Tuesday, July 16, 2013

Unable To Logon Using An Unchallenged Account After RSA Agent Upgraded

We upgraded the RSA agent on some of our Windows 2003 servers from version 6.1.3 to version 7.1.2. After the upgrade we could no longer log on to those servers with an unchallenged account (i.e. an account that is not a member of the domain group whose members are challenged for an RSA passcode). On the servers still running the 6.1.3 agent, the same unchallenged account logs on without any issue.

The following message appears:
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

After some troubleshooting, we found that the logon failure was caused by an AD name translation failure for the challenged group KANDTI\RSAUsers.
The steps below were carried out to ensure that the challenged group has the same sAMAccountName and Common Name (CN):

1. Log on to a domain controller and click Start > Administrative Tools > Active Directory Users and Computers.
2. On the View menu, select Advanced Features.
3. Search for the group KANDTI\RSAUsers, right-click the group and open the Properties dialog.
4. Click on the Object tab and note down the Canonical name of object (i.e. kandti.com/Users/RSAUsers).
5. Click OK and exit from Active Directory Users and Computers.
6. Click Start > Run, type adsiedit.msc and click OK.
7. Under ADSI Edit, expand DC=kandti,DC=com.
8. Select CN=Users and look for CN=RSAUsers.
9. Right-click CN=RSAUsers and open the Properties dialog.
10. Click on the Attribute Editor tab and scroll down the attribute list to find the sAMAccountName attribute.
11. Make sure the Value for sAMAccountName is the same as the CN (i.e. both sAMAccountName and CN should be RSAUsers).
We are able to logon successfully after making the necessary change to sAMAccountName.
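The manual check in steps 1 to 11 can be scripted so it can be repeated for every challenged group before an agent upgrade. The script below is an added example and is not from the original post or from RSA; it assumes the ActiveDirectory PowerShell module (from RSAT) is available on the machine it runs from and that the caller can read the group object. The domain and group names are the ones from the post. It first resolves the DOMAIN\group NT name to a SID through the LSA, which is the same kind of name translation the agent relies on, then fetches the object by SID and compares its CN with its sAMAccountName.

```powershell
# Added example (not from the original post): check that a challenged group's
# sAMAccountName matches its CN, which is what steps 1-11 above verify by hand.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read
# the group. Domain and group names are taken from the post.
Import-Module ActiveDirectory

$domainNetbios = 'KANDTI'
$groupName     = 'RSAUsers'

# Resolve DOMAIN\group to a SID via the LSA. A failure here reproduces the
# name-translation problem the agent hit, so stop and report it.
$nt = New-Object System.Security.Principal.NTAccount($domainNetbios, $groupName)
try {
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Warning "Cannot translate $domainNetbios\$groupName to a SID: $_"
    exit 1
}

# Fetch the object by SID so we see exactly what the translation landed on,
# then read the attributes that steps 4 and 10-11 inspect in the GUI.
$group = Get-ADGroup -Identity $sid.Value -Properties cn, sAMAccountName, canonicalName

$report = [pscustomobject]@{
    CanonicalName  = $group.canonicalName   # e.g. kandti.com/Users/RSAUsers
    CN             = $group.cn
    sAMAccountName = $group.sAMAccountName
    Match          = ($group.cn -eq $group.sAMAccountName)
}
$report | Format-List

if (-not $report.Match) {
    # Report only; the fix (step 11) is a deliberate, reviewed change.
    Write-Warning ("Mismatch: CN '{0}' vs sAMAccountName '{1}'. To align them run: " +
        "Set-ADGroup -Identity '{2}' -SamAccountName '{0}'") -f
        $group.cn, $group.sAMAccountName, $group.DistinguishedName
    exit 2
}
```

The script only reports; the Set-ADGroup command it prints is the scripted equivalent of editing sAMAccountName in ADSI Edit, and renaming a group's sAMAccountName can affect anything else that refers to the group by DOMAIN\name, so make the change the same way the post did, as a reviewed one-off rather than automatically.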
