000037935 - RSA Authentication Manager 8.4 responds to authentication requests coming from RSA Authentication Agent 2.0 for Active Directory Federation Services (AD FS) with a delay of 20 seconds

Document created by RSA Customer Support Employee on Sep 18, 2019
Version 1

Article Content

Article Number: 000037935
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 2.0
Issue: Users are in Active Directory and authenticate from a machine where the RSA Authentication Agent 2.0 for Active Directory Federation Services (AD FS) is installed and enabled with two-factor authentication. The end user experiences a 20-second delay in authentication from the AD FS agent. Authentication from all other agent hosts appears to be normal.
Cause: The delay is caused by a DNS lookup that Authentication Manager performs on the hostname of the AD FS agent. In theory, since the AD FS agent uses the REST API, any logical name can be used to define the agent in Authentication Manager. Authentication Manager is not expected to perform a DNS lookup on agents that use the REST API, hence the delay.
Resolution: This issue has been reported as defect AM-35049 and it is resolved in RSA Authentication Manager 8.4 patch 7.
  • Define the agent within the Security Console with a fully qualified host name (Access > Authentication Agent > Manage Existing or Add New).
  • On that page, make sure that the agent is resolvable by clicking Resolve IP or Resolve Hostname.
  • Verify that DNS resolves the hostname by running nslookup <hostname> from the command line.
  • Confirm that the agent name matches the actual name of the machine on which the RSA Authentication Agent 2.0 for Active Directory Federation Services (AD FS) is installed.
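
The checks in the list above can be scripted; the following is an added example, not RSA code. It tests whether the agent name entered in the Security Console is fully qualified, matches the machine's actual name, resolves, and resolves quickly. The function name, the finding labels and the 2-second threshold are assumptions, and the lookup is timed from the machine the script runs on, so run it on a host that uses the same DNS servers as Authentication Manager.

```python
import socket
import sys
import time

# Assumed threshold: the page reports a 20 s symptom, so a single lookup
# that takes more than a couple of seconds is worth flagging.
SLOW_LOOKUP_SECONDS = 2.0


def check_agent_name(agent_name, actual_fqdn,
                     resolve=socket.gethostbyname, clock=time.monotonic):
    """Check the agent name as entered in the Security Console.

    resolve and clock are injectable so the check can be exercised offline.
    """
    findings = []
    if "." not in agent_name.strip("."):
        findings.append("not-fqdn")          # short or logical name
    if agent_name.rstrip(".").lower() != actual_fqdn.rstrip(".").lower():
        findings.append("name-mismatch")     # differs from the machine name
    start = clock()
    try:
        address = resolve(agent_name)        # forward lookup, system resolver
    except OSError:                          # socket.gaierror is an OSError
        address = None
        findings.append("unresolvable")
    elapsed = clock() - start
    if elapsed >= SLOW_LOOKUP_SECONDS:
        findings.append("slow-lookup")
    return {"address": address, "seconds": elapsed, "findings": findings}


if __name__ == "__main__":
    # Usage: python check_agent.py <agent name in Security Console> [actual FQDN]
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    actual = sys.argv[2] if len(sys.argv) > 2 else socket.getfqdn()
    result = check_agent_name(name, actual)
    print(f"{name}: {result['address']} in {result['seconds']:.2f}s")
    for finding in result["findings"] or ["ok"]:
        print(" -", finding)
```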