000029627 - Re-authenticating with on demand authentication (ODA) fails after web agent session timeout

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029627
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web
RSA Version/Condition: 7.1.2 for IIS
Platform: Windows
Platform (Other): null
O/S Version: 2008 Server R2 Standard (64 bit)
Product Name: RSA-0010010
Product Description: RSA Authentication Manager

After the session times out on a website protected with the RSA Web Agent v7.1.3, the user is prompted to re-authenticate. The re-authentication process then goes as follows:
1. In the authentication window, the user enters his user ID in the User Name field and the ODA PIN in the Passcode field.
2. A new authentication window pops up with the error message "Authentication Failed". In this window, the User Name field is empty but the Passcode field is pre-filled with the user's PIN. Nothing is logged in Authentication Manager.
3. The On-Demand Tokencode is sent to the user, in spite of the error.
4. The user fills in the User Name, clears the PIN and fills in only the tokencode, following the usual ODA authentication mechanism.
5. Authentication fails again and the previous window pops up again (empty User Name, PIN filled in the Passcode field). The Authentication Manager log shows a failed authentication.
6. The user fills in his User Name and appends the previously received tokencode to the pre-filled PIN in the Passcode field.
7. Authentication succeeds.

This way of authenticating with ODA after the session times out is confusing for the user, because it is not the usual method. Therefore, it has the potential to cause many help desk calls for our customer.

Resolution
Disabling the RSAResponseInterceptorModule resolves the issue. Refer to the document RSAWebAgent_AM.pdf in the AM 8.1 extras (page 4).

Integrating RSA Authentication Agent for Web with RSA Authentication Manager 8.1 Risk-Based/On Demand Authentication
Install the Agent for Web software, using the instructions provided with the software.
The installer will prompt you for the sdconf.rec file that you created in the previous
Note: After installation, manually disable the RSAResponseInterceptorModule in the modules list of the website.
Important: When you make configuration changes to the IIS manager RSA config GUI, remove the RSAResponseInterceptorModule.
Make the SecurID Logon Page File Writable
The SecurID Logon Page file on the RSA Agent for Web is named useridandpasscode.htm. You must make useridandpasscode.htm writable before you can add the integration script because this file is read-only by default.
You may install the agent in the location of your choosing. The following are the default locations for useridandpasscode.htm:
• Windows: C:\Program Files\RSA Security\RSAWebAgent\templates
Note: In case of an international locale, the useridandpasscode.htm file is also found in C:\Program Files\RSA Security\RSAWebAgent\templates\nls\en-securid.
• UNIX: /usr/local/apache/rsawebagent/Templates
Before you begin
Back up useridandpasscode.htm.
Make the SecurID Logon Page File Writable
For Windows
1. Right-click useridandpasscode.htm, and select Properties.
2. Deselect Read-only, and click OK.
For UNIX
1. From a command shell, type
chmod 644 useridandpasscode.htm
2. Press Enter.
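
The following PowerShell check is an added example, not part of the RSA document: it reports whether RSAResponseInterceptorModule is still in a site's effective modules list, then backs up the logon page at the default Windows path and clears its read-only attribute. The site name 'Default Web Site' and the .bak backup name are assumptions.

```powershell
# Added example (not from the RSA document). Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'   # assumption: the site protected by the Web Agent
$ModuleName = 'RSAResponseInterceptorModule'
# Default Windows template location given in the article.
$Template   = 'C:\Program Files\RSA Security\RSAWebAgent\templates\useridandpasscode.htm'

# Check 1: the module must not appear in the site's effective modules list
# (this includes entries inherited from the server level).
$filter = "system.webServer/modules/add[@name='$ModuleName']"
$entry  = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter $filter
if ($entry) {
    Write-Warning "$ModuleName is still enabled on '$SiteName'; remove it from the site's Modules list."
} else {
    Write-Output "$ModuleName is not in the modules list of '$SiteName'."
}

# Check 2: back up the logon page once, then clear its read-only attribute.
if (-not (Test-Path -LiteralPath $Template)) {
    Write-Warning "Template not found at $Template (custom install path or locale folder?)."
    return
}
$backup = "$Template.bak"          # assumption: backup naming convention
if (-not (Test-Path -LiteralPath $backup)) {
    Copy-Item -LiteralPath $Template -Destination $backup
}
$file = Get-Item -LiteralPath $Template
if ($file.IsReadOnly) {
    $file.IsReadOnly = $false      # same effect as deselecting Read-only in Properties
}
Write-Output "Read-only: $((Get-Item -LiteralPath $Template).IsReadOnly); backup: $backup"
```

Rerunning the first check after any change made through the RSA config GUI in IIS Manager shows whether the module has to be removed again, as the Important note above requires.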