This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

RSA Authentication Agent 1.0.1 for Active Directory Federation Services (AD FS) sends domain\samAccountName instead of UPN to Authentication Manager

Article Number

000035109

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS) 
RSA Version/Condition: 1.0.1
 

Issue

  1. At the AD FS front end web page the customer enters their UPN such as jon.smith@company.com in the User Name field, along with their password.  
Image descriptionImage description
  1. But ADFS prompts for a passcode with samAccountName, prefixed with the domain; for example, company\jon.smith instead.
 
Image descriptionImage description
  1. Since the user ID is in UPN format in Authentication Manager, the Domain\samAccountname format of the same user is not found, so logon fails with failure to resolve User ID or Alias.

Cause

Since Microsoft AD FS owns the format of the username displayed (that is, <domain>\jon.smith, the Authentication Agent for AD FS needs to alter the AD FS behavior through a GPO. However, this GPO must be in place before the agent is registered with both AD FS and with Authentication  Manager.

The SecurIDAuthProvider(MicrosoftIdentityServer...).log for the AD FS agent will show the claim type, in this case windowsaccountname, when it should be UPN.
 
Image descriptionImage description

Resolution

In this situation you will need to unregister the agent with AD FS, then reregister it after the GPO is in place.
  1. The ADFSUnregisterationSample PowerShell script should be in  C:\Program Files\RSA\RSA Authentication Agent\AD FS Adapter\SampleRegistrationScripts.
Image descriptionImage description
  1. In PowerShell change directory to the  ..\AD FS Adapter\SampleRegistrationScripts directory and run the ADFSUnregistrationSample.ps1 (or your customized) PowerShell script
Image descriptionImage description
  1. Follow this by running the ADFSRegistrationSample.ps1 (or your customized) PowerShell script
  2. If AD FS is running in a farm of AD FS servers, the (un)registration commands are run on any server, but then the AD FS service needs to be restarted ON EACH SERVER afterwards.

Be sure to close IE to clear the browser cache before trying after this fix.

  1. The SecurIDAuthProvider(MicrosoftIdentityServer...).log for the AD FS agent should now show the claim type to be UPN:
Image descriptionImage description

Workaround

A workaround would be to use an alias for the samAccountName in Authentication Manager for the UPN user name.

Notes

Also, the display will not change.  The value of company\jon.smith will still show, but the Authentication Manager logs, including the Authentication Activity Monitor, will show the UPN jon.smith@company.com.
 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 04:17 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.