000032683 - Increase the maximum length of a reserve password hash for the RSA Authentication Agent 7.x for Windows

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 8, 2020
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000032683
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for WIndows
RSA Agent Version/Condition:  7.x
IssueBy default, the ReservePasswordHashGenerator creates an 80-character hash code, while the default Reserve Password domain policy takes a maximum of 79 characters.  This article provides information on modifying the MAXLEN value of the reserve password hash so that it is allows for an additional character. 
 
Because of this discrepancy when the ADM\RSA Desktop\Local Authentication Settings\Reserve Password policy is enabled and the hash is set, the data pasted from the ReservePasswordHashGenerator to the Reserve Password text box does not fit, resulting in a non-functional reserve password. 
 
In the agent’s ADM templates, strings are allocated and stored in the registry as MAXLEN-1 because one character was needed to account for the trailing null that is needed when a string is written to the registry as a REG_SZ or REG_EXPAND_SZ. 

Microsoft Technet has an article entitled "Classic ADM file in Windows 2008: MAXLEN error," which says that the string in the text box is limited to this defined length, so the trailing null should be in addition to the value of MAXLEN and not built into it.
 
Editing the attached RSA_Authentication_Agent.adm file will correct the MAXLEN value to accommodate the trailing null.


 
ResolutionTo resolve this issue, follow the steps below:
  1. Download the RSA Authentication Agent for Microsoft Windows.
  2. Unzip the files in the archive and navigate to the RSA_Authentication_Agent_<version>\Policy Templates\adm folder.
  3. Open the RSA_Authentication_Agent.adm file in a text editor.
  4. Look for the line below:

PART !!LAC_RESERVE_PASSWORD_LABEL EDITTEXT VALUENAME "ReservePassword" MAXLEN 80


  1. Change the value for MAXLEN to 81, as shown:

PART !!LAC_RESERVE_PASSWORD_LABEL EDITTEXT VALUENAME "ReservePassword" MAXLEN 81


  1. Save and close the file.
  2. Download ReservePasswordHashGenerator zip file attached to this article and save it on a local Windows machine.
  3. Unzip the files in the archive and navigate to the appropriate folder based upon the Windows architecture (32- or 64-bit).
  4. Double click the installer and run the Windows install wizard.
  5. Click on Finish when the installation is complete.
  6. Go to Start > All Programs > RSA and click on the RSA Reserve Password Hash Generator, which opens a command prompt as shown:

User-added image


  1. Enter a reserve password that meets the requirements and confirm the same to generate the 80-character reserve password hash.

User-added image


  1. The 80-character reserve password hash generated using the ReservePasswordHashGenerator can now be entered 
  2. Take the agent machine off the network to test the new reserve password.

Outcomes