000032860 - Offline Days not Refreshing on Windows Authentication Agent for Authentication Manager 8.1 SP1 or later versions

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000032860
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.1[101]
Platform: Windows
O/S Version: 7 Professional (64 bit)
 
Issue

Offline days do not refresh on Windows Authentication Agent ver. 7.2.1[101] for Authentication Manager 8.1 SP1 or later. The offline days refresh fails with DaSvcProofDownloader::processDLTicket: receiver failed. The problem may be intermittent; a workaround may be to delete all offline days.
Engineering has been looking into various Offline Authentication (OA), also called Disconnected Authentication (DA), problems with the 7.2.1 Windows agent. Invalid proof errors have been fixed in Agent build 101, version 7.2.1[101].
 
However, if you see a long run of repeating upper-case A's in the imsTraceFile, this could indicate a bad or corrupt server.cer file on the agent. The server.cer file contains the public key used to encrypt traffic from the agent to the AM server, typically on TCP port 5580. The exact symptom looks like this in the DAService(da_svc).log file on the Windows Agent with Verbose logging enabled:
 


.ServerList, INFO, myserver.domain.com,,,,Server list is:
|AAAAAgAAAABBNzBUQ1JQUEFDRTAxLmE3MGFkb20uYmNic3NjLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA. . . repeating As until end. . .
AAAA= Agent number of retries: 5
 Agent time-out between retries: 5
 Authentication port: 5500
 Authentication service: "securid"
2016-04-05 17:34:21,586, [AutoRegConnectionHandler2], (AutoRegSessionImpl.java:135),
trace.com.rsa.authmgr.internal.agentreg.msgprocessor.AutoRegSessionImpl,
INFO, myserver.domain.com,,,,SSL handshake fails:
javax.net.ssl.SSLException: MAC data does not match.

 


Essentially, a whole bunch of repeating A's.

Cause

Corrupt server.cer on Windows agent.

Resolution

Replace server.cer file on the Windows 7.2.1[101] agent.  It is located in:
  
C:/Program Files/RSA/RSA Authentication Agent/Agenthost Autoreg Utility/server.cer
 
Obtain a valid new copy from the Security Console - Access - Authentication Agents - Download Server Certificate File
Download it. The file is listed as 1 KB in Windows File Manager, but from the CMD prompt it should show around 637 bytes. There was a known issue with AM 7.1 where the certificate download appended an additional 52 KB of HTML with embedded JavaScript to the end of the certificate. This has not been causing an issue with the Windows Agent 7.2, but it is an issue for the newer Windows Agent 7.3, which uses TLSv1.2 as its SSL protocol. It should not be a problem with AM 8.1 SP1.
 
Replace the existing server.cer in the agent folder

C:/Program Files/RSA/RSA Authentication Agent/Agenthost Autoreg Utility/server.cer
You should only need to reboot to make the new certificate work.
 
You may want to perform a few successful Test Authentications in the RSA Control Center to ensure the agent is working, then test OA.
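
Before copying the downloaded server.cer into the agent folder, the size and appended-HTML conditions described above can be checked mechanically. The following is an added example, not RSA code: it assumes the file is an X.509 certificate in DER or PEM encoding (the article does not state which), the 200-byte tolerance around 637 is an assumed value, and the function names are hypothetical. It inspects only the outer framing and trailing bytes; it does not validate the certificate itself.

```python
import base64
import re
import sys
from pathlib import Path

EXPECTED_SIZE = 637   # "around 637 bytes" per the article
TOLERANCE = 200       # assumption: how far from 637 still counts as "around"

def der_total_length(der: bytes) -> int:
    """Header + content length declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_server_cer(data: bytes) -> list:
    """Return a list of problems; an empty list means the framing looks sane."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    data, re.S)
    try:
        der = base64.b64decode(b"".join(pem.group(1).split())) if pem else data
        total = der_total_length(der)
    except ValueError as exc:               # binascii.Error is a ValueError too
        return [f"not a certificate: {exc}"]
    problems = []
    if total > len(der):
        problems.append(f"truncated: header declares {total} bytes, {len(der)} present")
    trailing = data[pem.end():].strip() if pem else der[total:]
    if trailing:                            # e.g. the HTML/JavaScript the AM 7.1 download appended
        html = re.search(rb"<\s*(!doctype|html|script)", trailing, re.I)
        kind = "HTML/script" if html else "unknown data"
        problems.append(f"{len(trailing)} bytes of {kind} after the certificate")
    if abs(len(data) - EXPECTED_SIZE) > TOLERANCE:
        problems.append(f"file is {len(data)} bytes, expected about {EXPECTED_SIZE}")
    return problems

def sample_der() -> bytes:
    """Constructed 637-byte stand-in: valid outer framing, dummy contents."""
    return b"\x30\x82\x02\x79" + bytes(633)

if __name__ == "__main__":
    blob = sample_der() + b"<html><script></script></html>" * 100  # constructed bad file
    if len(sys.argv) > 1:
        blob = Path(sys.argv[1]).read_bytes()
    for line in check_server_cer(blob) or ["server.cer framing looks sane"]:
        print(line)
```

Run it with the path to the downloaded file as the only argument; with no argument it checks the constructed bad sample.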

 

Workaround

Clear all offline days and then logon.
