How to verify that RSA Authentication Agent for Windows can perform challenge user lookups across different Active Directory, AD Domains or Forests
RSA Product Set: RSA SecurID RSA Product/Service Type: Authentication Agent for Windows RSA Version/Condition: 7.4.x, 7.4, 7.3.x Platform: Windows Platform (Other): Challenge group for users across 2 Domains O/S Version: 10
The RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide (auth_agent_install_admin_guide.pdf), p. 23 under Create Groups of Users to Challenge with RSA SecurID, states "Confirm that groups that you create are recognized by Active Directory, [AD] as a group and can be queried. For detailed instructions on creating groups, see your Microsoft Windows documentation."
This means that when user challenge is based on group membership (as opposed to challenge everyone), the user lookup involves a Get-ADPrincipalGroupMembership command, which might:
Simply look in all sub-domains under a single AD Domain, or
Need to lookup from one AD forest to another, different AD forest - in which case there would need to be a 'trust' relationship between forests, or this lookup will fail.
This Knowledge Base, KB article will demonstrate how to use Windows PowerShell Get-ADUser -Identity to verify that Windows agents can find an AD user in order to successfully challenge that user.
Symptoms that AD challenge User lookup failed Windows Agent log file ===SIDAuthenticator(LogonUI).log=== ADsOpenObject failed. [sidChallenge::checkCachedSettings] Cannot open challenge cache data key for user <UserID> [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = <Domain_NT4_name>\<UserID>
Ensure PowerShell includes the Active Directory Module.
Test individual UserID lookups by SamAccountName or another identifying attribute, for example Get-ADUser -Identity <UserID>
Procure a Windows platform that has Powershell Image description
Ensure PowerShell includes the Active Directory Module. Image description If the AD Module is not installed in PowerShell, you will get the CommandNotFoundException Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Test individual UserID lookups by SamAccountName or another identifying attribute, e.g. Get-ADUser -Identity <UserID>
Once you are satisfied that PowerShell is working and its Active Directory Module is installed, the basic command to lookup a UserID or SamAccountName is:
Get-ADUser -Identity <UserID> Where <UserID> is a logon name or SamAccountName.
A Successful lookup returns information about the UserID. Image description
Notice that you can optionally search a specific Domain Controller Server with the -server setting.
An unsuccessful lookup returns User Not found, ObjectNotFound.
Image description If you cannot find a specific UserID or SamAccountName with Get-ADUser -Identity from the Windows Agent, check the Authentication Manager Security Console to see if this userID exists in AM. Search across all Identity Sources if necessary.
If you have demonstrated that a UserID is visible in AM, but you have been unsuccessful in finding the same UserID with Get-ADUser -Identity, You might need to try various PowerShell Get-AD* commands in order to find an exact match on SamAccountName, or to search for an entire Domain by all users in specific organizational unit ou.
Get-ADUser -Filter "SamAccountName -eq '<UserID>'" Get-ADUser -server "<DomainControllerName>" -Identity <UserID> Get-ADUser -Filter * -SearchBase 'OU=vcloud Users,DC=2k12-vcloud,DC=local' - this last command gets all vcloud users from the ou – thousands!!!
You can check a found user's group memberships with the following commands Get-ADPrincipalGroupMembership <SamAccountName>
Get-ADPrincipalGroupMembership <UserID> | select name
If you have multiple Domains and Forests, you might need to Get-ADUser -Identity for several different users from different Domains, Forests, or Authentication Manager Identity Sources.
Ultimately you might need to bring in the Directory team to get an understanding of the entire structure, in order to search across all directories. Sometimes you will find it is simply easier and more secure, to challenge everyone and avoid the need to lookup across multiple forests.