000015015 - MMC Snap-in Troubleshooting Guide

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000015015

Applies To
RSA Authentication Manager 7.1
MMC Snap-in

Issue
Symptom1: User is prompted for Microsoft credentials when clicking Manage SecurID Token(s)
Symptom2: System Error is displayed when clicking Manage SecurID Token(s) and user null is present on the screen
Symptom3: You are prompted with a Security Console Login screen when clicking Manage SecurID Token(s)
Symptom4: Continuously prompted for credentials
Symptom5: Continuously prompted for credentials

Cause
Cause1: The setting in Internet Explorer for "Automatic Logon with current username and password" is not enabled for the given zone.
Cause2: The domain controller's name in Active Directory Users and Computers is different from the hostname defined in the Operations Console.
Cause3: The URL entered during the MMC Snap-in installation had the suffix /console-ims instead of /console-am.
Cause4: DNS must be able to resolve the domain suffix.
Cause5: Internet Explorer security settings are set to medium low in Internet Explorer 8.

Resolution
Fix1: Either add the AM host to the "Intranet Zone" and under Custom Level choose "Automatic logon only in Intranet Zone", or add the AM host to the "Trusted Sites Zone" and make sure that "Automatic Logon with current username and password" is enabled under Custom Level for the Trusted Sites Zone.
Fix2: Make sure that the DC's fully qualified hostname is what is used in the Identity Source definition in the Operations Console.
Fix3: Reinstall the MMC Snap-in and input the correct URL.
Fix4: Run nslookup domain.com (where domain.com is the suffix for the domain controller) to confirm that DNS resolves it.
Fix5: Works if settings are set to low (currently working to identify the minimal settings that need to be modified).
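
The checks behind Fix1, Fix3 and Fix4 can be scripted on the administrator's workstation. The following is an added example, not RSA's own tooling: the URL and domain suffix are placeholders, the zone lookup relies on the .NET Framework class available in Windows PowerShell 5.1, and the registry lookup order is a simplification of how Internet Explorer resolves policy.

```powershell
# Added diagnostic sketch for Windows PowerShell 5.1; run as the user who launches ADUC.
# $ConsoleUrl and $DomainSuffix are placeholders (assumptions): substitute your own.
$ConsoleUrl   = 'https://am.example.com/console-am'
$DomainSuffix = 'example.com'
$uri = [Uri]$ConsoleUrl

# Cause3 / Fix3: the URL given to the snap-in installer must end in /console-am.
if ($uri.AbsolutePath.TrimEnd('/') -notlike '*/console-am') {
    Write-Warning "URL path '$($uri.AbsolutePath)' does not end in /console-am (Fix3)."
}

# Cause4 / Fix4: DNS must resolve the domain suffix; the AM host is checked too.
foreach ($name in $DomainSuffix, $uri.Host) {
    try   { $ips = [Net.Dns]::GetHostAddresses($name); "DNS ok: $name -> $($ips -join ', ')" }
    catch { Write-Warning "DNS cannot resolve '$name' (Fix4)." }
}

# Cause1 / Fix1: find the IE security zone the URL maps to (0..4, -1 = no zone).
$zone      = [int][System.Security.Policy.Zone]::CreateFromUrl($ConsoleUrl).SecurityZone
$zoneNames = @{ 0='My Computer'; 1='Local intranet'; 2='Trusted sites'; 3='Internet'; 4='Restricted sites' }

# Registry value 1A00 holds the zone's "User Authentication > Logon" choice.
$logonNames = @{
    0x00000 = 'Automatic logon with current username and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
# Simplified lookup order: machine policy, user policy, then the user's own setting.
$sub   = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
$logon = $null
foreach ($key in "HKLM:\SOFTWARE\Policies\$sub", "HKCU:\Software\Policies\$sub", "HKCU:\Software\$sub") {
    $value = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $value) { $logon = [int]$value; "1A00 read from $key"; break }
}

"Zone : $zone ($($zoneNames[$zone]))"
"Logon: $(if ($null -eq $logon) { 'not set' } else { $logonNames[$logon] })"

# Fix1 is satisfied by automatic logon in the Intranet or Trusted Sites zone.
$autoLogon = ($logon -eq 0x00000) -or ($zone -eq 1 -and $logon -eq 0x20000)
if (($zone -notin 1, 2) -or (-not $autoLogon)) {
    Write-Warning 'Credentials will not be sent automatically for this URL (see Fix1).'
}
```

A warning on the last check with the zone reported as Internet means the AM host has not been added to either zone named in Fix1.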

Notes
Other general setup reminders:
The user that "installs" the MMC snap-in must be a member of BOTH the Domain Admins group AND the local Administrators group.
The user you are logged in to your workstation as, who launches "Active Directory Users and Computers", must be contained within the scope of the Authentication Manager defined Identity Source you are attempting to manage.
The user you are logged in to your workstation as, who launches "Active Directory Users and Computers", must be assigned an Administrative Role within Authentication Manager which has permission to assign tokens.

If you want to run the MMC snap-in as a different user, it may be possible to disable the "Automatic Logon" setting in Internet Explorer; however, you would be prompted frequently to authenticate.


IEinspector HTTPAnalyzer (http://www.ieinspector.com/httpanalyzer/) is a good utility to view the DC name that the MMC snap-in is passing over HTTPS to Authentication Manager.

Legacy Article ID
a44275