|Applies To||RSA Product Set: SecurID Access|
RSA Product/Service Type: MFA Agent for Microsoft Windows
|Issue||When launching an application using the Windows Run as option on an RSA MFA Agent for Microsoft Windows-protected Windows machine, the user is again prompted for their Windows credentials and additional multi-factor authentication (MFA).|
To disable this extra authentication step for a Run as scenario, perform the steps outlined below.
|Resolution||First, enable the Specify Remote Desktop Applications that Do Not Require RSA SecurID group policy object (GPO) setting and add "C:\Windows\explorer.exe" to the Fully-Qualified Application Path(s) within the setting as follows:|
Steps for accessing the GPO setting differ depending on whether or not GPO settings are managed by a domain controller. See the information below:
To access the GPO template on a Domain Controller:
|Notes||Please note that when this policy setting is Disabled or Not Configured, the RSA MFA Agent for Microsoft Windows automatically excludes Microsoft Remote Desktop Connection initiation from additional prompting for MFA.|
If this setting is enabled and the default RDP behavior is desired, then "C:\Windows\System32\CredentialUIBroker.exe" or "C:\Windows\System32\mstsc.exe" (depending on the Windows version) must be explicitly added to the list of Fully-Qualified Application Path(s) within the policy setting.