000037484 - Offline logon failure then loop back to login screen RSA Authentication Agent 7.3.3 [99] for Windows

Document created by RSA Customer Support Employee on Jul 26, 2019

Article Content

Article Number: 000037484
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.3 [99]
  • Offline authentications on RSA Authentication Agent for Windows 7.3.3 [99] fail with no message; the logon just loops back to the Credential Provider logon screen several times before finally working.
  • Slowness in reading or decrypting the offline day files
Cause: In the December 2018 Windows 10 release, SHA256 hash computation runs slower, which has a large impact when the agent must look up offline day tokencodes or passcodes, because these are not stored as clear-text numbers but as hashes. Using the Microsoft SHA256 implementation, the agent converts any user-entered passcode to a hash and then compares it to all hashed codes stored in the day files.

This used to take about one second, but with the December 2018 Windows 10 release the hashing time jumped to eight seconds. Multiply those eight seconds by the acceptable tokencode window, and multiply again if the user is assigned more than one token, and the result is that it often takes a very long time (that is, an elapsed time greater than 90 seconds) for the agent to perform an offline one-time passcode (OTP) authentication.

It takes so long, in fact, that LogonUI appears to exceed a timeout (or something similar). Thus, when the agent's credential provider eventually returns the user credentials, LogonUI restarts the credential collection sequence instead of submitting the credentials to Winlogon for authentication.

There is probably code in the crypto libraries that uses the optimal instructions for the detected CPU but falls back to the most portable algorithm if the CPU is not recognized (check the CPU model with wmic cpu get name).

Log analysis

  1. The user submits credentials at UTC 00:38:51:

2019-03-20 00:38:51.773 13296.784 [V] [Credential::GetSerialization -- MAIN] Enter

  2. We take ~45 seconds to return credentials to LogonUI.

2019-03-20 00:39:36.527 13296.784 [I] [Credential::GetSerialization_OriginalDesign] authenticateResult from authenticate: returnCode=0 actionCode=0 
2019-03-20 00:39:37.874 13296.784 [V] [Credential::GetSerialization -- MAIN] Return

  3. LogonUI starts to unwind the authentication attempt without attempting authentication with the credentials that we have returned.

2019-03-20 00:39:37.874 13296.784 [V] [Credential::UnAdvise] Enter

  4. If credentials had been submitted, the next call in the SIDCredProvider log would have been:

[Credential::ReportResult] Enter
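As an added example (not part of this article or of the agent's code), the following Python script applies the log analysis above to SIDCredProvider log lines: it measures the elapsed time between GetSerialization Enter and Return and records whether LogonUI went on to ReportResult (credentials submitted) or to UnAdvise (attempt unwound). The sample lines are constructed from the excerpts above, and the 30-second "slow" threshold is an assumed heuristic.

```python
import re
from datetime import datetime

# Constructed SIDCredProvider-style log lines, modelled on the excerpts in this article:
# a slow attempt that LogonUI unwinds, then a fast attempt that it submits.
SAMPLE_LOG = """\
2019-03-20 00:38:51.773 13296.784 [V] [Credential::GetSerialization -- MAIN] Enter
2019-03-20 00:39:36.527 13296.784 [I] [Credential::GetSerialization_OriginalDesign] authenticateResult from authenticate: returnCode=0 actionCode=0
2019-03-20 00:39:37.874 13296.784 [V] [Credential::GetSerialization -- MAIN] Return
2019-03-20 00:39:37.874 13296.784 [V] [Credential::UnAdvise] Enter
2019-03-20 00:45:00.100 13296.784 [V] [Credential::GetSerialization -- MAIN] Enter
2019-03-20 00:45:01.200 13296.784 [V] [Credential::GetSerialization -- MAIN] Return
2019-03-20 00:45:01.250 13296.784 [V] [Credential::ReportResult] Enter
"""

# timestamp, thread id, level, [Class::Method], then the Enter/Return marker
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\w\] \[(Credential::[^\]]+)\] (Enter|Return)"
)

def parse(text):
    """Yield (timestamp, method, phase) for every Enter/Return trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)

def analyze(text, slow_threshold_s=30.0):
    """One record per GetSerialization attempt: how long the agent kept LogonUI
    waiting, and whether LogonUI then submitted the credentials (ReportResult)
    or unwound the attempt (UnAdvise). slow_threshold_s is an assumed heuristic."""
    attempts, start = [], None
    for ts, method, phase in parse(text):
        if method == "Credential::GetSerialization -- MAIN":
            if phase == "Enter":
                start = ts
            elif phase == "Return" and start is not None:
                attempts.append({"start": start, "seconds": (ts - start).total_seconds(),
                                 "outcome": "pending"})
                start = None
        elif attempts and attempts[-1]["outcome"] == "pending":
            if method == "Credential::ReportResult":
                attempts[-1]["outcome"] = "submitted"
            elif method == "Credential::UnAdvise":
                attempts[-1]["outcome"] = "unwound"
    for a in attempts:
        a["slow"] = a["seconds"] > slow_threshold_s
    return attempts
```

For the sample above, analyze(SAMPLE_LOG) returns two records: the first took about 46 seconds and was unwound, the second about one second and was submitted.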
Resolution: To resolve this issue, download and install RSA Authentication Agent 7.4.2 [122] for Microsoft Windows. This build implements fixes from defect AAWIN-2510 (improvements have been made to reduce the time needed to perform offline authentication, in order to avoid blocking logon or unlock).

Documentation and release notes for the agent can be found on the RSA Authentication Agent for Microsoft Windows page.

As a workaround, the LogonUI timeout is controlled under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.

Add a DWORD value named IdleTimeOut and set it to 120000 (milliseconds), equal to two minutes.

Notes: From the SIDAuthenticator(LogonUI).log:
2019-03-20 00:38:51.803 nCurrentTime: 0x5c918b9b 
2019-03-20 00:38:51.803 Cached challenge status for <UserID> is stale. 

2019-03-20 00:38:51.803 fullGroupPath = <Dom>\<Challenge_Group> 
2019-03-20 00:38:51.803 groupDomainORworkstationName = <Dom>, groupName = <Challenge_Group> 
2019-03-20 00:38:51.803 m_userDomainORworkstationName = US, m_userName = <UserID>, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = false, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false 

2019-03-20 00:38:52.041 pNameTranslate->Init failed, possibly the Global Catalog is not available. 
2019-03-20 00:38:52.041 Caught HRESULT: The specified domain either does not exist or could not be contacted. 

2019-03-20 00:38:52.041 ::CheckDirectDomainMember] Failed to get user path, throw E_FAIL 
2019-03-20 00:38:52.041 getChallengeType has determined that the user is challenged. 
2019-03-20 00:39:36.520 AceGetDAAuthData success: token serial number = 0004******36 

2019-03-20 00:39:37.937 ::~CommonAuthenticator] Return 
2019-03-20 00:40:07.908 ::LACAuthenticator] Enter 
2019-03-20 00:40:07.908 Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2 
2019-03-20 00:40:07.912 The Challenge Group sAMAccountName policy is <Dom>\<Challenge_Group> 
2019-03-20 00:40:08.336 getChallengeType has determined that the user is challenged. 

2019-03-20 00:40:13.550 SD_Init succeeded. 
2019-03-20 00:40:47.180 AceGetDAAuthData success: token serial number = 0004******36 
2019-03-20 00:40:47.681 ::~CommonAuthenticator] Return 
2019-03-20 00:41:02.552 ::LACAuthenticator] Enter 
2019-03-20 00:41:03.220 getChallengeType has determined that the user is challenged. 
2019-03-20 00:41:08.327 ::getSIDUsername (char version)] Return 
2019-03-20 00:41:59.996 AceGetDAAuthData success: token serial number = 0004******36 
2019-03-20 00:42:00.576 ::~CommonAuthenticator] Return 
2019-03-20 00:43:05.797 ::LACAuthenticator] Enter 
2019-03-20 00:43:06.243 ::GetAuthDataDir] Return 
2019-03-20 00:43:16.481 ::initAceClient] SD_Init succeeded. 
2019-03-20 00:43:43.817 AceGetDAAuthData success: token serial number = 0004******36 
2019-03-20 00:43:44.604 ::~CommonAuthenticator] Return 
2019-03-20 00:43:58.907 ::LACAuthenticator] Enter 

5x - AceGetDAAuthData success: token serial number = 0004******36 
from 2019-03-20 00:39:36.520 to 2019-03-20 00:44:58.167 

2019-03-20 00:30:25.884 13296.784 [V] [WindowsAccount::WindowsAccount] Enter 
2019-03-20 00:38:51.803 ::startInputCapture] Hidden dialog created, showing wait cursor. 
2019-03-20 00:40:07.906 ::startInputCapture] Hidden dialog created, showing wait cursor. 
2019-03-20 00:41:02.551 
2019-03-20 00:43:05.794 
2019-03-20 00:43:58.906 
2019-03-20 00:43:58.907 13296.784 [V] [AuthMechWrapper::authenticate] Enter 
2019-03-20 00:44:58.172 13296.784 [V] [WindowsAccount::setDomain] Enter 
2019-03-20 00:44:58.176 authenticateResult from authenticate: returnCode=0 actionCode=0