After Microsoft Windows update MS16-101 was applied on a Windows 10 server with the RSA Authentication Agent 7.3.1 for Windows, RDP logon to a destination server fails for challenged users. The authentication activity log shows that the reason for the failure is a node secret mismatch on the local agent, not on the destination server/workstation.
When a user launches an RDP session from this RSA-protected source machine, the user sees the following screen:
If the user is RSA challenged, the following window then appears:
However, this logon always fails, even with a known good RSA username and passcode. The Security Console Authentication Activity monitor or report shows the following error:
Node secret mismatch; node secret cleared on agent but not on server.
The Source IP column in the Authentication Activity log lists the source Windows 10 machine, not the destination Windows server to which the user is creating an RDP session.
This behavior started after running Windows update MS16-101, which includes security updates for Windows authentication methods.