000021749 - Understanding dataflow and communications between Local Agent and RSA ACE/Server 6.0

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Number: 000021749

Applies To:
RSA Authentication Manager 6.0
RSA Authentication Agent 6.0
Microsoft Windows 2000
Microsoft Windows Server 2003

Issue: Understanding dataflow and communications between Local Agent and RSA ACE/Server 6.0

Resolution

Logon through a Local Agent when online
When a Local Agent is online (in contact with an RSA ACE/Server host), the following processes occur:
1. At logon, the user is prompted for their Windows user name and passcode (action of the RSA Acegina.dll on the local workstation). If the user is RSA SecurID-enabled, they enter an RSA SecurID passcode; if the user is not an RSA SecurID user, they enter their Windows password. The Agent's last available Offline code is also submitted so that the Server can allow a request for additional Offline files to be processed, if needed (in accordance with the current Server policy settings).
2. If the user is to be RSA SecurID authenticated (by group affiliation or "Challenge All" selected), the Agent sends the credentials to the RSA ACE/Server authentication service for validation. The request is encrypted with the Node Secret.
3. If the credentials are valid, the Server responds and provides Windows credentials (if enabled). The response is also encrypted.
4. If additional Offline files are needed, the Agent makes a request to the Server's Offline Service.
5. The Offline Service supplies the appropriate Offline files to the Agent Host. The transmission is secured by encrypting it with the Agent's Node Secret, and the files stored on the Agent Host machine are encrypted as well.
Logon through a Local Agent when offline
When a Local Agent is offline (disconnected from every RSA ACE/Server host), the following processes occur:
1. At logon, the user is prompted for their Windows user name and passcode (action of the RSA Acegina.dll on the local workstation). If the user is RSA SecurID-enabled, they enter an RSA SecurID passcode; if the user is not an RSA SecurID user, they enter their Windows password.
2. If the user is to be RSA SecurID authenticated (by group affiliation or "Challenge All"), the Agent attempts to send the credentials to the RSA ACE/Server authentication service.
3. After the communication times out (the Agent may need to exhaust a timeout period against several Servers if Replica Servers are part of the realm), the Agent consults its local Offline data store to verify the user's passcode. If the passcode is valid, the user is granted access and the event is logged in the local temporary log.
4. The next time the Agent Host is connected (online) with an RSA ACE/Server host, it indicates that it has log information to upload to the Server. At the next opportunity, the Offline Service at the Server uploads the Agent's logged data (transmission encrypted with the Agent's Node Secret). Events logged locally on the Agent and uploaded to the Server become part of the Server's activity log.
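The two flows above (online validation against the Primary and Replica hosts, fallback to the local Offline data store once every host has timed out, a local temporary log that is uploaded on the next successful contact, and a top-up of Offline files when the store runs low) can be modelled as one decision path. The following is an added illustrative model, not RSA's code or protocol: the class names, the hashed offline store, the `min_offline_codes` threshold and the in-memory servers are all assumptions, and the Node Secret encryption is represented only by a comment.

```python
"""Constructed model of the Local Agent logon decision flow (not RSA code)."""
import hashlib
from dataclasses import dataclass, field


def digest(passcode: str) -> str:
    """Hash an Offline code so the local store never holds it in clear (assumption)."""
    return hashlib.sha256(passcode.encode()).hexdigest()


@dataclass
class AceServer:
    """Stand-in for an RSA ACE/Server host (Primary or Replica); constructed for this example."""
    name: str
    reachable: bool
    users: dict                                          # username -> current passcode (constructed)
    offline_codes: dict = field(default_factory=dict)    # username -> future Offline codes to hand out
    activity_log: list = field(default_factory=list)     # Server activity log (receives uploads)

    def authenticate(self, user: str, passcode: str) -> bool:
        # Represents the Node-Secret-encrypted request/response; unreachable hosts time out.
        if not self.reachable:
            raise TimeoutError(self.name)
        return self.users.get(user) == passcode

    def offline_service(self, user: str, count: int) -> list:
        """Offline Service stand-in: hand out up to `count` hashed Offline codes for the user."""
        codes = self.offline_codes.get(user, [])
        handed, self.offline_codes[user] = codes[:count], codes[count:]
        return [digest(c) for c in handed]


@dataclass
class LocalAgent:
    servers: list                                        # Primary first, then Replicas (assumption)
    securid_users: set = field(default_factory=set)
    challenge_all: bool = False
    min_offline_codes: int = 2                           # policy threshold for requesting more files (assumption)
    offline_store: dict = field(default_factory=dict)    # username -> set of hashed Offline codes
    temp_log: list = field(default_factory=list)         # local temporary log of offline events
    timeouts: list = field(default_factory=list)         # hosts that timed out, in order

    def requires_securid(self, user: str) -> bool:
        return self.challenge_all or user in self.securid_users

    def logon(self, user: str, passcode: str) -> str:
        if not self.requires_securid(user):
            return "windows-password"          # not SecurID-enabled: Windows validates the password
        for server in self.servers:            # step 2: try each host, exhausting its timeout in turn
            try:
                accepted = server.authenticate(user, passcode)
            except TimeoutError:
                self.timeouts.append(server.name)
                continue
            self.upload_temp_log(server)       # back online: pending offline events go to the Server
            if accepted:
                self.refresh_offline_files(server, user)   # steps 4-5: top up Offline files if needed
                return "online-accepted"
            return "online-rejected"
        # Every host timed out (step 3): consult the local Offline data store.
        if digest(passcode) in self.offline_store.get(user, set()):
            self.temp_log.append((user, "offline-accepted"))
            return "offline-accepted"
        self.temp_log.append((user, "offline-rejected"))
        return "offline-rejected"

    def refresh_offline_files(self, server: AceServer, user: str) -> None:
        store = self.offline_store.setdefault(user, set())
        if len(store) < self.min_offline_codes:
            store.update(server.offline_service(user, self.min_offline_codes - len(store)))

    def upload_temp_log(self, server: AceServer) -> None:
        if self.temp_log:
            server.activity_log.extend(self.temp_log)   # becomes part of the Server's activity log
            self.temp_log.clear()


def run_scenario() -> dict:
    """Walk one Agent through online logon, loss of all hosts, offline logon and reconnection."""
    primary = AceServer("Primary", True, {"alice": "1234567890"}, {"alice": ["off-a", "off-b", "off-c"]})
    replica = AceServer("Replica", True, {"alice": "1234567890"})
    agent = LocalAgent([primary, replica], securid_users={"alice"})
    results = {
        "bob_windows": agent.logon("bob", "password"),
        "alice_bad_online": agent.logon("alice", "wrong"),
        "alice_online": agent.logon("alice", "1234567890"),
        "offline_codes_cached": len(agent.offline_store["alice"]),
    }
    primary.reachable = replica.reachable = False        # every host in the realm is unreachable
    results["alice_offline"] = agent.logon("alice", "off-a")
    results["alice_bad_offline"] = agent.logon("alice", "off-z")
    results["pending_log"] = len(agent.temp_log)
    replica.reachable = True                             # only a Replica comes back
    results["alice_reconnect"] = agent.logon("alice", "1234567890")
    results["replica_log"] = list(replica.activity_log)
    results["timeouts"] = list(agent.timeouts)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is the ordering in step 3: the Agent never consults the Offline store until every configured host has timed out, so a realm with several Replicas produces a correspondingly longer delay before the offline path is taken, and the events recorded during that window surface in the Server activity log only after the next successful contact.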
Additional information
Understanding data flow and communications between a Domain Agent and RSA ACE/Server 6.0
Legacy Article ID: a24864
