000033269 - Immediate Next Token Code (NTC) error received for some user logins in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000033269
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
O/S Version: ESXi 5.0
 
Issue

Some users receive an error when attempting to log in and are immediately asked to wait for and enter the next tokencode. The Authentication Manager activity monitor records the following for each affected login:
Log Level: INFO
Action ID: 23021
Activity Key: Next tokencode mode activated for token
Description: Next tokencode mode activated for token serial number "0001418xxxxx" assigned to user "xxxxx" in security domain "SystemDomain" from "xxxx AD" identity source

Cause

The time on the Primary and the Replica is different.
The log entry above also carries the field
Instance Name: <primary> vs. <replica(s)>
which shows which instance produced each event. Looking at a user's authentication activity over a period of time, you may see something like
5/18/2016  4:29:26 PM AUTHN_METHOD_SUCCESS <replica>
5/19/2016  7:32:07 AM Next tokencode mode activated for token <primary>
Here a success is followed immediately by NTC on a different instance, with no failed attempts in between, so this is not a failure-related NTC: the tokencode the user entered was valid against the clock of one instance but fell outside the accepted window on the other.
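The check described above can be automated over an activity-monitor export. The following script is an added example and is not part of the RSA article or product: it groups events per user and, for every NTC event, looks at the event that immediately precedes it. A success on a different instance points at clock drift between instances; one or more failures before the NTC is the ordinary failure-related case. The pipe-delimited layout, the instance names, the user names and the activity key AUTHN_METHOD_FAILED in the sample are constructed assumptions for this example; only AUTHN_METHOD_SUCCESS and the NTC activity key are taken from the article.

```python
"""Classify Next Tokencode (NTC) events from an Authentication Manager activity
export as clock-drift related (success on one instance immediately followed by
NTC on another) or failure related (bad attempts precede the NTC)."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Activity keys quoted in the article.
NTC_KEY = "Next tokencode mode activated for token"
SUCCESS_KEY = "AUTHN_METHOD_SUCCESS"

# Constructed sample export for this example: timestamp|user|activity key|instance.
# Instance names, users and the AUTHN_METHOD_FAILED key are assumptions; the real
# export has more columns and its own delimiter.
SAMPLE_LOG = """\
5/18/2016 4:29:26 PM|jsmith|AUTHN_METHOD_SUCCESS|am-replica1
5/19/2016 7:32:07 AM|jsmith|Next tokencode mode activated for token|am-primary
5/19/2016 8:00:01 AM|mjones|AUTHN_METHOD_FAILED|am-primary
5/19/2016 8:00:20 AM|mjones|AUTHN_METHOD_FAILED|am-primary
5/19/2016 8:00:41 AM|mjones|Next tokencode mode activated for token|am-primary
5/19/2016 9:10:00 AM|akim|AUTHN_METHOD_SUCCESS|am-primary
"""


@dataclass
class Event:
    when: datetime
    user: str
    key: str
    instance: str


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited export line (constructed layout, see above)."""
    ts, user, key, instance = (field.strip() for field in line.split("|"))
    return Event(datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), user, key, instance)


def classify_ntc_events(log_text: str) -> list[dict]:
    """Return one finding per NTC event, with the verdict and the instances involved."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev.user].append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)  # export order is not guaranteed
        for i, ev in enumerate(events):
            if ev.key != NTC_KEY:
                continue
            prev = events[i - 1] if i else None
            if prev is None:
                verdict = "no prior event in export"
            elif prev.key == SUCCESS_KEY and prev.instance != ev.instance:
                # The article's signature: valid code on one instance, NTC on the other.
                verdict = "clock drift suspected"
            elif prev.key == SUCCESS_KEY:
                verdict = "success on same instance; check token clock drift"
            else:
                verdict = "failure-related"
            findings.append({
                "user": user,
                "when": ev.when.isoformat(),
                "verdict": verdict,
                "instances": (prev.instance if prev else None, ev.instance),
            })
    return findings


def drift_pairs(findings: list[dict]) -> Counter:
    """Count (instance with success, instance with NTC) pairs for drift findings.
    A pair that dominates the report tells you which instances' time sources to check."""
    return Counter(f["instances"] for f in findings if f["verdict"] == "clock drift suspected")


if __name__ == "__main__":
    results = classify_ntc_events(SAMPLE_LOG)
    for f in results:
        print(f"{f['when']}  {f['user']:<8} {f['verdict']:<45} {f['instances']}")
    print("instance pairs to check:", dict(drift_pairs(results)))
```

Run it against a real export after adapting parse_line to the export's column layout; if drift_pairs reports one pair repeatedly, compare the system time on those two instances before resynchronising tokens.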

Resolution

Fix the time, specifically the time source (NTP) configured on the Primary and all Replicas, so that every instance keeps the same time.

Workaround

Run ./rsautil sync-tokens -I to clear NTC and lockouts, but this is only a temporary patch. If the Primary and Replica clocks are more than 2 minutes apart, the problem will recur whenever a user authenticates against one instance and then the other.

Notes

See also KB 000027095 - Explanation of Next Token Code Mode and Small Medium and Large Windows in SecurID Authentication
