How to verify that RSA Authentication Agent for Windows can perform challenge user lookups across different Active Directory, AD Domains or Forests

Article Number

000039454

Applies To

RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x, 7.4, 7.3.x
Platform: Windows
Platform (Other): Challenge group for users across 2 Domains
O/S Version: 10
 

Issue

The RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide (auth_agent_install_admin_guide.pdf), p. 23 under Create Groups of Users to Challenge with RSA SecurID, states "Confirm that groups that you create are recognized by Active Directory, [AD] as a group and can be queried. For detailed instructions on creating groups, see your Microsoft Windows documentation."

This means that when the user challenge is based on group membership (as opposed to challenging everyone), the user lookup involves a Get-ADPrincipalGroupMembership query, which might:
  1. Simply look in all sub-domains under a single AD domain, or
  2. Need to look up a user from one AD forest in another, different AD forest, in which case there must be a trust relationship between the forests, or the lookup will fail.

This Knowledge Base (KB) article demonstrates how to use the Windows PowerShell command Get-ADUser -Identity to verify that a Windows agent can find an AD user, which it must do in order to challenge that user.

Symptoms that the AD challenge user lookup failed

Windows Agent log files:

===SIDAuthenticator(LogonUI).log===
    ADsOpenObject failed.
    [sidChallenge::checkCachedSettings] Cannot open challenge cache data key for user <UserID>
    [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = <Domain_NT4_name>\<UserID>

===SIDCredentialProvider(LogonUI).log===
    [sidChallenge::checkCachedSettings] Caught error: 0x2
    [sidChallenge::checkCachedSettings] userLocation = LOCATION_UNKNOWN
 

Task

  1. Procure a Windows platform that has PowerShell.
  2. Ensure PowerShell includes the Active Directory module.
  3. Test individual UserID lookups by SamAccountName or another identifying attribute, for example:
        Get-ADUser -Identity <UserID>

Details
  1. Procure a Windows platform that has PowerShell.
  2. Ensure PowerShell includes the Active Directory module.
    If the AD module is not installed in PowerShell, Get-ADUser fails with a CommandNotFoundException:
    Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  3. Test individual UserID lookups by SamAccountName or another identifying attribute, e.g.:
        Get-ADUser -Identity <UserID>

Resolution

Once you are satisfied that PowerShell is working and its Active Directory module is installed, the basic command to look up a UserID or SamAccountName is:

     Get-ADUser -Identity <UserID>

where <UserID> is a logon name or SamAccountName.

A successful lookup returns information about the UserID.

Note that you can optionally direct the query to a specific domain controller with the -Server parameter.

An unsuccessful lookup returns User Not found, ObjectNotFound.

If you cannot find a specific UserID or SamAccountName with Get-ADUser -Identity from the Windows agent, check the Authentication Manager Security Console to see whether this UserID exists in AM. Search across all Identity Sources if necessary.

If you have demonstrated that a UserID is visible in AM, but you have been unsuccessful in finding the same UserID with Get-ADUser -Identity, you might need to try various PowerShell Get-AD* commands in order to find an exact match on SamAccountName, to query a specific domain controller, or to list all users in a specific organizational unit (OU) of a domain:

     Get-ADUser -Filter "SamAccountName -eq '<UserID>'"
     Get-ADUser -Server "<DomainControllerName>" -Identity <UserID>
     Get-ADUser -Filter * -SearchBase 'OU=vcloud Users,DC=2k12-vcloud,DC=local'

The last command returns every vcloud user in that OU, which can be thousands of objects.

You can check a found user's group memberships with the following commands:

     Get-ADPrincipalGroupMembership <SamAccountName>
     Get-ADPrincipalGroupMembership <UserID> | select name

If you have multiple domains and forests, you might need to run Get-ADUser -Identity for several different users from different domains, forests, or Authentication Manager Identity Sources.
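The lookups above, combined into one check that a defender can run on the agent host: it lists the forest trusts the cross-forest case depends on, then resolves each user against a named domain controller and reports whether that user is in the challenge group. This is an added example, not code from the RSA article; the group name, user names and domain controller names are placeholders.

```powershell
# Added example (not from the RSA article). Verifies that each user the Windows
# agent must challenge can be resolved by Get-ADUser in its home domain and is a
# member of the challenge group. All names below are placeholders.
Import-Module ActiveDirectory

$ChallengeGroup = 'SecurID-Challenge-Users'   # placeholder: the agent's challenge group
$Checks = @(                                   # placeholder users and the DC to query
    @{ User = 'jdoe';   Server = 'dc01.corp.example.local'  },
    @{ User = 'asmith'; Server = 'dc01.partner.example.net' }
)

# A lookup into another forest only works if a trust exists; list them first.
Write-Host '== Trusts visible from this domain =='
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive | Format-Table -AutoSize

function Test-ChallengeUserLookup {
    param([string]$User, [string]$Server, [string]$Group)
    $r = [ordered]@{ User = $User; Server = $Server; Found = $false; InGroup = $false; Error = $null }
    try {
        # Same lookup the article uses, pinned to a specific domain controller.
        $adUser = Get-ADUser -Identity $User -Server $Server -ErrorAction Stop
        $r.Found = $true
        # Group membership is what decides whether the agent challenges this user.
        # For a group held in a different forest, add -ResourceContextServer <DC in that forest>.
        $groups = Get-ADPrincipalGroupMembership -Identity $adUser -Server $Server -ErrorAction Stop
        $r.InGroup = [bool]($groups | Where-Object { $_.Name -eq $Group })
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Corresponds to the "User Not found, ObjectNotFound" result described above.
        $r.Error = 'ObjectNotFound'
    }
    catch {
        # Typically an unreachable DC or a domain with no trust path from this host.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Write-Host "== Challenge lookups for group '$ChallengeGroup' =="
$Checks | ForEach-Object {
    Test-ChallengeUserLookup -User $_.User -Server $_.Server -Group $ChallengeGroup
} | Format-Table -AutoSize
```

Run it from the agent host itself, because that host's domain membership and trust path are what the agent's lookup actually uses.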

 

Notes

Ultimately you might need to bring in the directory team to gain an understanding of the entire structure in order to search across all directories. Sometimes you will find it is simply easier, and more secure, to challenge everyone and avoid the need to look up users across multiple forests.
Version history
Last update: 2021-04-24 04:28 AM
Updated by: RSA-KB-Sync Administrator