Authentication Agent cannot challenge users in Active Directory groups Number of Views SSH authentication failed for a challenged user with RSA Authentication Manager using REST protocol for RSA Authentication… Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA Authentication Manager 8.8 Setup and Configuration Guide
Don't see what you're looking for?
