|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.3 
|Cause||In the December 2018 Windows 10 release, the SHA256 hash computation runs slower. This has a huge impact when the agent must look up offline day tokencodes or passcodes, which are stored not as clear-text numbers but as mathematical hashes. Using the Microsoft SHA256 hash, the agent converts any user-entered passcode to a hash and then compares it to all the hashed codes stored in the dayfiles.|
This used to take about one second, but with the December 2018 Windows 10 release that hashing time jumped to eight seconds. Multiply those eight seconds by the acceptable tokencode window, and multiply again if the user is assigned more than one token, and the result is that it often takes a very long time (that is, an elapsed time greater than 90 seconds) for the agent to perform an offline one-time passcode (OTP) authentication.
It takes so long, in fact, that LogonUI seems to have exceeded a timeout (or something similar). Thus, when the agent's CredProvider eventually returns the user credentials, the LogonUI restarts the credential collection sequence instead of submitting the credentials to Winlogon for authentication.
There is probably code in the crypto libraries that uses the optimal instructions for the CPU but falls back to the most portable algorithm if the CPU is not recognized (the CPU name is reported by wmic cpu get name).
|Resolution||To resolve this issue, download and install RSA Authentication Agent 7.4.2 for Microsoft Windows. This build implements fixes from defect AAWIN-2510 (Improvements have been made to reduce the time needed to perform offline authentication in order to avoid blocking logon or unlock).|
Documentation and release notes for the agent can be found on the RSA Authentication Agent for Microsoft Windows page.
As a workaround, the LogonUI timeout is controlled by the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.
|Notes||From the SIDAuthenticator(LogonUI).log:|
2019-03-20 00:38:51.803 nCurrentTime: 0x5c918b9b
2019-03-20 00:38:51.803 Cached challenge status for <UserID> is stale.
2019-03-20 00:38:51.803 fullGroupPath = <Dom>\<Challenge_Group>
2019-03-20 00:38:51.803 groupDomainORworkstationName = <Dom>, groupName = <Challenge_Group>
2019-03-20 00:38:51.803 m_userDomainORworkstationName = US, m_userName = <UserID>, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = false, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
2019-03-20 00:38:52.041 pNameTranslate->Init failed, possibly the Global Catalog is not available.
2019-03-20 00:38:52.041 Caught HRESULT: The specified domain either does not exist or could not be contacted.
2019-03-20 00:38:52.041 ::CheckDirectDomainMember] Failed to get user path, throw E_FAIL
2019-03-20 00:38:52.041 getChallengeType has determined that the user is challenged.
2019-03-20 00:39:36.520 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:39:37.937 ::~CommonAuthenticator] Return
2019-03-20 00:40:07.908 ::LACAuthenticator] Enter
2019-03-20 00:40:07.908 Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2
2019-03-20 00:40:07.912 The Challenge Group sAMAccountName policy is <Dom>\<Challenge_Group>
2019-03-20 00:40:08.336 getChallengeType has determined that the user is challenged.
2019-03-20 00:40:13.550 SD_Init succeeded.
2019-03-20 00:40:47.180 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:40:47.681 ::~CommonAuthenticator] Return
2019-03-20 00:41:02.552 ::LACAuthenticator] Enter
2019-03-20 00:41:03.220 getChallengeType has determined that the user is challenged.
2019-03-20 00:41:08.327 ::getSIDUsername (char version)] Return
2019-03-20 00:41:59.996 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:42:00.576 ::~CommonAuthenticator] Return
2019-03-20 00:43:05.797 ::LACAuthenticator] Enter
2019-03-20 00:43:06.243 ::GetAuthDataDir] Return
2019-03-20 00:43:16.481 ::initAceClient] SD_Init succeeded.
2019-03-20 00:43:43.817 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:43:44.604 ::~CommonAuthenticator] Return
2019-03-20 00:43:58.907 ::LACAuthenticator] Enter
5x - AceGetDAAuthData success: token serial number = 0004******36
from 2019-03-20 00:39:36.520 to 2019-03-20 00:44:58.167
2019-03-20 00:30:25.884 13296.784 [V] [WindowsAccount::WindowsAccount] Enter
2019-03-20 00:38:51.803 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:40:07.906 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:43:58.907 13296.784 [V] [AuthMechWrapper::authenticate] Enter
2019-03-20 00:44:58.172 13296.784 [V] [WindowsAccount::setDomain] Enter
2019-03-20 00:44:58.176 authenticateResult from authenticate: returnCode=0 actionCode=0
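One way to measure the delay described under Cause from an agent log, as an added example (not RSA's code): the Python below times each pass from `::LACAuthenticator] Enter` to `AceGetDAAuthData success`, using lines excerpted from the log above. The function names and the 30-second threshold are assumptions, and treating those two messages as the start and end of one offline lookup is an interpretation of the excerpt.

```python
import re
from datetime import datetime

# Lines excerpted from the SIDAuthenticator(LogonUI).log shown in the Notes.
SAMPLE_LOG = """\
2019-03-20 00:40:07.908 ::LACAuthenticator] Enter
2019-03-20 00:40:47.180 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:40:47.681 ::~CommonAuthenticator] Return
2019-03-20 00:41:02.552 ::LACAuthenticator] Enter
2019-03-20 00:41:59.996 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:42:00.576 ::~CommonAuthenticator] Return
2019-03-20 00:43:05.797 ::LACAuthenticator] Enter
2019-03-20 00:43:43.817 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:43:44.604 ::~CommonAuthenticator] Return
2019-03-20 00:43:58.907 ::LACAuthenticator] Enter
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
ENTER = "::LACAuthenticator] Enter"
SUCCESS = "AceGetDAAuthData success"

def offline_lookup_durations(text):
    """Return (enter_time, seconds) per LACAuthenticator pass.
    seconds is None when the pass has no AceGetDAAuthData success line."""
    passes, start = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # summary lines and anything without a timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if ENTER in msg:
            if start is not None:
                passes.append((start, None))  # earlier pass never finished
            start = ts
        elif SUCCESS in msg and start is not None:
            passes.append((start, round((ts - start).total_seconds(), 3)))
            start = None
    if start is not None:
        passes.append((start, None))  # log ends inside a pass
    return passes

def slow_passes(text, threshold_s=30.0):
    """Passes slower than threshold_s (assumed value) or left unfinished."""
    return [(t, d) for t, d in offline_lookup_durations(text)
            if d is None or d > threshold_s]

if __name__ == "__main__":
    for started, secs in slow_passes(SAMPLE_LOG):
        print(started, "unfinished" if secs is None else f"{secs:.3f} s")
```

Several slow passes in a row for the same token serial number match the symptom described under Cause, where LogonUI restarts credential collection instead of submitting the credentials.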