Unexpected MFA Challenge for Unchallenged Users when machines are in WORKGROUP environment
Originally Published: 2025-10-27
Article Number
000073673
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: RSA MFA Agent for Microsoft Windows
Version(s): All supported versions 

Issue

In environments where machines are in a WORKGROUP (that is, not joined to a domain), users may receive unexpected MFA challenges even though they are not members of the challenge group.

Cause
  • The MFA Agent determines challenge eligibility based on the username and domain provided by Windows.
  • When a local user logs in using only the username (e.g., typing username rather than ComputerName\username), Windows assigns the domain as WORKGROUP.
  • Because WORKGROUP can also represent a valid domain in some environments, the agent cannot confidently classify the user as local.

As a result of this behavior:

  • The agent treats the user as domain-based and attempts an LDAP lookup to validate identity. The LDAP lookup fails; the agent falls back to LogonUser(), which succeeds because the account is local, but the later attempt to resolve the SID of WORKGROUP\username also fails:
    • [Local: 2025-10-03 12:49:16.881] 2025-10-03 16:49:16.881 10032.1 [V] [RSA.Authentication.WindowsSecurity.PasswordValidator.AuthenticateUser] Enter
      [Local: 2025-10-03 12:49:17.099] 2025-10-03 16:49:17.099 10032.1 [E] [RSA.Authentication.WindowsSecurity.PasswordValidator.AuthenticateUser] Caught exception: System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
         at System.DirectoryServices.Protocols.LdapConnection.Connect()
         at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
         at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
         at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
         --- End of inner exception stack trace ---
         at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
         at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
         at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
         at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
         at RSA.Authentication.WindowsSecurity.PasswordValidator.AuthenticateUser(String username, String password, String domain, Int32& errorcode)
      [Local: 2025-10-03 12:49:17.099] 2025-10-03 16:49:17.099 10032.1 [I] [RSA.Authentication.WindowsSecurity.PasswordValidator.AuthenticateUser] Calling LogonUser() for username = username; domain = WORKGROUP
      [Local: 2025-10-03 12:49:17.193] 2025-10-03 16:49:17.193 10032.1 [I] [RSA.Authentication.WindowsSecurity.PasswordValidator.AuthenticateUser] LogonUser() succeeded
       
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] Enter
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] Domain: WORKGROUP
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] _sid is empty
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] Attempting retrieval
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [UserIdentityCache.LookupUserSidByNtAccountName] Enter
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [UserIdentityCache.LookupUserSidByNtAccountName] Looking up: WORKGROUP\username
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [W] [UserIdentityCache.LookupUserSidByNtAccountName] Lookup failed
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [UserIdentityCache.LookupUserSidByNtAccountName] Return
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [V] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] NTAccount = WORKGROUP\srvauser
      [Local: 2025-10-03 13:28:15.432] 2025-10-03 17:28:15.432 6544.1 [E] [RSA.Authentication.Mfa.UserIdentityLocalAD.Sid] Caught exception: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
         at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
         at System.Security.Principal.NTAccount.Translate(Type targetType)
         at RSA.Authentication.Mfa.UserIdentityLocalAD.get_Sid()
      
  • Because the SID lookup fails, the agent cannot evaluate the user's group membership, and in that state it challenges by default, even though the local user is not in the challenge group.
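The following PowerShell is an added example for diagnosing this on the affected machine; it is not RSA's code. It reproduces the NTAccount-to-SID translation the agent log shows under UserIdentityLocalAD.Sid, once with the WORKGROUP prefix Windows supplies for a bare username and once with the explicit computer name. The account name username is a placeholder; replace it with a real local user on the machine. All lookups are read-only.

```powershell
# Added example (not RSA's code): reproduce the account-to-SID lookup that fails
# in the agent log when the domain is WORKGROUP, and show that the same local
# account resolves when qualified with the computer name instead.
param(
    # Placeholder local account; replace with a real local user on this machine.
    [string]$UserName = 'username'
)

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$NtAccountName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($NtAccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $NtAccountName; Result = 'Resolved'; Sid = $sid.Value }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Same exception type the agent records for WORKGROUP\username
        [pscustomobject]@{ Account = $NtAccountName; Result = 'IdentityNotMapped'; Sid = $null }
    }
}

# Confirm the machine really is in a workgroup and report the workgroup name
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Computer: $($cs.Name)  PartOfDomain: $($cs.PartOfDomain)  Workgroup: $($cs.Workgroup)"

# The first form is what the agent receives for a bare-username logon; the
# second is what the .\username or ComputerName\username workaround produces.
$candidates = @(
    "WORKGROUP\$UserName",
    "$($cs.Name)\$UserName"
)
$results = $candidates | ForEach-Object { Resolve-AccountSid -NtAccountName $_ }
$results | Format-Table -AutoSize

# Interpretation: IdentityNotMapped for WORKGROUP\<user> together with a resolved
# local SID (S-1-5-21-...) for <computer>\<user> matches the cause described above.
```

Run it as any user on the workgroup machine; no elevation is needed because it only translates names. If the WORKGROUP form also resolves, the machine is reachable to an actual domain named WORKGROUP and this article's cause does not apply.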
Resolution
  • Enable the "Cache Challenge Settings" policy. This allows the Agent to use its local cache to determine group membership when the domain controller is unavailable.
  • Define the behavior when no cached setting exists:

    • If a cached policy exists, the Agent uses it to decide whether to challenge the user.
    • If no cached policy is found, set the option to "Do not challenge user". The Agent will then not require RSA credentials and will accept the Windows password when group membership cannot be determined.
  • Reboot the machine if needed.

As an alternative, you can use Group Policy to change the default logon domain shown on the logon screen; see the Microsoft article Use GPOs to change default logon domain name - Windows Server | Microsoft Learn.
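As an added example (not part of this article and not RSA's or Microsoft's code), the following PowerShell applies that policy on a single workgroup machine so the logon screen defaults to the local computer name rather than WORKGROUP. The registry location used is the one the "Assign a default domain for logon" policy writes; that path and value name are assumed here, so confirm them against the Microsoft article linked above before relying on this.

```powershell
# Added example (not RSA's or Microsoft's code). Sets the local equivalent of the
# "Assign a default domain for logon" policy so the logon screen defaults to this
# computer instead of WORKGROUP. Run from an elevated PowerShell session.
# ASSUMED: this is the registry location the policy writes; verify against the
# linked Microsoft article.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DefaultLogonDomain'

function Get-DefaultLogonDomain {
    # Returns the configured default logon domain, or $null if none is set
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-DefaultLogonDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DomainName = $env:COMPUTERNAME)

    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set to '$DomainName'")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $DomainName `
            -PropertyType String -Force | Out-Null
    }
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "This machine is domain-joined; this article's scenario applies to workgroup machines."
}

"Before: $(Get-DefaultLogonDomain)"
Set-DefaultLogonDomain -DomainName $cs.Name
"After:  $(Get-DefaultLogonDomain)"

# To revert: Remove-ItemProperty -Path $PolicyKey -Name $ValueName
```

Use -WhatIf on Set-DefaultLogonDomain to preview the change. After a sign-out, the logon screen should show the computer name as the default domain, so a user typing only username is treated as ComputerName\username and the agent no longer receives WORKGROUP as the domain.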

Workaround

As a workaround, log in using either .\username or ComputerName\username. This prevents Windows from assigning the ambiguous WORKGROUP domain, which is what triggers the unnecessary MFA challenge.