Article Number
000031680
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.4.1X, 10.5.0.X
Platform: CentOS
Issue
When using AD external authentication with "userPrincipalName" as the user login attribute, Security Analytics fails to authenticate the user if the UPN username exceeds 20 characters.
To reproduce this issue, create an AD user with a username longer than 20 characters. An example is the UPN myBigLongUserNameIsVeryLong@mydomain.com: the username is myBigLongUserNameIsVeryLong, the UPN domain suffix is mydomain.com, and the @ is the delimiter. Although the username entered is correct, SA cannot resolve the name when it is longer than 20 characters, and the authentication fails. Note that the AD schema restricts samAccountName to 20 characters by default, but the username portion of the UPN in AD has no such restriction. The internal database for SA also imposes no restriction.
Cause
This has been determined to be flawed functionality in versions 10.X through 10.5.0.X.
Resolution
This issue is fixed in 10.5sp1, which may be downloaded from https://knowledge.rsasecurity.com.
Workaround
If you are unable to upgrade, create an internal user for each failing account, or use samAccountName instead of UPN as the login attribute.
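To find which accounts need the workaround, the added example below (not RSA code) scans an LDIF export of AD user objects and lists every UPN whose username portion is longer than 20 characters, along with the samAccountName that could be used instead. It assumes the export contains the userPrincipalName and sAMAccountName attributes; the function names are hypothetical and the sample records are constructed.

```python
import base64

LIMIT = 20  # threshold from this article: longer UPN usernames fail to authenticate

def parse_ldif(text):
    """Yield one dict per LDIF record (handles folded lines and base64 values)."""
    # LDIF folds long lines; a continuation line starts with a single space.
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()
    record = {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield record
            record = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[name.lower()] = value.strip()

def affected_accounts(ldif_text, limit=LIMIT):
    """Return (upn, username_length, samAccountName) for UPNs over the limit."""
    hits = []
    for rec in parse_ldif(ldif_text):
        upn = rec.get("userprincipalname", "")
        username, at, _suffix = upn.rpartition("@")  # assumption: split at last '@'
        if at and len(username) > limit:
            hits.append((upn, len(username), rec.get("samaccountname", "")))
    return hits

# Constructed sample export (not real accounts)
SAMPLE_LDIF = """\
dn: CN=Big User,CN=Users,DC=mydomain,DC=com
sAMAccountName: myBigLongUserNameIsV
userPrincipalName: myBigLongUserNameIsVeryLong@mydomain.com

dn: CN=Edge Case,CN=Users,DC=mydomain,DC=com
sAMAccountName: exactlytwentychars12
userPrincipalName: exactlytwentychars12@mydomain.com

dn: CN=Reporting Service,CN=Users,DC=mydomain,DC=com
sAMAccountName: svc-sa-reporting
userPrincipalName: svc-security-analytics-rep
 orting@mydomain.com
"""

if __name__ == "__main__":
    for upn, length, sam in affected_accounts(SAMPLE_LDIF):
        print(f"{upn}: username is {length} chars; samAccountName is {sam}")
```

A username of exactly 20 characters is not reported, matching the article's "exceeds 20 characters" condition.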