RSA Security Console - remove 'domain name' input needed while authentication
Hi,
Can someone please help me with the situation below?
We have a Citrix external gateway with RSA SecurID as 2FA for user authentication, and on our current Citrix external logon page users need to enter Domain name + User name in the user name field, i.e. 'Domain\UserName'.
We have configured and removed the Domain name input at the Citrix NetScaler level, but RSA looks to be needing the Domain name in the username field.
Can someone please point out the steps to remove the 'domain name' input needed during authentication in the RSA Security Console?
Try using RSAOMIT to remove the domain credentials; see this article for the how-to: https://community.rsa.com/docs/DOC-46034
a) How are users listed in the RSA Security Console? Short userid like joeuser, or UPN style like joeuser@domain.com?
b) How are usernames arriving at the RSA server from the agent?
- joeuser
- domain/joeuser
c) NTLM name stripping or RSAOMIT can take an incoming name with the domain attached and strip it down to remove the domain, or map it to UPN. This is designed to allow RSA Windows agents to send the domain of a user to the RSA server in this format:
domain/userid
and map it to userid@domain.com, or with RSAOMIT, remove just the domain/ part and not map it to anything.
- incoming domain/joeuser can be stripped to joeuser if that is how users are listed (RSAOMIT)
- incoming domain/joeuser can be mapped to UPN joeuser@domain.com
d) If the userid arrives as joeuser, but users are listed in the Security Console as joeuser@domain.com, it cannot be mapped to add the @domain.com to joeuser.
At any rate, the authentication activity log will show the format of the username as it arrives at the RSA server, and we need to find a match in the list of users in the Security Console that either is identical or, if not identical, can be made to match by the NTLM mapping.
Hi Edward and David, thanks for your reply.
- We have users listed as userid@domain.com in the Security Console.
- So I tried adding RSAOMIT in the Domain Name Mapping section; it did not work.
- I tried removing the existing Domain Mapping field names and that did not work either; as per the authentication logs, this is what I get:
Currently normal authentication works without changing Domain Name Mapping.
Is there anything else I can try?
Your incoming usernames must be joeuser@domain.com. If you are just sending the short name 'joeuser', the RSA AM server doesn't have a way to add @domain.com to the user automatically.
Options:
You could set up login aliases for the users and apply them to the agents that are not sending the domain name across. So, set up an alias 'joeuser' for the actual user joeuser@domain.com and apply it to the Citrix agent; when the system sees joeuser try to authenticate from that specific agent, it will check whether this is an alias for the real user joeuser@domain.com and authenticate.
or
You could list all users in the database by short name. If on an LDAP connection, you can change the userid mapping from UPN to sAMAccountName, and all the users would switch to the short userid. But of course this may affect other things and may not be possible or easy to do.
