AnsweredAssumed Answered

Product or Component required for AD/LDAP Auth with SecurID

Question asked by Kenneth Kirchner on Jan 3, 2017
Latest reply on Jan 4, 2017 by Edward Davis

Like • Show 0 Likes0
Comment • 5

We have an RSA Authentication Manager server and a few hundred tokens. We are using this as a 2F back-end for Cisco Secure ACS and for Linux authentication (with the PAM module). If we wanted to use tokens with our Windows 2012 Active Directory servers, what additional components or products would we need? We want to be able to use AD accounts, but use the Token Code instead of the password. This would also not be required for all accounts, since we have a 2F PKI solution in place for system logins, but for applications that support AD/LDAP and not PKI, using the RSA SecuID Token seems like the best option to get these apps behind 2F.

Jay Guillette

Jan 3, 2017 2:43 PM

Correct Answer

The RSA Authentication agent for Windows can be installed on Win2012 R2, and you can Challenge (require PassCode 2-factor)

1. everyone,

2. everyone in a specific group

3. everyone NOT in a specific group

4. No one

However, with Windows you always have to logon with a Windows password even after authenticating with PassCode. But you can configure Windows Password Integration, and the RSA AM agent will tell the RSA AM server the MD5 hash of your Windows Password the first time you do this, and the subsequent times after that RSA will automatically log you on to Windows after you enter your PassCode successfully (until password expires, you change Windows Password, and RSA learns the new MD5 hash of the WinPassword...repeat)

See the reply in context

No one else had this question

Outcomes

Jay Guillette

Jan 3, 2017 2:43 PM

The RSA Authentication agent for Windows can be installed on Win2012 R2, and you can Challenge (require PassCode 2-factor)

1. everyone,

2. everyone in a specific group

3. everyone NOT in a specific group

4. No one

1 person found this helpful

Actions

Jay Guillette

Jan 3, 2017 2:46 PM

To add, the UserID for RSA needs to match the UserID for Windows, so you either create this manually in the RSA AM internal database, or you configure RSA to use an external LDAP Identity Source like AD in the Operations Console

Attachments

CSTM_AM_external_IdentitySourceNoAudio.ppt4.5 MB

1 person found this helpful

Actions

Kenneth Kirchner Jan 3, 2017 3:14 PM

Thanks for the response, Jay. What I am looking for is not the Windows login. It is the authentication of the AD account. I am probably explaining this horribly, so let me give an example.

We have a linux application that supports authentication of users from an AD or LDAP source. If I point this app at AD, users can log in to the app with their Windows username and password. This is obviously not 2F. Is there some way I can have the Domain Controller or LDAP server query the RSA Authentication Manager for a passcode associated with the users account instead of using the internal AD/LDAP password?

Actions

Jay Guillette

@ Kenneth Kirchner on Jan 4, 2017 11:05 AM

I think the external LDAP Identity source in Authentication Manager is what you want. The AD accounts are what you use to logon, but in an RSA Challenged Setting you must enter your passcode as your password is not enough. It is the same AD userID in both Auth Manager and Linux or whereever

Actions

Edward Davis

@ Kenneth Kirchner on Jan 4, 2017 11:27 AM

Hello,

No this cannot be done as you describe. You need your app to be able to send

the username/password to the RSA server, which we will look up in the internal database or

on an AD connection. If that username has a token assigned, and what we

see in the password field was the correct passcode [pin+tokencode] then

we will accept that and sent the 'authentication succeeded' back to the source.

RSA server only looks at AD for the username and whether account is disabled

or locked out.

On your linux machine, it needs the ability to send the username/password info to an RSA server, either

using native securid protocol, or radius protocol.

Actions

5 Replies

Jay Guillette Jan 3, 2017 2:43 PM
Unmark Correct
Correct Answer
The RSA Authentication agent for Windows can be installed on Win2012 R2, and you can Challenge (require PassCode 2-factor)
1. everyone,
2. everyone in a specific group
3. everyone NOT in a specific group
4. No one

However, with Windows you always have to logon with a Windows password even after authenticating with PassCode. But you can configure Windows Password Integration, and the RSA AM agent will tell the RSA AM server the MD5 hash of your Windows Password the first time you do this, and the subsequent times after that RSA will automatically log you on to Windows after you enter your PassCode successfully (until password expires, you change Windows Password, and RSA learns the new MD5 hash of the WinPassword...repeat)
1 person found this helpful
Like • Show 1 Like1
Actions
Jay Guillette Jan 3, 2017 2:46 PM
Mark Correct
Correct Answer
To add, the UserID for RSA needs to match the UserID for Windows, so you either create this manually in the RSA AM internal database, or you configure RSA to use an external LDAP Identity Source like AD in the Operations Console
Attachments
- CSTM_AM_external_IdentitySourceNoAudio.ppt4.5 MB
1 person found this helpful
Like • Show 1 Like1
Actions
Kenneth Kirchner Jan 3, 2017 3:14 PM
Mark Correct
Correct Answer
Thanks for the response, Jay. What I am looking for is not the Windows login. It is the authentication of the AD account. I am probably explaining this horribly, so let me give an example.

We have a linux application that supports authentication of users from an AD or LDAP source. If I point this app at AD, users can log in to the app with their Windows username and password. This is obviously not 2F. Is there some way I can have the Domain Controller or LDAP server query the RSA Authentication Manager for a passcode associated with the users account instead of using the internal AD/LDAP password?
Like • Show 0 Likes0
Actions
- Jay Guillette @ Kenneth Kirchner on Jan 4, 2017 11:05 AM
  Mark Correct
  Correct Answer
  I think the external LDAP Identity source in Authentication Manager is what you want. The AD accounts are what you use to logon, but in an RSA Challenged Setting you must enter your passcode as your password is not enough. It is the same AD userID in both Auth Manager and Linux or whereever
  Like • Show 0 Likes0
  Actions
- Edward Davis @ Kenneth Kirchner on Jan 4, 2017 11:27 AM
  Mark Correct
  Correct Answer
  Hello,
  
  No this cannot be done as you describe. You need your app to be able to send
  the username/password to the RSA server, which we will look up in the internal database or
  on an AD connection. If that username has a token assigned, and what we
  see in the password field was the correct passcode [pin+tokencode] then
  we will accept that and sent the 'authentication succeeded' back to the source.
  
  RSA server only looks at AD for the username and whether account is disabled
  or locked out.
  
  On your linux machine, it needs the ability to send the username/password info to an RSA server, either
  using native securid protocol, or radius protocol.
  Like • Show 0 Likes0
  Actions

Product or Component required for AD/LDAP Auth with SecurID

Outcomes

Attachments

Related Content

Recommended Content