000032683 - How to increase the maximum length of a reserve password hash for the RSA Authentication Agent for Windows 7.2.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000032683
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  RSA Authentication Agent
RSA Agent Version/Condition:  7.2.1
Platform:  Windows , 
IssueBy default, the ReservePasswordHashGenerator creates an 80-character hash code, while the default Reserve Password domain policy takes a maximum of 79 characters.  This article provides information on modifying the MAXLEN value of the reserve password hash so that it is allows for an additional character. 
Because of this discrepancy when the ADM\RSA Desktop\Local Authentication Settings\Reserve Password policy is enabled and the hash is set, the data pasted from the  ReservePasswordHashGenerator to the Reserve Password text box does not fit resulting in a non-functional reserve password. 
In the agent’s ADM templates, strings are allocated and stored in the registry as MAXLEN-1 because one character was needed to account for the trailing null that is needed when a string is written to the registry as a REG_SZ or REG_EXPAND_SZ. 
Technet Microsoft says that the string in the text box is limited to this defined length, so the trailing null should be in addition to the value of MAXLEN and not built into it.
Editing the attached RSA_Authentication_Agent.adm file will correct the MAXLEN value to accommodate the trailing null.

ResolutionTo resolve this issue, follow the steps below:
  1.  Download the Authentication Agent for Microsoft Windows.
  2.  Unzip the files in the archive and navigate to the RSA_Authentication_Agent_7.2.1\Policy Templates folder.
  3.  Open the RSA_Authentication_Agent.adm file in a text editor.
  4.  Look for the line below:


  5.  Change to MAXLEN 81, as below:

  6.  Save and close the file.
  7.  Download the attached the ReservePasswordHashGenerator zip file and save it on a local windows machine.
  8.  Unzip the files in the archive and navigate to the appropriate folder based upon the windows architecture (32 / 64 bit).
  9.  Double click the installer and run through Windows install wizard.
10. Click on Finish once the installation is complete.
11. Goto Start > All Programs > RSA and click on RSA Reserve Password Hash Generator which opens a command prompt as in the
     below screen shot.

User-added image


12.  Enter the Reserve password meeting the requirements and confirm the same to generate the 80 character Reserve password hash.
User-added image

13.  The 80 character Reserve password hash generated using the ReservePasswordHashGenerator could now be entered 
14.  Take the agent machine off the network to test the new reserve password.