Windows Agent failing to authenticate local Group Membership with 30 Secs timeout
Originally Published: 2021-05-20
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x
Platform: Windows
Platform (Other): Challenge a local group of Domain Admin (AD users)
O/S Version: 10
Issue
- Authentication through the Windows Agent, when connecting to a Windows machine over RDP, takes more than 30 seconds and then times out.
- Challenge settings are configured through GPO (Challenge Users In .\Administrators).
- The local Administrators group contains EXAMPLE\Domain Admins, which means that an Active Directory group is nested inside (mapped to) the local group.
- The Windows Agent logs show the following:
SIDAuthenticator(RSANotificationIcon).log
Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getGroupDnLDAPPath] Enter
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:56:17.717 6392.3976 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:56:17.733 6392.3976 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:56:17.733 6392.3976 [W] [ADSIHelper::getGroupDnLDAPPath] ERROR_DS_NAME_ERROR_NOT_FOUND: Name Translation: Could not find the name or insufficient right to see name
2021-05-18 18:56:17.733 6392.3976 [I] [ADSIHelper::getGroupDnLDAPPath] Returning:
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getGroupDnLDAPPath] Return
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUserADsLDAPPath] Enter
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:56:17.733 6392.3976 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::getUserADsLDAPPath] Returning: LDAP://CN=A-NMA,CN=Users,DC=korry,DC=com
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::getUserADsLDAPPath] Return
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::isUserMemberOfGroup] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::openLdapADsObject<IDirectorySearch>] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::getAdsiBindingFlags] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [RsaDesktopConfig::RsaDesktopConfig] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [RsaDesktopConfig::RsaDesktopConfig] Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::isUserMemberOfGroup] Returning: false bInGroup: false Group: User: LDAP://CN=A-NMA,CN=Users,DC=korry,DC=com
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::isUserMemberOfGroup] Return
2021-05-18 18:56:17.749 6392.3976 [W] [ADSIHelper::recursiveIsUserInGroup] isUserMemberOfGroup() call returned false, indicating an error during processing, so breaking out of loop
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::recursiveIsUserInGroup] bReturning false, bUnresolvedSIDFound = false, bInGroup = false
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::CheckDomainUserInLocalGroup] Return
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::~ADSIHelper] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::~ADSIHelper] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::queryAdsiForUserLocation] Returning: userLocation = LOCATION_UNKNOWN
2021-05-18 18:56:17.749 6392.3976 [V] [sidChallenge::queryAdsiForUserLocation] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroup] Returning: userLocation = LOCATION_UNKNOWN
2021-05-18 18:56:17.749 6392.3976 [V] [sidChallenge::checkUserInGroup] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] Indeterminate result for challenge group: .\Users
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] The user was not found, but the search was indeterminate
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] Returning: userLocation = LOCATION_UNKNOWN
SIDAuthenticator(LogonUI).log
2021-05-18 18:40:16.174 3380.5508 [I] [ADSIHelper::recursiveIsUserInGroup] Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getGroupDnLDAPPath] Enter
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:40:16.174 3380.5508 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:40:16.190 3380.5508 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:40:16.190 3380.5508 [W] [ADSIHelper::getGroupDnLDAPPath] ERROR_DS_NAME_ERROR_NOT_FOUND: Name Translation: Could not find the name or insufficient right to see name
2021-05-18 18:40:16.190 3380.5508 [I] [ADSIHelper::getGroupDnLDAPPath] Returning:
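To check logs from other machines for the same signature, the following added example (not RSA code) scans SIDAuthenticator log lines per thread for a failed name translation followed by an indeterminate challenge-group result. The function name, the finding fields and the sample lines are constructed for illustration and assume the line layout shown in the excerpts above.

```python
import re
from collections import defaultdict

# Layout seen in the excerpts: timestamp, pid.tid, [level], [function], message
LINE = re.compile(r"^(\S+ \S+) (\d+\.\d+) \[([VIWE])\] \[([^\]]+)\] ?(.*)$")

def find_indeterminate_challenges(lines):
    """Return one finding per thread where a failed name translation is
    followed by an indeterminate challenge-group result."""
    state = defaultdict(dict)          # keyed by "pid.tid"
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                   # truncated or untimestamped line
        ts, thread, level, _func, msg = m.groups()
        st = state[thread]
        if "nested domain group" in msg:
            st["nested"] = True
        elif level == "E" and msg.startswith("Failed to set NT4 Name = "):
            st["name"] = msg.split(" = ", 1)[1]
        elif "ERROR_DS_NAME_ERROR_NOT_FOUND" in msg:
            st["not_found"] = True
        elif msg.startswith("Indeterminate result for challenge group: "):
            if st.get("not_found"):
                findings.append({
                    "time": ts,
                    "thread": thread,
                    "challenge_group": msg.split(": ", 1)[1],
                    "unresolved_name": st.get("name"),
                    "nested_domain_group": st.get("nested", False),
                })
            state[thread] = {}         # reset for the next check on this thread
    return findings

# Constructed sample lines in the same layout as the agent logs (not real data)
SAMPLE = r"""
2021-05-18 18:56:17.700 1111.2222 [I] [ADSIHelper::recursiveIsUserInGroup] Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2021-05-18 18:56:17.733 1111.2222 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:56:17.733 1111.2222 [W] [ADSIHelper::getGroupDnLDAPPath] ERROR_DS_NAME_ERROR_NOT_FOUND: Name Translation: Could not find the name or insufficient right to see name
2021-05-18 18:56:17.740 1111.3333 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.749 1111.2222 [I] [sidChallenge::checkUserInGroups] Indeterminate result for challenge group: .\Users
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_indeterminate_challenges(SAMPLE):
        print(finding)
```
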
Cause
The challenge settings are configured to challenge local group users only, but the EXAMPLE\Domain Admins group has been added to that local group on the machine.
Resolution
- Challenge either a local group of users (it must be a user group that was added locally only) or an AD user group.
- That is, use either .\<Local group> or <Domain>\<Domain Group>.
- Adding an AD user group to the local group on the Windows machine through Computer Management > Local Users and Groups forces authentication to fail after it enters an endless loop looking for the user.
Notes
like the ones below:
| Character | Symbol |
| --- | --- |
| Comma | , |
| Backslash and forward slash | \ / |
| Pound sign (hash sign) | # |
| Plus sign | + |
| Less than symbol | < |
| Greater than symbol | > |
| Semicolon | ; |
| Double quote (quotation mark) | " |
| Equal sign | = |
| Leading or trailing spaces | |
ADSI is an acronym for Active Directory Service Interface, a library of routines that provides an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).