on Jun 14, 2016Article Content
| Article Number | 000012733 |
| Applies To | RSA Authentication Agent Offline Local Enables RSA Authentication Manager offline authentication. 7.2.1 build 28, 7.2.1 build 41 Local Authentication Agent, LAC, Authentication Agent Host Windows 7, Windows 2008 R2, Windows Server, Windows agent, LAC version 7.2.1 Authentication Manager versions 6.1.2 through 8.1, AM 7.1 SP4 AM 8.0, AM 8.1 |
| Issue | SIDCredentialProvider(LogonUI).log m_credState = CS_USER_PW_UNAVAILABLE_CHALLENDED_USER 2014-02-24 18:09:41.167 4904.3900 [I] [Helpers::parseNetbiosOrUpnName] wsLogonName = INTREPIDLS\jsolberg 2014-02-24 18:09:41.167 4904.3900 [V] [Helpers::parseNetbiosOrUpnName] Return 2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] samUsername: INTREPIDLS\jsolberg 2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: INTREPIDLS\jsolberg, Logon status: Logged on, Other user: False, DefaultCredential: False 2014-02-24 18:09:41.167 4904.3900 [I] [Provider::getCredentialProviderUsers_PreWindows8] Adding user: Other User, Logon status: , Other user: True, DefaultCredential: False 2014-02-24 18:09:41.183 4904.3900 [V] [Helpers::getMachineJoinedDomain] getMachineJoinedDomain() -- Failed to find default domain from Registry Key -- return the primary domain. 2014-02-24 18:09:41.885 4904.3900 [V] [RsaDesktopConfig::RsaDesktopConfig] Unable to open policy key "SOFTWARE\Policies\RSA\RSA Desktop\Common Settings", error = 0x2 2014-02-24 18:14:04.197 3476.4980 [E] [CredentialProviderFilterPolicy::buildFilterPolicyMap] Error trying to obtain subkeys 2014-02-24 19:05:53.346 2532.2064 [E] [AuthMechWrapper::authenticate] AuthMech getDomCredential failed to retrieve size: 0x17 2014-02-24 19:13:34.663 3028.3760 [E] [AuthMechWrapper::authenticate] AuthMech authenticate failed: 0x8 very slow Login, enter Passcode, then quick prompt for Windows Password, then 5 minutes until login finishes and can see desktop, if it does not timeout trace.log [3740] 11:35:29.983 File:loadbal.c Line:3077 # Enters get_response_segs() [3740] 11:35:29.983 File:loadbal.c Line:3089 # get_response_segs() [0x04AB7FD0] OK2 cnt=2, ptr=4ab9834 [3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #0, type 8 [3740] 11:35:29.983 File:loadbal.c Line:3517 # get_response_segs() da download segment [3740] 11:35:29.983 File:loadbal.c Line:3546 # TDB-store tokInterval and lenPIN in da_handle. [3740] 11:35:29.983 File:loadbal.c Line:3581 # get_response_segs DA Download: disable on server [3740] 11:35:29.983 File:loadbal.c Line:3113 # get_response_segs(): processing segment #1, type 9 [3740] 11:35:29.983 File:loadbal.c Line:3645 # get_response_segs() login password segment [3740] 11:35:29.983 File:loadbal.c Line:3662 # get_response_segs login password seg status: 2 [3740] 11:35:29.983 File:loadbal.c Line:3753 # Leaving get_response_segs() [3740] 11:35:29.983 File:acutil.c Line:165 # SyncAPICallback(): curr=0x04AB7FD0 handle=0x433F552B - Set Event Result Code: 0 [2624] 11:35:29.983 File:newsd_api.c Line:348 # Leaving SD_Check() return(auth status): 0 [2624] 11:35:29.983 File:acexport.c Line:1501 # Entering AceGetDAAuthData() [2624] 11:35:29.983 File:acexport.c Line:1647 # Leaving AceGetDAAuthData() return: ACE_SUCCESS [2624] 11:35:29.983 File:acexport.c Line:1313 # Entering AceGetLoginPW() [2624] 11:35:29.983 File:sddiskio.c Line:129 # enter get_node_secret [2624] 11:35:29.983 File:sddiskio.c Line:133 # node secret returned from cache [2624] 11:35:29.983 File:aceda_uti.c Line:45 # Leaving DoNodeSecretHash: Success [2624] 11:35:29.983 File:acexport.c Line:1368 # Leaving AceGetLoginPW() return: ACE_SUCCESS SIDAuthenticator(LoginUI).log 2014-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged 2014-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded. 2014-02-24 19:35:27.971 3188.2624 [E] [CommonAuthenticator::isAutoRegistrationServiceInstalled] Unable to open auto registration service: error = 0x424 2014-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number = 2014-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3 2014-02-24 19:37:34.629 3188.2624 [V] [CommonAuthenticator::setWindowsPassword] Return ControlCenter(RSAControlCenter).log [SecurIDPlugin - RefreshOfflineDaysPage::RefreshOfflineDaysPage] Enter DAService(da_svc).log DASvcDpsLink::establishConnection( dpsPort=5580, dpsAddress=bb020a0a ) starts. [File:da_svc_dpslink.cpp Line:154 Family:DA_SVC ] 2014-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected starts [File:da_svc_dpslink.cpp Line:400 Family:DA_SVC_API ] 2014-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected there is no connection returning false UserChallengeStateInfo::UserChallengeStateInfo() - Failed getting the dayfile directory from the re registry [File:challengedinfoserializedhashmap.cpp Line:19 Family:DA_SVC ] RequestDispatcher:RequestHandler error DaSvcNetworkListener::SetupNotifications nla failed DaSvcServiceMain() - The DisableDAServicePolicy indicates that the DA Service is enabled, delete the registry key which AuthAPI uses to disable the DA Service. [File:da_svc_main.cpp Line:117 Family:DPS ] 2014-02-24 19:05:18.834 1276.1320 [I] deleteDAuthDisableKey()- RegDeleteKey failed, error=2 DAServiceAPI(LoginUI).log DaSvcConfig::init: dps port: 5580, dah port: 5580 DpsDL::getFixedBuffer - Failed IsRead check [File:dps_dl.cpp Line:568 Family:DPS ] 2014-02-21 20:52:11.700 3900.1164 [I] DaSvcAPIFactory::exception: Read timeout/failure. DASvcApiLink::serverExchange receive failed. (2003) |
| Cause | TCP Port 5580 is blocked and/or Offline Authentication not enabled on AM Server while Offline Authentication local service is running on the Agent Windows Password Integration requires that the Offline authentication Service be enabled on the AM Server, if LAC offline service is running but AM Primary Policy has not enabled Offline Authentication then the LAC takes 5 minutes to login and Windows Password Integration does not work |
| Resolution | May need latest 7.2.1 agent, build 41 as of Q1 2014, but also make sure TCP port 5580 is open from agent to Server, or disable the offline service on the agent (then your login will only take 30 seconds) If you need Windows Password integration, then do not disable the offline Service local on the Windows Agent, leave it running but allow it to work by enabling Offline Authentication on the RSA Server under the Security Console - Authentication - Policies - Offline Policy. Yes you heard correctly, if you need Windows Password Integration, you need to enable both Offline Authentication and Windows Password Integration in the AM Security console Policy. |
| Notes | With older service packs of Authentication Manager 6.1 , the Authentication Manager server may not release old connections to 5580 , and eventually will stop accepting new connections. This can be checked by using: Windows netstat -an | find "5580" UNIX/Linux netstat -an | grep 5580 Restarting the offline Authentication Daemon (on Windows) or all Services (on UNIX/Linux) will release the connections as a workaround. Update to 6.1.5 on all servers and Windows-based Remote Admin systems for a better fix. |
| Legacy Article ID | a64280 |