000012733 - Very slow Windows login on Agent 7.2.1 (Windows Password Intergration does not work)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000012733
Applies ToRSA Authentication Agent Offline Local  Enables RSA Authentication Manager offline authentication.
7.2.1 build 28, 7.2.1 build 41 Local Authentication Agent, LAC, Authentication Agent Host
Windows 7, Windows 2008 R2, Windows Server, Windows agent, LAC version 7.2.1
Authentication Manager versions 6.1.2 through 8.1, AM 7.1 SP4 AM 8.0, AM 8.1
 
IssueSIDCredentialProvider(LogonUI).log
m_credState = CS_USER_PW_UNAVAILABLE_CHALLENDED_USER
2014-02-24 18:09:41.167 4904.3900 [I] [Helpers::parseNetbiosOrUpnName] wsLogonName = INTREPIDLS\jsolberg
2014-02-24 18:09:41.167 4904.3900 [V] [Helpers::parseNetbiosOrUpnName] Return
2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] samUsername: INTREPIDLS\jsolberg
2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: INTREPIDLS\jsolberg, Logon status: Logged on, Other user: False, DefaultCredential: False
2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: Other User, Logon status: , Other user: True, DefaultCredential: False
2014-02-24 18:09:41.183 4904.3900 [V] [Helpers::getMachineJoinedDomain] getMachineJoinedDomain() -- Failed to find default domain from Registry Key -- return the primary domain.
2014-02-24 18:09:41.885 4904.3900 [V] [RsaDesktopConfig::RsaDesktopConfig] Unable to open policy key "SOFTWARE\Policies\RSA\RSA Desktop\Common Settings", error = 0x2
2014-02-24 18:14:04.197 3476.4980 [E] [CredentialProviderFilterPolicy::buildFilterPolicyMap] Error trying to obtain subkeys
2014-02-24 19:05:53.346 2532.2064 [E] [AuthMechWrapper::authenticate] AuthMech getDomCredential failed to retrieve size: 0x17
2014-02-24 19:13:34.663 3028.3760 [E] [AuthMechWrapper::authenticate] AuthMech authenticate failed: 0x8
very slow Login, enter Passcode, then quick prompt for Windows Password, then 5 minutes until login finishes and can see desktop, if it does not timeout
trace.log
[3740] 11:35:29.983 File:loadbal.c Line:3077 # Enters get_response_segs()
[3740] 11:35:29.983 File:loadbal.c Line:3089 # get_response_segs() [0x04AB7FD0] OK2 cnt=2, ptr=4ab9834
[3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #0, type 8
[3740] 11:35:29.983 File:loadbal.c Line:3517 # get_response_segs() da download segment
[3740] 11:35:29.983 File:loadbal.c Line:3546 # TDB-store tokInterval and lenPIN in da_handle.
[3740] 11:35:29.983 File:loadbal.c Line:3581 # get_response_segs DA Download: disable on server
[3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #1, type 9
[3740] 11:35:29.983 File:loadbal.c Line:3645 # get_response_segs() login password segment
[3740] 11:35:29.983 File:loadbal.c Line:3662 # get_response_segs login password seg status: 2
[3740] 11:35:29.983 File:loadbal.c Line:3753 # Leaving get_response_segs()
[3740] 11:35:29.983 File:acutil.c Line:165 # SyncAPICallback(): curr=0x04AB7FD0 handle=0x433F552B - Set Event Result Code: 0
[2624] 11:35:29.983 File:newsd_api.c Line:348 # Leaving SD_Check() return(auth status): 0
[2624] 11:35:29.983 File:acexport.c Line:1501 # Entering AceGetDAAuthData()
[2624] 11:35:29.983 File:acexport.c Line:1647 # Leaving AceGetDAAuthData() return: ACE_SUCCESS
[2624] 11:35:29.983 File:acexport.c Line:1313 # Entering AceGetLoginPW()
[2624] 11:35:29.983 File:sddiskio.c Line:129 # enter get_node_secret
[2624] 11:35:29.983 File:sddiskio.c Line:133 # node secret returned from cache
[2624] 11:35:29.983 File:aceda_uti.c Line:45 # Leaving DoNodeSecretHash: Success
[2624] 11:35:29.983 File:acexport.c Line:1368 # Leaving AceGetLoginPW() return: ACE_SUCCESS

SIDAuthenticator(LoginUI).log
2014-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged
2014-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded.
2014-02-24 19:35:27.971 3188.2624 [E] [CommonAuthenticator::isAutoRegistrationServiceInstalled] Unable to open auto registration service: error = 0x424
2014-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number =
2014-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3
2014-02-24 19:37:34.629 3188.2624 [V] [CommonAuthenticator::setWindowsPassword] Return

ControlCenter(RSAControlCenter).log
[SecurIDPlugin - RefreshOfflineDaysPage::RefreshOfflineDaysPage] Enter
DAService(da_svc).log
DASvcDpsLink::establishConnection( dpsPort=5580, dpsAddress=bb020a0a ) starts. [File:da_svc_dpslink.cpp Line:154  Family:DA_SVC ]
2014-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected starts                         [File:da_svc_dpslink.cpp Line:400  Family:DA_SVC_API ]
2014-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected there is no connection returning false
UserChallengeStateInfo::UserChallengeStateInfo() - Failed getting the dayfile directory from the re registry
                                       [File:challengedinfoserializedhashmap.cpp Line:19  Family:DA_SVC ]
RequestDispatcher:RequestHandler error
DaSvcNetworkListener::SetupNotifications nla failed
DaSvcServiceMain() - The DisableDAServicePolicy indicates that the DA Service is enabled, delete the registry key which AuthAPI uses to disable the DA Service. [File:da_svc_main.cpp Line:117  Family:DPS ]
2014-02-24 19:05:18.834 1276.1320 [I] deleteDAuthDisableKey()- RegDeleteKey failed, error=2
DAServiceAPI(LoginUI).log
DaSvcConfig::init: dps port: 5580, dah port: 5580
DpsDL::getFixedBuffer - Failed IsRead check                 [File:dps_dl.cpp Line:568  Family:DPS ]
2014-02-21 20:52:11.700 3900.1164 [I] DaSvcAPIFactory::exception: Read timeout/failure.
DASvcApiLink::serverExchange receive failed. (2003)

 
CauseTCP Port 5580 is blocked and/or Offline Authentication not enabled on AM Server while Offline Authentication local service is running on the Agent
Windows Password Integration requires that the Offline authentication Service be enabled on the AM Server, if LAC offline service is running but AM Primary Policy has not enabled Offline Authentication then the LAC takes 5 minutes to login and Windows Password Integration does not work
 
ResolutionMay need latest 7.2.1 agent, build 41 as of Q1 2014, but also make sure TCP port 5580 is open from agent to Server, or disable the offline service on the agent (then your login will only take 30 seconds)
If you need Windows Password integration, then do not disable the offline Service local on the Windows Agent, leave it running but allow it to work by enabling Offline Authentication on the RSA Server under the Security Console - Authentication - Policies - Offline Policy.  Yes you heard correctly, if you need Windows Password Integration, you need to enable both Offline Authentication and Windows Password Integration in the AM Security console Policy.
 
NotesWith older service packs of Authentication Manager 6.1 , the Authentication Manager server may not release old connections to 5580 , and eventually will stop accepting new connections. This can be checked by using:
Windows
netstat -an | find "5580" 
UNIX/Linux
netstat -an | grep 5580  
Restarting the offline Authentication Daemon (on Windows) or all Services (on UNIX/Linux)  will release the connections as a workaround.  Update to 6.1.5 on all servers and Windows-based Remote Admin systems for a better fix.
 
Legacy Article IDa64280

Attachments

    Outcomes