000033179 - Node secret issues after setting up RSA SecurID Authentication Agent 8.0 for Web for Internet Information Services (IIS)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Oct 24, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000033179
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent 8.0 Web for IIS
RSA Version/Condition: 8.0
IssueThe agent is having the following issues completing a successful authentication:
  1. The node secret is not bring created.
  2. Test authentication fails after setting up the agent.
  3. After protecting the website/OWA through the agent, the test authentication fails from the website/OWA .
  4. On the RSA Authentication Manager, the Authentication Activity Monitor shows the following error:

Node secret mismatch: Cleared on the agent but not on the server
Cause
The items above are due to a permissions issue on the Windows server where the web agent is installed.
Resolution
  1. Login to the Windows Server as a local administrator where the web agent is installed.
  2. Disable User Account Control (UAC) settings.
    1. On the taskbar click Start.
    2. In the search field, type Change User Account Control settings.
    3. Click Open Change User Account Control settings.
    4. Pull the bar down to the bottom so the options for Never notify me when is set to Programs try to install software or make changes to my computer.
    5. Click OK.

UAC



  1. Disable the Windows firewall.
  2. Disable antivirus software, if enabled with IPS/IDS or Enabled with Enhanced Security.
  3. On the Control Panel, select and right click on the RSA Authentication Agent icon andchoose  run as administrator.
  4. On the Advanced tab, set the IP Address Override. Change the default IP of 255.255.255.255 to the IP address of the Windows server where the RSA web agent is installed.

IP Address Override


  1. Go back to the Main tab and do the test authentication from the RSA web agent by clicking Test Authentication with RSA Authentication Manager.

Test Authentication


  1. The node secret will be sent from the RSA Authentication Manager to the web agent on the first successful authentication. 

Node Secret Sent

Look for the file named securid (with no file extension) in C:\Program Files\RSA Security\RSAWebAgent.



Node Secret Created


  1. While the node secret file is sent to the agent on the first authentication attempt, it is not used until subsequent authentications.  To make sure the node secret is working correctly, repeat the test authentication four or five more times.
  2. Open a command prompt and run an iisreset.
  3. Do the test authentication from the protected website/OWA. 
    1.  If the test authentication from the protected website/OWA fails with the message below, check the node secret location on the IIS which the agent is protecting.  This error happens because the protected website/OWA is looking for the node secret file in an incorrect location or where the file does not exist.

Node secret mismatch: Cleared on the agent but not on the server


  1.  Copy the sdconf.rec, sdstatus.12 and securid files from C:\Program Files\RSA Security\RSAWebAgent to C:\Program Files (x86)\RSA Security\RSAWebAgent.

From Program Files Location 
 


To Program Files (x86) location


  1. Launch a command prompt and run iisreset.
  2. Now the test authentication will be successful from the protected website/OWA.

Attachments

    Outcomes