000012733 - Slow Windows login; Windows Password Integration (WPI) does not work for RSA Authentication Agent 7.3.3 for Windows

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Jan 7, 2020
Version 3

Article Content

Article Number: 000012733
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent
RSA Version/Condition: 7.3.3, 7.4.2, 7.4.3
 
Issue

The main symptom is a very slow login through the RSA Authentication Agent 7.3.3 and 7.4.x for Windows. It takes a long time for the Windows desktop to appear after the user enters their passcode. Optionally, they next enter their Windows password when prompted, if Windows Password is not enabled. Then it can still take up to five minutes until login finishes and the user can see the desktop. Sometimes the logon will time out and return the user to the passcode prompt.

If Windows agent verbose logging is enabled, you will see many of the following symptoms in the various logs.




SIDCredentialProvider(LogonUI).log 



m_credState = CS_USER_PW_UNAVAILABLE_CHALLENGED_USER

2014-02-24 18:09:41.167 4904.3900 [I] [Helpers::parseNetbiosOrUpnName] wsLogonName = <domain>\<user ID>
2014-02-24 18:09:41.167 4904.3900 [V] [Helpers::parseNetbiosOrUpnName] Return
2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] samUsername: <domain>\<user ID>
2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: <domain>\<user ID>, Logon status: Logged on, Other user: False, DefaultCredential: False

2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: Other User, Logon status: , Other user: True, DefaultCredential: False

2014-02-24 18:09:41.183 4904.3900 [V] [Helpers::getMachineJoinedDomain] getMachineJoinedDomain() -- Failed to find default domain from Registry Key -- return the primary domain.

2014-02-24 18:09:41.885 4904.3900 [V] [RsaDesktopConfig::RsaDesktopConfig] Unable to open policy key "SOFTWARE\Policies\RSA\RSA Desktop\Common Settings", error = 0x2
2014-02-24 18:14:04.197 3476.4980 [E] [CredentialProviderFilterPolicy::buildFilterPolicyMap] Error trying to obtain subkeys

2014-02-24 19:05:53.346 2532.2064 [E] [AuthMechWrapper::authenticate] AuthMech getDomCredential failed to retrieve size: 0x17

2019-02-24 19:13:34.663 3028.3760 [E] [AuthMechWrapper::authenticate] AuthMech authenticate failed: 0x8

 

/opt/rsa/am/server/imsTrace.log 



[3740] 11:35:29.983 File:loadbal.c Line:3077 # Enters get_response_segs()
[3740] 11:35:29.983 File:loadbal.c Line:3089 # get_response_segs() [0x04AB7FD0] OK2 cnt=2, ptr=4ab9834
[3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #0, type 8
[3740] 11:35:29.983 File:loadbal.c Line:3517 # get_response_segs() da download segment
[3740] 11:35:29.983 File:loadbal.c Line:3546 # TDB-store tokInterval and lenPIN in da_handle.
[3740] 11:35:29.983 File:loadbal.c Line:3581 # get_response_segs DA Download: disable on server
[3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #1, type 9
[3740] 11:35:29.983 File:loadbal.c Line:3645 # get_response_segs() login password segment
[3740] 11:35:29.983 File:loadbal.c Line:3662 # get_response_segs login password seg status: 2
[3740] 11:35:29.983 File:loadbal.c Line:3753 # Leaving get_response_segs()
[3740] 11:35:29.983 File:acutil.c Line:165 # SyncAPICallback(): curr=0x04AB7FD0 handle=0x433F552B - Set Event Result Code: 0
[2624] 11:35:29.983 File:newsd_api.c Line:348 # Leaving SD_Check() return(auth status): 0
[2624] 11:35:29.983 File:acexport.c Line:1501 # Entering AceGetDAAuthData()
[2624] 11:35:29.983 File:acexport.c Line:1647 # Leaving AceGetDAAuthData() return: ACE_SUCCESS
[2624] 11:35:29.983 File:acexport.c Line:1313 # Entering AceGetLoginPW()
[2624] 11:35:29.983 File:sddiskio.c Line:129 # enter get_node_secret
[2624] 11:35:29.983 File:sddiskio.c Line:133 # node secret returned from cache
[2624] 11:35:29.983 File:aceda_uti.c Line:45 # Leaving DoNodeSecretHash: Success
[2624] 11:35:29.983 File:acexport.c Line:1368 # Leaving AceGetLoginPW() return: ACE_SUCCESS


 




C:\ProgramData\RSA\LogFiles\SIDAuthenticator(LoginUI).log



2019-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged
2019-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded.
2019-02-24 19:35:27.971 3188.2624 [E] [CommonAuthenticator::isAutoRegistrationServiceInstalled] Unable to open auto registration service: error = 0x424
2019-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number =
2019-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3
2019-02-24 19:37:34.629 3188.2624 [V] [CommonAuthenticator::setWindowsPassword] Return

 



C:\ProgramData\RSA\LogFiles\DAService(da_svc).log



DASvcDpsLink::establishConnection( dpsPort=5580, dpsAddress=bb020a0a ) starts. [File:da_svc_dpslink.cpp Line:154  Family:DA_SVC ]
2019-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected starts                         [File:da_svc_dpslink.cpp Line:400  Family:DA_SVC_API ]
2019-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected there is no connection returning false
UserChallengeStateInfo::UserChallengeStateInfo() - Failed getting the dayfile directory from the re registry
                                       [File:challengedinfoserializedhashmap.cpp Line:19  Family:DA_SVC ]
RequestDispatcher:RequestHandler error
DaSvcNetworkListener::SetupNotifications nla failed
DaSvcServiceMain() - The DisableDAServicePolicy indicates that the DA Service is enabled, delete the registry key which AuthAPI uses to disable the DA Service. [File:da_svc_main.cpp Line:117  Family:DPS ]
2019-02-24 19:05:18.834 1276.1320 [I] deleteDAuthDisableKey()- RegDeleteKey failed, error=2


 



C:\ProgramData\RSA\LogFiles\DAServiceAPI(LoginUI).log



DaSvcConfig::init: dps port: 5580, dah port: 5580
DpsDL::getFixedBuffer - Failed IsRead check                 [File:dps_dl.cpp Line:568  Family:DPS ]
2019-02-21 20:52:11.700 3900.1164 [I] DaSvcAPIFactory::exception: Read timeout/failure.
DASvcApiLink::serverExchange receive failed. (2003)
Cause

This behavior occurs when:
  • TCP port 5580 is blocked and/or Offline Authentication is not enabled on the RSA Authentication Manager server while the Offline Authentication local service is running on the Windows agent.
  • Windows Password Integration (WPI) requires that the offline authentication service be enabled on the RSA Authentication Manager server. If the agent's offline service is running, but the Authentication Manager primary policy has not enabled Offline Authentication, then the agent takes five minutes to log in and Windows Password Integration does not work.
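
As an added illustration (not RSA's code), the script below scans agent log lines for failure strings quoted in the excerpts above and reports any thread that goes silent for longer than a threshold, which is how the stall appears in the SIDAuthenticator log. The `triage` function, the 60-second threshold and the short descriptions are assumptions; the sample lines are copied from the excerpts on this page.

```python
import re
from datetime import datetime

# Entry layout of the agent logs quoted above:
# "<date> <time> <pid>.<tid> [<level>] <message>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+\.\d+) \[(\w)\] (.*)$")

# Failure strings taken from the excerpts on this page; descriptions are this example's wording.
SIGNATURES = {
    "AceSetLogonPW failed: aceRet = 0x7d3": "setWindowsPassword failed (WPI)",
    "isConnected there is no connection": "offline service has no server connection",
    "Read timeout/failure": "offline service API read timed out",
}

def triage(lines, stall_seconds=60):
    """Return (findings, stalls): matched signatures and per-thread gaps >= stall_seconds."""
    findings, stalls, last_seen = [], [], {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # entries without a timestamp prefix cannot be timed, so skip them
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        thread, message = m.group(2), m.group(4)
        prev = last_seen.get(thread)
        if prev is not None:
            gap = (ts - prev).total_seconds()
            if gap >= stall_seconds:  # threshold is an assumption, tune per environment
                stalls.append((thread, round(gap, 3), message))
        last_seen[thread] = ts
        for needle, meaning in SIGNATURES.items():
            if needle in message:
                findings.append((m.group(1), meaning))
    return findings, stalls

# Lines copied from the SIDAuthenticator and DAServiceAPI excerpts above.
SAMPLE = """\
2019-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged
2019-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded.
2019-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number =
2019-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3
2019-02-21 20:52:11.700 3900.1164 [I] DaSvcAPIFactory::exception: Read timeout/failure.
DASvcApiLink::serverExchange receive failed. (2003)
"""

if __name__ == "__main__":
    found, stalled = triage(SAMPLE.splitlines())
    for when, meaning in found:
        print(when, meaning)
    for thread, gap, message in stalled:
        print(f"thread {thread} silent for {gap}s before: {message}")
```
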
Resolution

You may need to install the latest RSA Authentication Agent 7.3.3 build 99 from 2018 or later, but also make sure TCP port 5580 is open from the agent to the server, or disable the offline service on the agent. Login will then take only 30 seconds.

If you need Windows Password Integration, do not disable the local offline service on the Windows agent. Leave it running but allow it to work by enabling Offline Authentication on the primary Authentication Manager server: log in to the Security Console and navigate to Authentication > Policies > Offline Policy. If you need Windows Password Integration, you need to enable both Offline Authentication and Windows Password Integration in Authentication Manager.

Workaround

As a workaround, disable Windows Password Integration, offline days and the Windows local offline authentication service to prevent the agent from attempting to contact the Authentication Manager server on port 5580.
Legacy Article ID: a64280
