000029685 - Next tokencode in RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000029685
Applies To
RSA Product SetSecurID
RSA Product/Service TypeRSA Authentication Manager
RSA Version/Condition8.1 SP1
PlatformSUSE Enterprise Linux
Platform (Other) 
O/S Version11 SP3
Product Name 
Product DescriptionSecurID Appliance
IssueSoftware / hardware tokens are reported to be going into next tokencode mode.
TasksTroubleshooting tasks: 
  • Check the software version being used by the primary instance and replica instance(s) as all Authentication Manager instances should be using the same software version and the latest available software.
  • Check the replication between the primary instance and replica instance(s).  Replication failing will eventually cause a problem with end user authentications.
  • Check the time difference between the primary instance and replica instance(s) as there should not be a difference of more than one to two minutes between any Authentication Manager instance.
  • Run an authentication activity report and check to see which end user(s) are constantly being prompted for a next tokencode.
  • In the authentication activity report also check which Authentication Manager is processing end user authentications and which Authentication Agent is sending the end user authentications. Should it be seen that a majority of the authentications are coming from one Authentication Agent then a review of the Authentication Agent configuration may be required, with further authentication testing.
ResolutionEnd users entering incorrect passcodes
End users entering incorrect passcodes can invoke next tokencode mode. Updating the Token Policy setting 'Incorrect Passcodes' allows users to enter a limited or unlimited number of incorrect passcodes. When the limit is exceeded and followed by a correct passcode, users are prompted to enter the next tokencode that is displayed on their tokens.
Understanding the token synchronization range
The token seed record XML defines the token range of the tokens.
An example from a token seed XML file:

*  the values are in seconds and cannot be manually changed in the token seed XML file.
Token synchronization range table:
User-added image
Relationship between the token seed XML and the token synchronization range shown in the table above:
<DefSmallWin>Automatic Range
<DefMediumWin>Accept with Next Code
<DefLargeWin>Maximum Limit

 The DefSmallWin indicates the time interval when a user can successfully enter a tokencode without triggering next tokencode mode (+/- 1 interval ; 3 codes)
User-added image
User-added image
Both the DefMediumWin and DefLargeWin indicate longer time intervals when a user will be prompted for the next tokencode (NTC). Any tokencode entered outside of the DefLargeWin will fail an authentication.  This has nothing to do with invalid passcodes being entered by the user.
Next tokencode and token resynchronization will update the token offset value stored in the token record to ensure the token record remains in the Automatic Range (DefSmallWin) for subsequent authentications. Where the time has a difference of +/- 12 hours then the token offset cannot be updated and authentications will fail.
RSA recommends the use of the Network Time Protocol (NTP) with Authentication Manager instances to ensure the time remains stable.  This is because clock changes can impact the token offset, meaning end users are likely to be prompted for next token code during an authentication.  If there has been a big clock change (placing the token outside of the maximum limit) then authentications can fail.