Currently I'm having issue configuring 2FA:
2) RSA SecurID token
I'm able to login if I make user to key in their username twice. But if I configure the Username2 as predefined variable <USER>, the 2nd authentication will fail.
#FAIL (Username2 predefined)
RSA logs show single authentication the username input is "yonathan", while 2FA setup the username input is "DOMAIN\yonathan". How can I remove the "DOMAIN" input from 2FA predefined username? I've tried enabled and disabled the AD server option "Allow domain to be specified as part of username" result is the same.
The error log from MAG:
- Primary authentication successful for yonathan/AD1 from 10.x.x.x
- LDAP : Could not bind to LDAP server code=49 'Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772'
- Password realm restrictions successfully passed for DOMAIN\yonathan/Corporate
- Secondary authentication failed for DOMAIN\yonathan/RSA1 from 10.x.x.x
- Login failed using auth server RSA1 (Radius Server). Reason: Failed
The error log from RSA:
Sample RSA fail log (MAG 2FA realm)
- Activity Key: Resolve principal by userid/alias
- Description: Attempting to resolve user by userid or alias DOMAIN\yonathanÓ. Request originated from agent agent1Ó with IP address 10.x.x.xÓ in security domain SystemDomainÓ
- Action Result Key: Failure
- Result Key: AUTH_RESOLUTION_FAILED_BY_ID_ALIAS
- Result: Unable to resolve user by login ID and/or alias, or authenticator not assigned to user
Sample RSA success log (MAG single authentication realm/manual specified username)
- Activity Key: Principal authentication
- Description: User yonathanÓ attempted to authenticate using authenticator SecurID_NativeÓ. The user belongs to security domain SystemDomainÓ
- Action Result Key: Success
- Result Key: AUTHN_METHOD_SUCCESS
- Result: Authentication method success
Change the variable to <USERNAME> It won't include the domain.