RSA Authentication Agent 1.0.1 for Active Directory Federation Services (AD FS) sends domain\samAccountName instead of UPN to Authentication Manager
Originally Published: 2017-04-28
Applies To
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 1.0.1
Issue
- On the AD FS front-end web page, the customer enters their UPN, such as jon.smith@company.com, in the User Name field, along with their password.
- AD FS then prompts for a passcode using the samAccountName prefixed with the domain instead; for example, company\jon.smith.
- Since the user ID is in UPN format in Authentication Manager, the Domain\samAccountName format of the same user is not found, so logon fails with a failure to resolve User ID or Alias.
Cause
The SecurIDAuthProvider(MicrosoftIdentityServer...).log for the AD FS agent will show the claim type, in this case windowsaccountname, when it should be UPN.
Resolution
- The ADFSUnregistrationSample PowerShell script should be in C:\Program Files\RSA\RSA Authentication Agent\AD FS Adapter\SampleRegistrationScripts.
- In PowerShell, change directory to the ..\AD FS Adapter\SampleRegistrationScripts directory and run the ADFSUnregistrationSample.ps1 (or your customized) PowerShell script.
- Follow this by running the ADFSRegistrationSample.ps1 (or your customized) PowerShell script.
- If AD FS is running in a farm of AD FS servers, the (un)registration commands are run on any server, but then the AD FS service needs to be restarted ON EACH SERVER afterwards.
Be sure to close IE to clear the browser cache before trying again after this fix.
- The SecurIDAuthProvider(MicrosoftIdentityServer...).log for the AD FS agent should now show the claim type to be UPN.
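The resolution steps above as a single script. This is an added example, not RSA's code and not part of the original article. The -FarmNodes and -AgentLog parameters are hypothetical, adfssrv is the AD FS Windows service name, remote restarts assume PowerShell remoting is enabled, and the log check assumes the claim type appears in the log as the text windowsaccountname or upn.

```powershell
# Added example (not RSA's script). Run from an elevated PowerShell session on one AD FS server.
param(
    # Directory named in the article.
    [string]$ScriptDir = 'C:\Program Files\RSA\RSA Authentication Agent\AD FS Adapter\SampleRegistrationScripts',
    # Assumption: every AD FS server in the farm; defaults to this server only.
    [string[]]$FarmNodes = @($env:COMPUTERNAME),
    # Assumption: full path to the agent's SecurIDAuthProvider log (not given in the article).
    [string]$AgentLog
)
$ErrorActionPreference = 'Stop'

# Return the most recent claim type mentioned in the agent log, or $null if none is found.
function Get-AgentClaimType {
    param([Parameter(Mandatory)][string]$Path)
    $hit = Select-String -LiteralPath $Path -Pattern 'windowsaccountname|\bupn\b' |
        Select-Object -Last 1
    if (-not $hit) { return $null }
    return $hit.Matches[0].Value.ToLowerInvariant()
}

# Verification mode: pass -AgentLog after a fresh test logon to check the log
# without re-registering the adapter.
if ($AgentLog) {
    $claim = Get-AgentClaimType -Path $AgentLog
    if ($claim -eq 'upn') { Write-Host 'Agent log shows claim type UPN.' }
    elseif ($claim) { Write-Warning "Agent log still shows claim type '$claim'." }
    else { Write-Warning 'No claim type found in the log; attempt a logon first.' }
    return
}

# Unregister, then register again (substitute your customized scripts if you have them).
Push-Location -LiteralPath $ScriptDir
try {
    & .\ADFSUnregistrationSample.ps1
    & .\ADFSRegistrationSample.ps1
}
finally { Pop-Location }

# Restart the AD FS service on each server in the farm.
foreach ($node in $FarmNodes) {
    if ($node -ieq $env:COMPUTERNAME) {
        Restart-Service -Name adfssrv
    }
    else {
        Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service -Name adfssrv }
    }
    Write-Host "Restarted adfssrv on $node"
}
```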