000038325 - Disable multi-factor authentication (MFA) prompt for Run as on machine on which the RSA MFA Agent for Microsoft Windows is installed

Document created by RSA Customer Support Employee on Jan 14, 2020
Version 1

Article Content

Article Number: 000038325
Applies To:
RSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent for Microsoft Windows
Issue: When launching an application using the Windows Run as option on a Windows machine protected by the RSA MFA Agent for Microsoft Windows, the user is prompted again for their Windows credentials and for additional multi-factor authentication (MFA).

To disable this extra authentication step for a Run as scenario, perform the steps outlined below.
Resolution: First, enable the Specify Remote Desktop Applications that Do Not Require RSA SecurID group policy object (GPO) setting and add "C:\Windows\explorer.exe" to the Fully-Qualified Application Path(s) within the setting as follows:
 

The steps for accessing the GPO setting differ depending on whether GPO settings are managed by a domain controller. See the information below:



To access the GPO template on a Domain Controller:



  1. Click Start > Administrative Tools > Group Policy Management.

    • If necessary, double-click the domain name in the left-hand frame to expand it.
    • If necessary, double-click Group Policy Objects to expand it.
  2. Right-click the policy with the template you need to edit (for example, Default Domain Policy) and click Edit.
  3. Double-click Policies from Computer Configuration.
  4. Double-click Administrative Templates: Policy definitions (ADMX files).
  5. Double-click RSA Desktop.
  6. Click on Local Authentication Settings.
  7. Follow instructions below to complete the task.


To access the GPO template directly on the MFA Agent machine:



  1. Click Start > Run > gpedit.msc.
  2. Double-click Administrative Templates.
  3. Double-click RSA Desktop.
  4. Click on Local Authentication Settings.
  5. Follow instructions below to complete the task.


For either option,



  1. Once inside Local Authentication Settings, double-click Specify Remote Desktop Applications that Do Not Require RSA SecurID.
  2. Enable the setting and then add C:\Windows\explorer.exe to the list of Fully-Qualified Application Path(s) within the setting.

Notes: When this policy setting is Disabled or Not Configured, the RSA MFA Agent for Microsoft Windows automatically excludes Microsoft Remote Desktop Connection initiation from additional prompting for MFA.

If this setting is enabled and the default RDP behavior is desired, then "C:\Windows\System32\CredentialUIBroker.exe" or "C:\Windows\System32\mstsc.exe" (depending on the Windows version) must be explicitly added to the list of Fully-Qualified Application Path(s) within the policy setting.
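
An added example, not part of the RSA article: because the setting identifies exempted applications by fully-qualified path, the PowerShell below checks that each path named in this article exists, carries a valid Authenticode signature, and grants write access only to expected principals. The function name `Test-ExemptBinary` and the `$trustedWriters` list (default English-language Windows account names) are assumptions.

```powershell
# Added example (not RSA code). Paths are the ones named in this article;
# edit the list to match what is entered in the policy setting.
$exemptPaths = @(
    'C:\Windows\explorer.exe',
    'C:\Windows\System32\CredentialUIBroker.exe',
    'C:\Windows\System32\mstsc.exe'
)

# Assumption: default ACLs and English account names for Windows system files.
$trustedWriters = @(
    'NT SERVICE\TrustedInstaller',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

# Rights that allow replacing or re-permissioning a file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Test-ExemptBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Not every path exists on every Windows version (see Notes above).
        return [pscustomobject]@{
            Path = $Path; Present = $false; Signature = $null; UnexpectedWriters = ''
        }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $acl = Get-Acl -LiteralPath $Path

    # Allow ACEs that carry any write-class right for a principal outside the trusted list.
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trustedWriters -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Path = $Path; Present = $true; Signature = $sig.Status
        UnexpectedWriters = ($writers -join '; ')
    }
}

$exemptPaths | ForEach-Object { Test-ExemptBinary -Path $_ } | Format-Table -AutoSize
```

A healthy result shows `Signature` as `Valid` and an empty `UnexpectedWriters` column for every path that is present.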
