000030605 - Elevate Administrative Rights in LAC Agents

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000030605
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent
RSA Version/Condition: 7.2.1
Platform: Windows
Issue: Elevating privileges of an unchallenged user to admin rights in LAC Agents under various scenarios

Assume that the agent is installed according to the documentation and is working.

Scenario 1: RSA AM (Authentication Manager) and AD (Active Directory) services are available
  1. Log in as a non-challenged user (without admin privileges) and launch the application with 'Run as administrator'.
  2. The user is challenged to elevate privileges with 2-factor authentication.
  3. Once the privileged user enters credentials (username + passcode + Windows password), the application is launched.
Note: If the privileged user doesn't have an AD cache stored locally, the prompt for the domain password appears again.

Scenario 2: RSA AM services are unavailable with offline authentication enabled, and AD services are available
When all RSA AM servers are unavailable, a user with offline days can still elevate privileges with 2FA.

Scenario 3: RSA AM services are unavailable with no offline authentication, and AD services are available
When all RSA AM servers are unavailable and the privileged user has no offline days, then:
  1. If Reserve Password is enabled, the privileged user is prompted to enter the reserve password.
  2. If Reserve Password is not enabled, the operation is not permitted.
The privileged user is prompted for the reserve password once they have entered username + passcode. This is because the RSA Agent cannot find RSA AM, hence the prompt for the reserve password.

Scenario 4: RSA AM and AD services are unavailable
If both services are unavailable, elevation of user privileges is not permitted.