000022348 - Users repeatedly asked for passcode in RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022348
Applies ToRSA Authentication Manager 6.1
Microsoft Exchange Server
Microsoft Outlook Web Access (OWA)
session certificate time-out parameter
IssueUsers repeatedly asked for passcode in RSA Authentication Manager
Users locked out of domain
ResolutionSetting the session certificate timeout parameter in RSA Authentication Manager should determine when users' authentication sessions expire and, therefore, when users are reprompted for RSA SecurID passcodes. You can set the session certificate expiration time from 5 minutes to 1,440 minutes (one day); the default expiration for the session certificate is 5 minutes. However, for some operations, the Kerberos renewal ticket, one of the Microsoft domain settings, overrides the session certificate. Therefore, users are reprompted for passcodes when the Kerberos renewal ticket expires and not when the session certificate expires. The default expiration time for the Kerberos renewal ticket is 10 hours. Please see Microsoft's documentation on setting the Kerberos renewal ticket.
Legacy Article IDa28039