000017741 - GPO causes Windows Software Token 4.1.1 application to prompt for a Device Password

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000017741
Applies To: Device Password not configured; Windows Software Token version 4.1.1 (Win Soft Token v. 4.1.1)
Issue: A Group Policy Object (GPO) causes the Windows Software Token 4.1.1 application to prompt for a Device Password when launched, because the application is unable to decrypt the token database.
Process Monitor (procmon) shows ACCESS DENIED on registry keys (HKEY hives) while the application is running.
Cause: A Group Policy Object (GPO) named "Domain - 'Domain'.com - Local service profile system - Policy Profile system performance : NT AUTHORITY\LOCAL SERVICE" causes the Windows Software Token 4.1.1 application to prompt for a Device Password.

The Software Token application uses Microsoft's Data Protection API (DPAPI) to help protect the token database.

See http://msdn.microsoft.com/en-us/library/ms995355.aspx for details. 

DPAPI offers two modes of protection: system (also called machine) mode and user mode. User mode protection depends on the user's password, so protected data can only be decrypted in that user's logon context. The default installation of the application chooses user mode protection, as this is the most secure configuration. Some deployments, however, need behaviour that user mode DPAPI cannot provide. For example, in a pre-login scenario where some software must read the token database before the user has logged on, a database protected with user mode DPAPI cannot be accessed at all. In this scenario the Software Token application can be configured through a command line install in single database mode. This moves the database to the All Users directory (or its equivalent on the Microsoft OS variant in use) and switches the DPAPI protection to system mode, which removes the dependency on the user password.
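The difference between the two DPAPI scopes described above can be seen directly with the .NET wrapper around DPAPI. The following PowerShell snippet is an added example and is not RSA's code: it protects a constructed sample byte string once in user scope (the application's default) and once in machine scope (the single database mode behaviour), then shows how an unprotect failure, the condition behind the Device Password prompt, surfaces as a CryptographicException. The sample data and the helper function name are assumptions made for illustration.

```powershell
# Added example (not RSA's code): the two DPAPI protection scopes the article describes.
Add-Type -AssemblyName System.Security

# Constructed stand-in for token-database bytes; the real database format is not shown here.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample token-database bytes')
$entropy = $null   # optional extra entropy; the article does not describe any, so none is used

# User-scope blob: decryptable only in the logon context of the user who protected it.
$userBlob = [System.Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

# Machine-scope blob: decryptable by any account on this machine, so it has no user password dependency.
$machineBlob = [System.Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

# Hypothetical helper: try to unprotect a blob and report the outcome instead of throwing.
function Test-DpapiBlob {
    param(
        [byte[]]$Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope
    )
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $entropy, $Scope)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure mode that makes the token application fall back to a Device Password prompt:
        # the blob exists but cannot be decrypted in the current security context.
        return "UNPROTECT FAILED: $($_.Exception.Message)"
    }
}

Test-DpapiBlob -Blob $userBlob    -Scope CurrentUser
Test-DpapiBlob -Blob $machineBlob -Scope LocalMachine
```

Run this once in the interactive user's session, then run only the two Test-DpapiBlob calls again from a session started under a different account (for instance with runas, after saving the two blobs to a file). The CurrentUser blob reports UNPROTECT FAILED in the second session while the LocalMachine blob still decrypts, which is exactly the trade-off between the default user mode and single database mode: the machine-scope blob is readable before logon and by other local accounts, so protecting the file with tight NTFS permissions matters more in that configuration.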


The RSA software token database is closely tied to the user profile, and access to the database is machine-specific. The database is encrypted and is decrypted each time a user launches the application.

Resolution: Either do not use this Group Policy Object (GPO), or, if possible, run the 4.1.1 software token application as Administrator when launching it.
Notes: See A53148 for additional information.

Legacy Article ID: a62565
