Windows Agent failing to authenticate local Group Membership with 30 Secs timeout

Article Number

000039707

Applies To

RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x
Platform: Windows
Platform (Other): Challenge a local group of Domain Admin (AD users)
O/S Version: 10

Issue

The Windows Agent fails to authenticate members of a local user group.
  1. When connecting over RDP to a Windows machine, authentication through the Windows Agent takes more than 30 seconds and then times out.
  2. Challenge settings are configured through GPO (Challenge Users In .\Administrators).
  3. The local Administrators group contains EXAMPLE\Domain Admins, which means that the local group has an Active Directory group inside it (mapped to it).
  4. The Windows Agent logs show the following:

SIDAuthenticator(RSANotificationIcon).log

Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getGroupDnLDAPPath] Enter
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:56:17.717 6392.3976 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.717 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:56:17.733 6392.3976 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:56:17.733 6392.3976 [W] [ADSIHelper::getGroupDnLDAPPath] ERROR_DS_NAME_ERROR_NOT_FOUND: Name Translation: Could not find the name or insufficient right to see name
2021-05-18 18:56:17.733 6392.3976 [I] [ADSIHelper::getGroupDnLDAPPath] Returning:
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getGroupDnLDAPPath] Return
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUserADsLDAPPath] Enter
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:56:17.733 6392.3976 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.733 6392.3976 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::getUserADsLDAPPath] Returning: LDAP://CN=A-NMA,CN=Users,DC=korry,DC=com
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::getUserADsLDAPPath] Return
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::isUserMemberOfGroup] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::openLdapADsObject<IDirectorySearch>] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::getAdsiBindingFlags] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [RsaDesktopConfig::RsaDesktopConfig] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [RsaDesktopConfig::RsaDesktopConfig] Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::isUserMemberOfGroup] Returning: false bInGroup: false Group: User: LDAP://CN=A-NMA,CN=Users,DC=korry,DC=com
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::isUserMemberOfGroup] Return
2021-05-18 18:56:17.749 6392.3976 [W] [ADSIHelper::recursiveIsUserInGroup] isUserMemberOfGroup() call returned false, indicating an error during processing, so breaking out of loop
2021-05-18 18:56:17.749 6392.3976 [I] [ADSIHelper::recursiveIsUserInGroup] bReturning false, bUnresolvedSIDFound = false, bInGroup = false
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::CheckDomainUserInLocalGroup] Return
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::~ADSIHelper] Enter
2021-05-18 18:56:17.749 6392.3976 [V] [ADSIHelper::~ADSIHelper] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::queryAdsiForUserLocation] Returning: userLocation = LOCATION_UNKNOWN
2021-05-18 18:56:17.749 6392.3976 [V] [sidChallenge::queryAdsiForUserLocation] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroup] Returning: userLocation = LOCATION_UNKNOWN
2021-05-18 18:56:17.749 6392.3976 [V] [sidChallenge::checkUserInGroup] Return
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] Indeterminate result for challenge group: .\Users
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] The user was not found, but the search was indeterminate
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] Returning: userLocation = LOCATION_UNKNOWN

SIDAuthenticator(LogonUI).log

2021-05-18 18:40:16.174 3380.5508 [I] [ADSIHelper::recursiveIsUserInGroup] Got interface to nested domain group, calling isUserMemberOfGroup() to check the group.
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getGroupDnLDAPPath] Enter
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getUseLDAPHint] Enter
2021-05-18 18:40:16.174 3380.5508 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:40:16.174 3380.5508 [V] [ADSIHelper::getUseLDAPHint] Return
2021-05-18 18:40:16.190 3380.5508 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:40:16.190 3380.5508 [W] [ADSIHelper::getGroupDnLDAPPath] ERROR_DS_NAME_ERROR_NOT_FOUND: Name Translation: Could not find the name or insufficient right to see name
2021-05-18 18:40:16.190 3380.5508 [I] [ADSIHelper::getGroupDnLDAPPath] Returning:
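
A triage pass over the agent logs, as an added example that is not part of the original article or the RSA agent: it groups lines by pid.tid and reports the three markers visible in the excerpts above (failed NT4 name translation, the aborted nested-group check, and the indeterminate challenge-group result). The function name `triage` and the verdict labels are assumptions; the sample lines are copied from the excerpts.

```python
import re
from collections import defaultdict

# Layout seen in the excerpts: date time pid.tid [level] [Class::method] message
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} "
                     r"(\d+\.\d+) \[[A-Z]\] \[([^\]]+)\] (.*)$")
NT4_RE = re.compile(r"Failed to set NT4 Name = (.+)$")
GROUP_RE = re.compile(r"Indeterminate result for challenge group: (.+)$")

# Lines copied from the two log excerpts above (not a complete session).
SAMPLE = r"""
2021-05-18 18:56:17.717 6392.3976 [I] [ADSIHelper::getUseLDAPHint] Returning: true
2021-05-18 18:56:17.733 6392.3976 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
2021-05-18 18:56:17.749 6392.3976 [W] [ADSIHelper::recursiveIsUserInGroup] isUserMemberOfGroup() call returned false, indicating an error during processing, so breaking out of loop
2021-05-18 18:56:17.749 6392.3976 [I] [sidChallenge::checkUserInGroups] Indeterminate result for challenge group: .\Users
2021-05-18 18:40:16.190 3380.5508 [E] [ADSIHelper::getGroupDnLDAPPath] Failed to set NT4 Name = NT AUTHORITY\INTERACTIVE
""".splitlines()

def triage(lines):
    """Map pid.tid -> (verdict, challenge groups, names that failed translation)."""
    threads = defaultdict(lambda: {"unresolved": [], "aborted": False, "groups": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank, truncated or continuation line
        thread, func, msg = m.groups()
        state = threads[thread]
        nt4 = NT4_RE.search(msg)
        if nt4:
            state["unresolved"].append(nt4.group(1))
        if func.endswith("recursiveIsUserInGroup") and "call returned false" in msg:
            state["aborted"] = True
        grp = GROUP_RE.search(msg)
        if grp:
            state["groups"].append(grp.group(1))
    report = {}
    for thread, s in threads.items():
        if s["unresolved"] and s["aborted"] and s["groups"]:
            report[thread] = ("indeterminate", s["groups"], s["unresolved"])
        elif s["unresolved"] or s["aborted"]:
            report[thread] = ("partial", s["groups"], s["unresolved"])  # excerpt cut short
    return report

if __name__ == "__main__":
    for thread, result in triage(SAMPLE).items():
        print(thread, result)
```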


 

Cause

The Windows Agent cannot locate the user, or even the membership group, which is an AD group that belongs to the EXAMPLE\Domain Admins group.
The challenge settings are configured to challenge local group users only, even though the EXAMPLE\Domain Admins group has been added to the local group on the machine.

Resolution

  • Challenge either a local group of users (it has to be a user group that was added locally only) or an AD user group.
    • That is, either .\<Local group> or <Domain>\<Domain Group>.
  • Adding an AD user group to the local group on the Windows machine through Computer Management > Local Users and Groups forces authentication to fail after the Agent enters an endless loop trying to find the user.

 

Notes

Because the Windows Agent uses ADSI to access directory service features, such as determining group membership in AD, Distinguished Names must not contain certain special characters; otherwise the Agent enters the same loop and fails at the end. These characters are:

  • Comma: ,
  • Backslash and forward slash: \ /
  • Pound sign (hash sign): #
  • Plus sign: +
  • Less than symbol: <
  • Greater than symbol: >
  • Semicolon: ;
  • Double quote (quotation mark): "
  • Equal sign: =
  • Leading or trailing spaces

Hint:
ADSI is an acronym for Active Directory Service Interface, a library of routines that provides an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).
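
A pre-deployment check for the characters listed in the Notes, as an added example that is not part of the original article or any RSA tool: it splits a Distinguished Name into its components, undoes backslash escaping (RFC 4514 style, assumed here), and reports any component whose value contains a listed character. The function names are hypothetical, and multi-valued components joined with an unescaped plus sign are simply flagged rather than split.

```python
import re

# Characters the Notes list as problematic in Distinguished Names.
SPECIAL = {",": "comma", "\\": "backslash", "/": "forward slash",
           "#": "pound sign", "+": "plus sign", "<": "less than",
           ">": "greater than", ";": "semicolon", '"': "double quote",
           "=": "equal sign"}

def split_unescaped(text, sep):
    """Split on sep, skipping occurrences that are backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Single pass: backslash + two hex digits, or backslash + any one character."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def risky_components(dn):
    """Return (attribute, value, [problems]) for each component with a listed character."""
    findings = []
    for rdn in split_unescaped(dn, ","):
        attr, _, raw = rdn.partition("=")  # attribute types never contain '='
        value = unescape(raw)
        problems = sorted({SPECIAL[c] for c in value if c in SPECIAL})
        if value != value.strip(" "):
            problems.append("leading or trailing space")
        if problems:
            findings.append((attr.strip(), value, problems))
    return findings
```

Run it against the DNs of the users and groups referenced by the challenge settings; the DN from the log above, `CN=A-NMA,CN=Users,DC=korry,DC=com`, returns no findings.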
Version history
Last update: 2021-06-01 11:40 AM
Updated by: Administrator RSA-KB-Sync

© 2022 RSA Security LLC or its affiliates. All rights reserved.