RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Windows
O/S Version: Server 2012 R2
RSA Authentication Agent for Windows cannot determine the challenge group if the user submits a fully qualified domain name (your domain.local).
1. The "Send domain name" option is not selected in the Agent Control Center.
2. The user types domain name/<login name>; the Agent drops the domain name and authentication works as expected. A non-challenge user works as expected.
3. If the user types domain name.com/<login name> at the login prompt, a non-challenge user gets challenged. The RSA Agent does not drop the domain name.com as expected.
However, if the "send domain name" option is selected, the domain name.com is sent intact as expected.
Example: When jsmith logs into the workstation, they enter "2k8r2-vcloud.local\jsmith" as the username and then enter the AD password.
Because the auth agent cannot determine the challenge setting for this user, it defaults to challenging the user. The end result is that the AM environment receives the authentication request from the Auth Agent, and an "authentication failed" event occurs.
Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.168.2.187” in security domain “SystemDomain”.
Here is an excerpt from the SIDAuthenticator(logonUI).log file:
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] wsGroupADsLDAPPath = LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] Return
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The group ADsPath is LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\jsmith
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name.
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] wsUserADsLDAPPath =
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Return
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The user ADsPath is
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Failed to get user path, throw E_FAIL
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Caught HRESULT: (0x80004005)
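A triage sketch for the excerpt above, added here as an example and not RSA's code: it parses SIDAuthenticator log text, finds each failed NT4 name translation, and reports whether the challenge-group membership check on the same thread then gave up. The function names and the dot-in-domain heuristic are assumptions; the sample input is copied from the excerpt.

```python
import re

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
# One entry: timestamp, pid.tid, [level], [Class::method], message up to the next entry.
ENTRY = re.compile(
    rf"(?P<ts>{TS}) (?P<pidtid>\d+\.\d+) \[(?P<level>[A-Z])\] \[(?P<func>[\w:]+)\] "
    rf"(?P<msg>.*?)(?=\s*(?:{TS} \d+\.\d+ \[|\Z))", re.S)
NT4_FAIL = re.compile(r"Failed to set NT4 Name = (?P<domain>[^\\]+)\\(?P<user>\S+)")

def parse_entries(text):
    """Split raw log text (one entry per line, or run together) into dicts."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def find_challenge_lookup_failures(text):
    """Return one finding per failed NT4 name translation in the log text."""
    entries = parse_entries(text)
    findings = []
    for i, e in enumerate(entries):
        m = NT4_FAIL.search(e["msg"]) if e["level"] == "E" else None
        if not m:
            continue
        # Did the group-membership check on the same thread then give up?
        aborted = any(
            later["pidtid"] == e["pidtid"]
            and later["func"] == "ADSIHelper::CheckDirectMember"
            and "Failed to get user path" in later["msg"]
            for later in entries[i + 1:])
        findings.append({
            "time": e["ts"], "user": m["user"], "domain": m["domain"],
            # Assumed heuristic: a dot means a DNS-style domain was typed (this article's case).
            "dns_style_domain": "." in m["domain"],
            "membership_check_aborted": aborted,
        })
    return findings

# Sample input: entries copied from the SIDAuthenticator(logonUI).log excerpt above.
SAMPLE = (
    "2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter "
    "2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] "
    "Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\\jsmith "
    "2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] "
    "The user ADsPath is "
    "2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] "
    "Failed to get user path, throw E_FAIL"
)

if __name__ == "__main__":
    print(find_challenge_lookup_failures(SAMPLE))
```

A finding with both `dns_style_domain` and `membership_check_aborted` set matches the failure described in this article, where the agent cannot resolve the user's challenge setting and defaults to challenging.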