RSA Authentication Agent for Microsoft Windows: Domain users are not challenged when "Domain Users" group is nested in local "Users" group
Originally Published: 2018-07-05
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.1.41 or later, 7.3, 7.3.1, 7.3.2, 7.3.3
Issue
2018-06-28 10:40:23.796 The Challenge Group sAMAccountName policy is .\Users
2018-06-28 10:40:23.796 There is no Enable Challenge policy or preference configured. DoNotEnableChallenge is being used as the programmatic default.
2018-06-28 10:40:23.796 Preference value for "FailOpen" doesn't exist.
2018-06-28 10:40:23.796 There is no Fail Open policy or preference configured. DoNotLocallyCacheUserChallengeType is being used as the programmatic default.
2018-06-28 10:40:23.796 groupDomainORworkstationName = workstation1, groupName = Users
2018-06-28 10:40:23.796 userDomainORworkstationName = domainA, userName = user123, fullGroupName = .\Users
2018-06-28 10:40:26.063 wsUserADsNTPath = WinNT://domainA/user123
2018-06-28 10:40:26.063 Recursively check group name: WinNT://workstation1/Users
2018-06-28 10:40:26.063 CheckDomainUserInLocalGroup] for user: WinNT://domainA/user123
2018-06-28 10:40:26.063 [ADSIHelper::StringSID] Domain name: domainA
2018-06-28 10:40:26.063 The user's compared String SID is WinNT://S-1-5-21-1687131260-2929665233-840903075-2196
2018-06-28 10:40:26.063 Fetched 0x4 group members, now looping through them.
2018-06-28 10:40:26.063 Nested group found: WinNT://NT AUTHORITY/INTERACTIVE
2018-06-28 10:40:26.063 wsGroupNTPath = WinNT://NT AUTHORITY/INTERACTIVE, gpDomainORworkstationName = , gpName =
2018-06-28 10:40:26.063 [ADSIHelper::ParseGroupName] fullGroupPath = NT AUTHORITY/INTERACTIVE
2018-06-28 10:40:26.063 groupDomainORworkstationName = NT AUTHORITY, groupName = INTERACTIVE
2018-06-28 10:40:26.063 The group is assumed to be a domain group
2018-06-28 10:40:26.063 Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2018-06-28 10:40:26.220 Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2018-06-28 10:40:26.220 Caught HRESULT:Cause
Resolution
Call RSA Technical Support to obtain this hotfix.
Workaround
Challenge: All users except
Group: .\Administrators
Related Articles
Check Point FireWall-1: How to challenge all HTTP access attempts without adding users and groups Number of Views Selective authentication with RSA Authentication Agent 8.0 for Web for IIS where challenge groups are not working Number of Views When user accesses URI the user is not challenged for authentication but the resource is protected in the Entitlements Man… Number of Views RSA PAM Authentication Agent cannot challenge users in Active Directory groups Number of Views How to selectively challenge users and applications with RSA AD FS agent 1.x Number of Views
Trending Articles
RSA Release Notes for RSA Authentication Manager 8.8 RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to recover the Application and AFX after an unexpected database failure in RSA Identity Governance & Lifecycle RSA Release Notes: Cloud Access Service and RSA Authenticators RSA SecurID Software Token 5.0.2 for Windows Desktop displays message after reboot due to roaming profile: No token stor…
Don't see what you're looking for?
