How to verify that RSA Authentication Agent for Windows can perform challenge user lookups across different Active Directory (AD) Domains or Forests
Originally Published: 2020-11-12
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x, 7.4, 7.3.x
Platform: Windows
Platform (Other): Challenge group for users across 2 Domains
O/S Version: 10
Issue
When the agent challenges users based on group membership (as opposed to challenging everyone), the user lookup relies on a Get-ADPrincipalGroupMembership query, which might:
- Simply look in all sub-domains under a single AD Domain, or
- Need to look up a user from one AD forest in another, different AD forest, in which case a trust relationship between the forests is required, or the lookup will fail.
This Knowledge Base (KB) article demonstrates how to use the Windows PowerShell cmdlet Get-ADUser -Identity to verify that the Windows agent host can find an AD user, which is required to successfully challenge that user.
Symptoms that the AD challenge user lookup failed
Windows Agent log file
===SIDAuthenticator(LogonUI).log===
ADsOpenObject failed.
[sidChallenge::checkCachedSettings] Cannot open challenge cache data key for user <UserID>
[ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = <Domain_NT4_name>\<UserID>
===SIDCredentialProvider(LogonUI).log===
[sidChallenge::checkCachedSettings] Caught error: 0x2
[sidChallenge::checkCachedSettings] userLocation = LOCATION_UNKNOWN
Tasks
- Procure a Windows platform that has PowerShell.
- Ensure PowerShell includes the Active Directory Module.
- Test individual UserID lookups by SamAccountName or another identifying attribute, for example:
Get-ADUser -Identity <UserID>
Details
- Procure a Windows platform that has PowerShell.
- Ensure PowerShell includes the Active Directory Module.
If the AD Module is not installed in PowerShell, you will get a CommandNotFoundException:
Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
- Test individual UserID lookups by SamAccountName or another identifying attribute, for example:
Get-ADUser -Identity <UserID>
Resolution
Get-ADUser -Identity <UserID>
Where <UserID> is a logon name or SamAccountName.
A successful lookup returns information about the UserID.
Note that you can optionally query a specific Domain Controller with the -Server parameter.
An unsuccessful lookup returns User Not found (ObjectNotFound).
If you cannot find a specific UserID or SamAccountName with Get-ADUser -Identity from the Windows Agent host, check the Authentication Manager Security Console to see if this UserID exists in AM. Search across all Identity Sources if necessary.
If you have demonstrated that a UserID is visible in AM but have been unable to find the same UserID with Get-ADUser -Identity, you might need to try various PowerShell Get-AD* commands to find an exact match on SamAccountName, to query a specific Domain Controller, or to list all users in a specific organizational unit (OU) of a Domain:
Get-ADUser -Filter "SamAccountName -eq '<UserID>'"
Get-ADUser -server "<DomainControllerName>" -Identity <UserID>
Get-ADUser -Filter * -SearchBase 'OU=vcloud Users,DC=2k12-vcloud,DC=local'
- This last command returns every user in that OU, which could be thousands of objects.
You can check a found user's group memberships with the following commands:
Get-ADPrincipalGroupMembership <SamAccountName>
Get-ADPrincipalGroupMembership <UserID> | select name
If you have multiple Domains and Forests, you might need to run Get-ADUser -Identity for several different users from different Domains, Forests, or Authentication Manager Identity Sources.
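The following script is an added example, not part of this KB article or of the RSA agent, that ties the Tasks/Details steps and the Resolution commands together: it checks that the Active Directory module is present, resolves each UserID the way the agent does (Get-ADUser -Identity, with an exact SamAccountName filter as a fallback), enumerates the user's groups with Get-ADPrincipalGroupMembership, and lists the trusts visible from this host. All function names, and the UserIDs and server name in the usage lines, are hypothetical placeholders.

```powershell
# Added example (not from the RSA KB article): verify from the Windows agent host that
# challenge-group users can be resolved and their group memberships enumerated.
# Function names are hypothetical; the UserIDs and DC name in the usage lines are placeholders.

function Test-AdModuleAvailable {
    # Step 2 of the procedure: without the AD module every Get-AD* call fails with CommandNotFoundException.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning "ActiveDirectory PowerShell module is not installed (RSAT-AD-PowerShell feature)."
        return $false
    }
    Import-Module ActiveDirectory -ErrorAction Stop
    return $true
}

function Find-ChallengeUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,   # logon name / SamAccountName
        [string] $Server                            # optional Domain Controller or domain FQDN
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common['Server'] = $Server }

    # First attempt mirrors the article's Get-ADUser -Identity check.
    try {
        return Get-ADUser -Identity $UserId @common
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Verbose "Get-ADUser -Identity '$UserId' returned ObjectNotFound; trying an exact SamAccountName filter."
    }
    # Fallback: exact-match filter. The script-block form lets the AD module bind $UserId itself,
    # so no quoting of the value is needed.
    return Get-ADUser -Filter { SamAccountName -eq $UserId } @common
}

function Get-ChallengeUserGroups {
    param(
        [Parameter(Mandatory)] $User,   # ADUser object returned by Find-ChallengeUser
        [string] $Server
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common['Server'] = $Server }
    # This is the same lookup the agent performs for group-based challenge; a failure here
    # (for example into a forest with no trust) is the condition the article describes.
    Get-ADPrincipalGroupMembership -Identity $User.DistinguishedName @common |
        Select-Object Name, GroupScope, DistinguishedName
}

function Invoke-ChallengeLookupCheck {
    param(
        [Parameter(Mandatory)] [string[]] $UserIds,
        [string] $Server
    )
    if (-not (Test-AdModuleAvailable)) { return }
    foreach ($id in $UserIds) {
        $user = Find-ChallengeUser -UserId $id -Server $Server
        if (-not $user) {
            # Equivalent to the agent's LOCATION_UNKNOWN outcome: the account cannot be resolved from here.
            Write-Warning "$id : NOT FOUND from this host. Check AM Identity Sources and the Domain/Forest trusts."
            continue
        }
        Write-Host ("{0} : found as {1} ({2})" -f $id, $user.SamAccountName, $user.DistinguishedName)
        try {
            Get-ChallengeUserGroups -User $user -Server $Server | Format-Table -AutoSize
        } catch {
            Write-Warning "$id : user resolved but group enumeration failed: $($_.Exception.Message)"
        }
    }
}

function Show-ForestTrusts {
    # A lookup into a different forest only succeeds when a trust exists; list what this domain knows about.
    Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest
}

# Usage (placeholder values; substitute real SamAccountNames and a real DC or domain name):
# Invoke-ChallengeLookupCheck -UserIds 'user1', 'user2'
# Invoke-ChallengeLookupCheck -UserIds 'user1' -Server 'dc01.example.local'
# Show-ForestTrusts
```

Run it for one user from each Domain, Forest, or Identity Source that the agent is expected to challenge. When -Server points at a specific Domain Controller, only that DC's domain is searched; to resolve users from any domain in the same forest in one call, append the global catalog port, for example -Server 'dc01.example.local:3268'. A user that resolves with Get-ADUser but whose group enumeration fails is the pattern to expect when the group lookup has to cross into a forest without a trust.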