RSA Authentication Agent for Windows cannot determine challenge group if the user submits fully qualified domain name.(your domain.local).
1. Send domain name option is not selected in Agent control center..
2. User types domain name/<login name> and domain name is dropped by the Agent and authentication works as expected. Non-challenge user works as expected.
3. If the user types domain name.com/<login name> at login prompt, a non- challenge user gets challenged. RSA Agent does not drop the domain name.com as expected.
However, if the "send domain name" option is selected the domain name.com is sent intact as expected.
Example: When jsmith logs into the workstation, they enter for the username, "2k8r2-vcloud.local\jsmith", and enter the AD password.
Because the auth agent cannot determine the challenge setting for this user, it defaults to challenging the user. The end-result is the AM environment receives the authentication request from the Auth Agent, and an "authentication failed" event occurs.
*Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.163.2.187” in security domain “SystemDomain”.
Here is the log entry on Authentication Activity monitor for it:
Attempting to resolve user by userid or alias “2K8R2-VCLOUD.LOCAL\jsmith”. Request originated from agent “2k8r2-lac72-1.2k8r2-vcloud.local” with IP address “192.168.2.187” in security domain “SystemDomain”.
Here is an excerpt from the SIDAuthenticator(logonUI).log file:
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] wsGroupADsLDAPPath = LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getGroupADsLDAPPath] Return
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The group ADsPath is LDAP://CN=securid,CN=Users,DC=2k8r2-vcloud,DC=local
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Enter
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Failed to set NT4 Name = 2K8R2-VCLOUD.LOCAL\jsmith
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::getUserADsLDAPPath] Caught HRESULT: Name translation: Could not find the name or insufficient right to see name.
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] wsUserADsLDAPPath =
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::getUserADsLDAPPath] Return
2016-05-24 15:12:58.944 1188.2584 [V] [ADSIHelper::CheckDirectMember] The user ADsPath is
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Failed to get user path, throw E_FAIL
2016-05-24 15:12:58.944 1188.2584 [E] [ADSIHelper::CheckDirectMember] Caught HRESULT: (0x80004005)
This issue has been documented in defect AAWIN-2295.
This issue has been resolved in RSA Authentication Agent 7.2.1 build 122 for Windows and RSA Authentication Agent 7.3.1 build 37 for Windows. Contact RSA Technical Support to obtain most recent build of RSA Authentication Agent.
