000038986 - Enable a web proxy for RSA MFA Agent for Microsoft Windows

Document created by RSA Customer Support Employee on Jun 29, 2020. Last modified by RSA Customer Support Employee on Jun 29, 2020.
Version 2

Article Content

Article Number: 000038986
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: MFA Agent for Microsoft Windows
RSA Version/Condition: 1.1, 1.2

Issue
A user is unable to connect or authenticate with the RSA MFA Agent for Microsoft Windows when the machine has a web proxy configuration enabled.
Tasks
Tasks to complete include:
  1. Enable the proxy configurations on the machine.
  2. Go to the REG_BINARY key related to the proxy configuration for the machine.
  3. Export the DefaultConnectionSettings registry key.
  4. Modify the registry key with the new path for the local user account.
  5. Import the new registry key.
  6. Enable the MFA Agent for Microsoft Windows GPO for online and offline authentication.
  7. Test the agent to confirm that both online and offline authentication are successful.
Resolution
  1. Enable the proxy configurations for the Windows machine.
    1. Log in to the Windows machine as a domain admin user.
    2. Click Start and search for Internet Options.
    3. Go to Connections > LAN Settings.
    4. Under Proxy Server, enter your proxy server information.
    5. Click OK when done.

  2. Click Start and search for regedit. Right-click it and select Run as Administrator.

    1. A REG_BINARY value will be created with the name DefaultConnectionSettings, and it must be filled with the web proxy information.
    2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections. You will see a REG_BINARY value named DefaultConnectionSettings.

If you open this registry value, you will find the information for the proxy you configured in Connections > LAN Settings.

  3. Export the DefaultConnectionSettings key by selecting the registry key and selecting File > Export. Save the exported key with the name DefaultConnectionSettings.

  4. Modify the exported registry file so that it can be imported to a different location.
    1. The easiest way is to open the registry file with a text editor and modify the registry key location.
    2. In the registry file, you will find the exported location that was browsed to in step 2.
    3. Replace this location with the new location for the local user account; that is, HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.
    4. Save and close the file.

  5. Import the updated registry file (File > Import) and browse to the location of the file. The key will automatically be imported to the location for the local user account, as specified by modifying the file in step 4.

You can create a GPO with the registry key values and push it to all the machines in your domain.

  6. Enable the GPO for Online/Offline Authentication to the Cloud Authentication Service.

  • To enable Online Cloud Authentication Service Authentication:

[Screenshot: Enable_online_CAS]

  • To enable Offline Cloud Authentication Service Authentication:

[Screenshot: Offline_Auth]

For more details about the RSA MFA Agent for Microsoft Windows and GPO configurations, see the RSA MFA Agent 1.2 for Microsoft Windows Installation and Administration Guide and the RSA MFA Agent 1.2 for Microsoft Windows Group Policy Object Template Guide.

  7. To test authentication, open the RSA MFA Agent for Microsoft Windows test utility.
    1. Test online authentication first. After a successful authentication, wait 60 seconds to download the offline days. Ensure that the offline days are downloaded by watching the user event monitor on the Cloud Admin Console.
    2. Test offline authentication.
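
Step 4 can be scripted instead of edited by hand. The following Python sketch is an added example, not RSA's code: it rewrites the key path of an exported .reg file to the HKEY_USERS\S-1-5-18 location (S-1-5-18 is the well-known SID of the Local System account), rejects a file that contains any other key, and keeps only the DefaultConnectionSettings value. The function names, the sample export and the choice to drop other values are assumptions made for this example.

```python
SRC = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
DST = r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
VALUE = "DefaultConnectionSettings"
HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample export (illustrative bytes, not taken from a real machine).
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{SRC}]\r\n"
    '"DefaultConnectionSettings"=hex:46,00,00,00,02,00,00,00,03,00,00,00,12,00,00,\\\r\n'
    "  00,70,72,6f,78,79,2e,65,78,61,6d,70,6c,65,3a,38,30,38,30\r\n"
    '"SavedLegacySettings"=hex:46,00,00,00\r\n\r\n'
)

def retarget(reg_text, src=SRC, dst=DST, value=VALUE):
    """Return .reg text that writes only `value` under `dst`.

    Raises ValueError unless the export holds exactly the expected key, so
    nothing unrelated is imported into the Local System hive by accident.
    """
    lines = reg_text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a version 5.00 .reg export")
    keys = [l.strip()[1:-1] for l in lines if l.startswith("[") and l.rstrip().endswith("]")]
    if len(keys) != 1 or keys[0].lower() != src.lower():
        raise ValueError(f"expected exactly one key, {src}; found {keys}")
    kept, keep = [], False
    for line in lines[1:]:
        if line.startswith('"'):           # a new value entry begins
            keep = line.startswith(f'"{value}"=hex:')
        elif not line.startswith(" "):     # blank line or key header ends it
            keep = False
        if keep:                           # indented lines continue hex data
            kept.append(line)
    if not kept:
        raise ValueError(f"{value} (REG_BINARY) not found in export")
    return "\r\n".join([HEADER, "", f"[{dst}]", *kept, ""]) + "\r\n"

def retarget_file(src_path, dst_path):
    # regedit writes version 5.00 exports as UTF-16 with a byte order mark
    with open(src_path, encoding="utf-16") as f:
        out = retarget(f.read())
    with open(dst_path, "w", encoding="utf-16", newline="") as f:
        f.write(out)
```

Run `retarget_file` on the file exported in step 3 and import the result as in step 5.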
Notes
In RSA Authentication Manager 8.5, you will not need to configure domain machines with proxies, as you can use RSA Authentication Manager as a secure proxy server that sends any authentication requests from methods that RSA Authentication Manager cannot validate directly to the Cloud Authentication Service. This configuration supports cloud-based authentication for REST protocol authentication agents, such as RSA Authentication Agent 8.0 for PAM (or later), RSA MFA Agent for Microsoft Windows 1.0 (or later), and RSA Authentication Agent 2.0 for Microsoft AD FS (or later).

 
