Trusted Realms with 2 Active Directories, One-Way Trust
One-way trusts between RSA realms or between ADs are straightforward enough, but what happens when users want to authenticate using both RSA and AD in a one-way trust? Take 2 domains for example. Domain B trusts A, but A does not trust B. How would a user sign into domain B using credentials from domain A? Is that even possible with both Active Directory and RSA being required for each domain?
Accepted Solutions
The RSA servers only add a new layer to the authentication sequence, and the trusts on an RSA server do not co-mingle with any AD trusts or rules you may have for the user accounts inside AD.
RSA server trust: can a remote user log into my agents? Can I look up unknown usernames in a different RSA server database?
AD trusts: a separate mechanism not tied to the way RSA trusts are set up.
RSA servers themselves only care about: the userid being found, and the passcode.
RSA SecurID doesn't really handle anything further AD or LDAP related, except to
1) initially populate the RSA server with a list of userids so you can assign tokens to them, and
2) then be able to look up an incoming authentication request and check the userid to see if it is in its own list, or a remote Trusted realm list.
-----------------------------------------------------------------------------------------------
A new incoming auth request from an RSA server agent...
a) userid looked up in its own database, or if not found in its own database, go ask a Trusted RSA realm if the userid is found.
b) Then once the userid is found, validate the passcode (which is the PIN+token).
If this is a one-way RSA trust where B trusts A, users from A can log in to B's agents, but B users cannot log in to A's agents. And here when I say 'login' I mean only that the userid and passcode are validated; I don't mean that once validated, any secondary layer of AD auth trust will work.
Any further 'trust' in AD is separate and based on different rules set up on the non-RSA systems.
Once the RSA token processing is done, RSA is out of the picture. If next there is another layer of auth or something to do with a user's AD credentials, or AD trusts, it is up to the agent device that they just entered the userid and passcode into to figure out the AD authentication part. So, if you removed RSA from the setup, the AD auth and trust would work the same as it would with an RSA trusted realm added. Your token login piece just might get denied if the RSA trust is set up in the wrong direction.
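As an added illustration (not part of the original thread), a small Python model of the two layers the answer keeps separate: the RSA realm lookup under a one-way trusted realm, followed by an AD check that the agent performs on its own. Realm names, userids, PINs, tokencodes and the trust tables are constructed sample data, and the tokencode comparison is a stand-in for real SecurID token validation.

```python
"""Two independent trust layers: RSA trusted realms, then AD (agent-side)."""
import hmac

# Constructed sample data: realm -> {userid: (pin, current_tokencode)}
RSA_REALMS = {
    "A": {"alice": ("1234", "556677")},
    "B": {"bob": ("9876", "112233")},
}
# One-way RSA trust: B trusts A, so B's server may consult A's database.
# A trusts nobody, so A's agents can never resolve a B userid.
RSA_TRUSTS = {"B": ["A"], "A": []}

# AD trust is a separate mechanism; kept in its own table on purpose.
# Changing it has no effect on rsa_lookup()/rsa_authenticate() below.
AD_TRUSTS = {"B": ["A"], "A": []}
AD_ACCOUNTS = {"A": {"alice"}, "B": {"bob"}}


def rsa_lookup(agent_realm, userid):
    """Step a): own database first, then each realm this realm trusts."""
    for realm in [agent_realm] + RSA_TRUSTS.get(agent_realm, []):
        if userid in RSA_REALMS[realm]:
            return realm
    return None  # unknown locally and in every trusted realm


def rsa_authenticate(agent_realm, userid, passcode):
    """Steps a) and b): find the userid, then check passcode = PIN + tokencode."""
    realm = rsa_lookup(agent_realm, userid)
    if realm is None:
        return False
    pin, tokencode = RSA_REALMS[realm][userid]
    return hmac.compare_digest(passcode, pin + tokencode)


def ad_authenticate(agent_domain, userid, user_domain):
    """Separate layer: the agent decides from AD trusts, never from RSA trusts."""
    if user_domain != agent_domain and user_domain not in AD_TRUSTS[agent_domain]:
        return False
    return userid in AD_ACCOUNTS[user_domain]


def login(agent_realm, userid, user_domain, passcode):
    """Full sequence: RSA token step first; AD only comes into play afterwards."""
    if not rsa_authenticate(agent_realm, userid, passcode):
        return "denied: RSA"
    if not ad_authenticate(agent_realm, userid, user_domain):
        return "denied: AD"
    return "ok"
```

Running `login("B", "alice", "A", "1234556677")` succeeds because B's server resolves alice via the trust to A, while `login("A", "bob", "B", "9876112233")` is denied at the RSA step before AD is ever consulted.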
Thank you. Very helpful.
