000033268 - Authentication method failed, passcode format error for all software tokens in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000033268
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
  • In Authentication Manager 8.x and later, the following error is displayed for all software tokens, but hardware tokens and fixed passcodes work:
Authentication method failed, passcode format error

  • The passcode format error occurs with native SecurID agents, as well as RADIUS clients and their associated agents.
  • RSA SecurID software tokens on user devices will fail to resynchronize in the Security Console.
[Screenshot: Resync Token]
 
Cause
An RSA administrator with the right to distribute software tokens can (re)distribute all assigned software tokens at once. Doing so regenerates each token with a different seed value, which invalidates all currently assigned and working software tokens. In effect, every redistributed software token becomes a new software token with the same serial number, and it stays invalid until the new token is imported.
WARNINGS
  • In the screenshot below, note that the following warning is issued:
Token selection criteria not specified.  All assigned tokens will be selected for issuance and that current software token users cannot authenticate until they update their tokens.  

  • If you click OK, another warning displays:
You will issue <number of software tokens> software tokens according to your selection criteria.  This job generates new token seeds for these tokens.  Existing users of these tokens will no longer be able to authenticate.  Users must import the new token data before they can authenticate.
 

[Screenshot: Bulk distribution]

Once the new token seed is issued, the Authentication Manager server will expect authentication requests to use the newly issued tokencode or passcode.  Since the old token is still installed on the end user's mobile device or desktop, when a tokencode or passcode is submitted from the device, authentication will fail.
Currently there is no simple way to prevent this from happening. A request for enhancement (RFE), AM-30216, is in place to change the bulk distribution of software tokens within Authentication Manager.
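One way to check authentication logs for the symptom pattern described under Issue: several distinct software tokens failing with the passcode format error while hardware tokens and fixed passcodes still succeed. This is an added example, not RSA code; the CSV columns, the sample rows and the `min_serials` threshold are assumptions made for illustration and do not reflect an Authentication Manager export format.

```python
import csv
import io
from collections import defaultdict

# Error text as quoted in the article; the log layout below is an assumption.
FORMAT_ERROR = "Authentication method failed, passcode format error"

# Constructed sample export: hypothetical columns, not an RSA log format.
SAMPLE_LOG = '''time,user,serial,token_type,result,reason
2017-04-21T09:00:02,alice,000100000001,software,fail,"Authentication method failed, passcode format error"
2017-04-21T09:00:40,bob,000100000002,software,fail,"Authentication method failed, passcode format error"
2017-04-21T09:01:15,dave,000200000009,hardware,success,
2017-04-21T09:01:30,carol,000100000003,software,fail,"Authentication method failed, passcode format error"
2017-04-21T09:02:05,erin,,fixed_passcode,success,
2017-04-21T09:02:44,alice,000100000001,software,fail,"Authentication method failed, passcode format error"
'''


def summarize(log_text):
    """Per token type, collect who succeeded and which serials hit the format error."""
    stats = defaultdict(lambda: {"ok": set(), "format_error": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = stats[row["token_type"]]
        if row["result"] == "success":
            entry["ok"].add(row["user"])
        elif row["reason"] == FORMAT_ERROR:
            entry["format_error"].add(row["serial"])
    return stats


def looks_like_bulk_redistribution(log_text, min_serials=3):
    """True when the article's symptom pattern holds: several distinct software
    tokens fail with the format error, none succeed, and other methods still work."""
    stats = summarize(log_text)
    software = stats.get("software", {"ok": set(), "format_error": set()})
    others_work = any(e["ok"] for kind, e in stats.items() if kind != "software")
    return (len(software["format_error"]) >= min_serials
            and not software["ok"]
            and others_work)


if __name__ == "__main__":
    print(looks_like_bulk_redistribution(SAMPLE_LOG))
```

A single user with one failing token, or a log in which hardware tokens fail as well, does not match the pattern and returns False.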
Resolution
There is no rollback option in Authentication Manager if software tokens are redistributed. If this happens in your deployment, there are two options to resolve the issue:
  • Provide the new token seeds to the end users so they can import the new token to their device.
  • Alternatively, revert to a backup of your Authentication Manager system, or restore from Backup in the Operations Console. Restoring from a backup means losing some data that has changed since the backup was taken. Make absolutely sure you restore the correct backup, as the Operations Console will take whatever backup you point to and overwrite the current system. As a safety measure, you may want to take a backup of the current system before restoring from backup.
Workaround

Recommendations


  • Before choosing the option to distribute software tokens in bulk, log in to the Operations Console and select Maintenance > Backup and Restore > Backup Now to take a backup of the Authentication Manager database.
  • As part of best practices for Authentication Manager, configure scheduled backups in the Operations Console (Maintenance > Backup and Restore > Schedule Backups) to back up the database on a regular schedule so that if this issue happens, it can be mitigated quickly.
Notes
In Authentication Manager 6.1 and earlier, the token distribution process was called issuing software tokens.
