RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Windows
O/S Version: Server 2012 R2
RSA Authentication Agent for Windows cannot determine challenge group if the user submits fully qualified domain name.(your domain.local).
1. Send domain name option is not selected in Agent control center..
2. User types domain name/<login name> and domain name is dropped by the Agent and authentication works as expected. Non-challenge user works as expected.
3. If the user types domain name.com/<login name> at login prompt, a non- challenge user gets challenged. RSA Agent does not drop the domain name.com as expected.
However, if the "send domain name" option is selected the domain name.com is sent intact as expected.
Example: When jsmith logs into the workstation, they enter for the username, "2k8r2-vcloud.local\jsmith", and enter the AD password.
Because the auth agent cannot determine the challenge setting for this user, it defaults to challenging the user. The end-result is the AM environment receives the authentication request from the Auth Agent, and an "authentication failed" event occurs.
*Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.163.2.187” in security domain “SystemDomain”.
Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.168.2.187” in security domain “SystemDomain”.
Here is an excerpt from the SIDAuthenticator(logonUI).log file:
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] wsGroupADsLDAPPath = LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] Return 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The group ADsPath is LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter 2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\jsmith 2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name. 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] wsUserADsLDAPPath = 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Return 2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The user ADsPath is 2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Failed to get user path, throw E_FAIL 2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Caught HRESULT: (0x80004005)
Related Articles
Send both user name and domain name to the server during an RSA Authentication Agent for Windows authentication request Number of Views RSA Authentication Agent for Microsoft Windows: Domain users are not challenged when "Domain Users" group is nested in loc… Number of Views How to authenticate to an RSA Authentication Agent for Windows as user@domain.com with NTLM to UPN name mapping Number of Views Users cannot authenticate with login name in domain\sAMAccountName format using MFA Agent 2.0.1 Number of Views How to verify that RSA Authentication Agent for Windows can perform challenge user lookups across different Active Directo… Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU RSA SecurID Software Token 5.0.2 for Windows Desktop displays message after reboot due to roaming profile: No token stor…
