RSA Security Console - remove 'domain name' input needed while authentication
Can someone please help me with the situation below?
We have a Citrix external gateway with RSA SecurID as 2FA for user authentication, and on our current Citrix external logon page users need to input domain name + user name in the username field, i.e. 'Domain\UserName'.
We have configured and removed the domain name input at the Citrix NetScaler level, but RSA looks to be needing the domain name in the username field.
Can someone please point out the steps to remove the 'domain name' input needed during authentication in the RSA Security Console?
a) How are users listed in the RSA Security Console?
Short userid like joeuser, or UPN style like firstname.lastname@example.org?
b) How are usernames arriving at the RSA server from the agent?
c) NTLM name stripping or RSAOMIT can take an incoming name with the domain
attached and strip it down to remove the domain, or map it to a UPN.
This is designed to allow RSA Windows agents to send the domain of a user to the RSA server in this format:
and map it to email@example.com, or, with RSAOMIT, remove just the domain/ part and not map it to anything.
- incoming domain/joeuser can be stripped to joeuser if that is how users are listed (RSAOMIT)
- incoming domain/joeuser can be mapped to UPN firstname.lastname@example.org
d) If the userid arrives as joeuser, but users are listed in the Security Console as email@example.com, it cannot
be mapped to add the @domain.com to joeuser.
At any rate, the authentication activity log will show the format of the username as it arrives at the RSA
server, and we need to find a match in the list of users in the Security Console that either is identical or,
if not identical, can be made to match by the NTLM mapping.
Hi Edward and David, thanks for your reply.
- We have users listed as firstname.lastname@example.org in the Security Console.
- So I tried adding RSAOMIT in the section for
- I tried removing the existing domain mapping field names and that did not work; as per the authentication logs, this is what I get
Currently normal authentication works without changing
Is there anything else I can try?
Your incoming usernames must be email@example.com. If you are just sending the short name 'joeuser', the RSA AM server doesn't have a way to add @domain.com to the user automatically.
You could set up login aliases for the users, and apply those to agents that are not sending the domain name across. So, set up an alias 'joeuser' for the actual user firstname.lastname@example.org, and apply this to the Citrix agent; when the system sees joeuser try to authenticate from that specific agent, it will check whether this is an alias for the real user email@example.com and authenticate.
You could list all users in the database by short name. If on an LDAP connection, you can change the userid mapping from UPN to sAMAccountName, and all the users would switch to the short userid. But of course this may affect other things and may not be possible or easy to do.
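The matching rules laid out across the two replies above (identical match, NTLM mapping of domain\short-name to a UPN, RSAOMIT-style domain stripping, and per-agent login aliases as the only route for a bare short name) are easier to reason about as a small model. The following is an added illustration written for this thread; it is not RSA Authentication Manager code, and the `Directory`, `resolve_user`, the `ntlm_map` table and the `citrix-gateway` agent name are constructed assumptions standing in for the identity-source lookup and agent configuration the replies describe.

```python
"""Model of the username-matching logic described in the thread.

Constructed example, not RSA's implementation.  It shows why a bare short
name cannot be matched against a UPN-listed user without a login alias, why
RSAOMIT alone does not help when users are listed as UPNs, and how NTLM
mapping of DOMAIN\\user to a UPN closes the gap when the domain is sent.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Directory:
    # names exactly as the users are listed in the Security Console
    users: Set[str]
    # NTLM mapping per domain: sAMAccountName -> UPN (hypothetical stand-in for
    # the identity-source lookup the reply calls "map it to UPN")
    ntlm_map: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # login aliases scoped to one agent: agent name -> alias -> real user
    agent_aliases: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # RSAOMIT-style behaviour: drop the domain part and map it to nothing
    omit_domain: bool = False


def split_domain(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' or 'DOMAIN/user' into (DOMAIN, user).

    The domain is returned upper-cased for table lookups and is None when the
    name arrived without one.
    """
    for sep in ("\\", "/"):
        if sep in name:
            domain, _, user = name.partition(sep)
            return domain.upper(), user
    return None, name


def resolve_user(directory: Directory, incoming: str, agent: str) -> Optional[str]:
    """Return the Security Console user the incoming name matches, or None."""
    # 1. identical match: the agent already sends the name as it is listed
    if incoming in directory.users:
        return incoming
    domain, user = split_domain(incoming)
    # 2. NTLM mapping: DOMAIN\short -> UPN, only when a domain was sent and
    #    RSAOMIT is not stripping it away first
    if domain is not None and not directory.omit_domain:
        upn = directory.ntlm_map.get(domain, {}).get(user)
        if upn in directory.users:
            return upn
    # 3. after stripping (or with no domain at all) only the bare name is left
    if user in directory.users:
        return user
    # 4. a bare short name can still match through a login alias defined for
    #    this particular agent; nothing appends @domain.com automatically
    real = directory.agent_aliases.get(agent, {}).get(user)
    if real is not None and real in directory.users:
        return real
    return None


# Constructed sample data mirroring the thread: users listed as UPNs, an NTLM
# mapping for the CORP domain, and an alias applied only to the Citrix agent.
CONSOLE = Directory(
    users={"firstname.lastname@example.org"},
    ntlm_map={"CORP": {"joeuser": "firstname.lastname@example.org"}},
    agent_aliases={"citrix-gateway": {"joeuser": "firstname.lastname@example.org"}},
)

# Same user list with RSAOMIT-style stripping turned on, as the poster tried.
CONSOLE_OMIT = Directory(users={"firstname.lastname@example.org"}, omit_domain=True)


def demo() -> Dict[str, Optional[str]]:
    """Run the four situations discussed in the thread and return the outcomes."""
    return {
        "upn_sent": resolve_user(CONSOLE, "firstname.lastname@example.org", "any-agent"),
        "domain_mapped": resolve_user(CONSOLE, "CORP\\joeuser", "any-agent"),
        "short_no_alias": resolve_user(CONSOLE, "joeuser", "any-agent"),
        "short_with_alias": resolve_user(CONSOLE, "joeuser", "citrix-gateway"),
        "omit_with_upn_users": resolve_user(CONSOLE_OMIT, "CORP\\joeuser", "any-agent"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

The `omit_with_upn_users` case returns `None`: stripping the domain from `CORP\joeuser` leaves `joeuser`, which never equals the UPN the console lists, so RSAOMIT cannot help once the NetScaler stops sending the domain. Only the identical UPN, the NTLM mapping (which needs the domain to be sent), or an alias scoped to the Citrix agent produce a match.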