000029974 - How to display exclusively SecurID tile on Windows logon prompt?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029974
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent
RSA Version/Condition: 7.2.1
Platform: Windows 7
Platform (Other): Windows 8
O/S Version: Windows 7
Product Name: RSA-0010010
Product Description: RSA Authentication Agent
Issue:
The administrator would like the end user to see only one tile, the SecurID logon prompt, and would like to remove the "Other User" tile from the logon screen.
Tasks:
How to enforce SecurID logon on Windows 7 machine?
How to display exclusively SecurID tile on Windows logon prompt?
How to remove all other user tiles on a SecurID protected Windows machine?
The "Other User" option presented on the logon screen can be chosen, and only network logon credentials are required at that access point, which completely circumvents the 2FA requirement.
Authentication using 2FA is successful from the local machine.
The display of previously logged-on user tiles on SecurID-protected Windows machines can be managed through the Credential Provider configuration.
Resolution:
Navigate to Start > Run > gpedit.msc > Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > RSA Desktop > Credential Provider Filter Settings.
This can be accomplished by enabling the exclusion of third-party credential providers. The remaining credential provider settings can be left as Not configured, which is the default setting.
Exclude the Microsoft Password Credential Provider = Not configured
Exclude the RSA Credential Provider for disconnect auth = Not configured
Exclude the RSA Smart Card Credential Provider = Not configured
Exclude the Third-party Credential Providers = Enabled

The above settings will present only the SecurID tile and remove the "Other User" tile.
There is another way to accomplish the same result.
Change the credential provider settings using gpedit.msc:
1.    Start > Run > gpedit.msc
2.    Expand Administrative Templates
3.    Expand Classic Administrative Templates
4.    RSA Desktop > Credential Provider Filter Settings
      Make the following 4 changes:
        Exclude the Microsoft Password Credential Provider = Enabled
        Exclude the RSA Credential Provider for disconnect auth = Disabled
        Exclude the RSA Smart Card Credential Provider = Disabled
        Exclude the Third-party Credential Providers = Enabled
5.    At a command prompt, run: gpupdate /force
6.    Log off and log back on.
      The user will see only one icon, with the SecurID logo, and must authenticate with SecurID credentials.
