Issues when users authenticate to access Active Directory remotely

I have installed PrivacyIDEA on Active Directory to enable 2FA authentication when users access Active Directory remotely. The setup works when testing using domain credentials (Mr.A\domain) on Windows client machines, but I am encountering issues when users authenticate to access Active Directory remotely.

Issue:

  • Users Mr.A\domain and Mr.B\domain have valid tokens assigned in PrivacyIDEA, and it works fine on their local Windows machines.
  • However, when they attempt to remotely access Active Directory (where PrivacyIDEA is installed to enforce 2FA), they receive an error stating:

“The user is not assigned tokens.”

  • The problem persists even though both users are already in the Administrators group in AD.

What I Have Observed:

I tried accessing a Windows client machine remotely with different users. Some users encountered the same error, while others, who were only in the Users group, were able to log in successfully. After adding the affected users to both the Users and Administrators groups on the machine, the issue was resolved. However, I am not sure how to fix the issue when accessing Active Directory itself using remote access.

Question:

What could be causing PrivacyIDEA 2FA authentication to fail for Active Directory users when accessing AD remotely? Why does adding users to both Users and Administrators groups resolve the issue on the client machine, and how can I properly configure this in AD? Are there any additional Group Policy settings, LDAP configurations, or AD permissions that I should check?

Any insights would be greatly appreciated! Thanks.

Please check the audit log for the corresponding /validate/check entry and check the user and realm entries.
privacyIDEA splits the username and the domain and tries to match the domain to a configured realm.
The assignment of a token to a user is based on the user id, the realm and the resolver. If they don’t match, the token cannot be found.
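To make the reply above concrete, here is an added illustrative model (not privacyIDEA's own code) of how a login name is split into user and realm and how the token lookup then depends on the (user id, realm, resolver) triple; the realm names, resolver name and token serials are constructed for the example, and the splitting rules are a simplified assumption about the behaviour described above.

```python
# Illustrative model (not privacyIDEA's own code) of login-name splitting and
# token lookup keyed by (user id, realm, resolver), as described in the reply.
from typing import Optional

# Constructed configuration: realms defined on the server and their resolver.
REALMS = {"corp": "ad-resolver"}   # realm name -> resolver name (constructed)
DEFAULT_REALM = "corp"

# Constructed token store: (user id, realm, resolver) -> token serial.
TOKENS = {
    ("Mr.A", "corp", "ad-resolver"): "TOTP0001",
    ("Mr.B", "corp", "ad-resolver"): "TOTP0002",
}


def split_user(login: str) -> tuple:
    """Split 'user@realm' or 'REALM\\user' into (user, realm).

    An '@' suffix only counts as a realm if that realm is defined; otherwise
    the whole string stays the user name and the realm is left empty so the
    default realm applies later. A backslash form is read as REALM\\user.
    """
    name = login.strip()
    if "@" in name:
        user, candidate = name.rsplit("@", 1)
        if candidate.lower() in REALMS:
            return user, candidate.lower()
        return name, ""
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return user, realm.lower()
    return name, ""


def find_token(login: str) -> Optional[str]:
    """Return the token serial for a login, or None ('user has no tokens')."""
    user, realm = split_user(login)
    realm = realm or DEFAULT_REALM
    resolver = REALMS.get(realm)    # undefined realm -> no resolver -> no token
    if resolver is None:
        return None
    return TOKENS.get((user, realm, resolver))


if __name__ == "__main__":
    # Same person, different spellings of the login name: only the forms that
    # resolve to the defined realm and resolver find the assigned token.
    for login in ("CORP\\Mr.A", "Mr.A@corp", "Mr.A", "Mr.A\\corp", "OTHER\\Mr.B"):
        print(f"{login:12} -> {split_user(login)} -> token {find_token(login)}")
```

Compare the user and realm printed for each form with the user and realm columns of the /validate/check audit entry: a login that lands in an undefined realm or on the wrong side of the separator is what produces the "not assigned tokens" result.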