Error message "Can not convert logon name: lab\\tstuser1 to UPN error: 0" during IWA authentication in RSA  Access Manager
3 years ago
Originally Published: 2007-07-12
Article Number
000059643
Applies To
RSA Product Set: Access Manager 
RSA Product/Service Type: ​Web Agent IIS 4.7 
Platform: Microsoft Internet Information Services (IIS) 6.0, 5.0

 
Issue
Error during IWA authentication: 
<Error>:Can not convert logon name: lab\\tstuser1 to UPN, error: 0
<Error>:Can not convert logon name: lab\\tstuser1 to UPN, error: 0
<Debug>:Constructed upn: (null)
<Warning>:Failed to obtain upn
Cause
The problem may be insufficient privileges in Active Directory to retrieve the UPN of the user.
Resolution
Verify that there is a 2 way trust between the domain the user is in and the domain the webserver is in. For this step the user domain must trust the webserver domain.

An alternative solution would be to perform the IWA authentication on an IIS webserver that is in the same domain as the user. This would be done by specifying a full url (hostname included) for the IWA authentication form in the webagent.conf. The server that does IWA authentication must also have the Access Manager agent installed.

If you have verified the 2 way trust and still have the problem, it could be the account that the application pool in IIS6 is running as does not have sufficient privileges to look up the upn of the user in the other domain. Try running the application pool as a privileged user such as an administrator account to see if this is the case. Then either modify the original account or create a new account to run the application pool as.

IIS5 has a requirement that the iisinfo process run as LocalSystem. If this account is unable to perform the upn check then it is a limitation of the webserver version. To get past this issue, point the url for IWA authentication to an IIS6 webserver.
Notes
Access Manager/ClearTrust needs to determine the user identity after the IWA authentication has been performed in IIS. To insure uniqueness, the userid is converted to a UPN format by obtaining the UPN from the Active Directory domain where the user exists, and then looking up the user in the Access Manager datastore by the UPN.
Don't see what you're looking for?