|Applies To||RSA Authentication Manager 6.0|
RSA Authentication Agent 6.0
Microsoft Windows 2000
Microsoft Windows Server 2003
|Issue||What are the Domain Authentication Server Agent and Client Agent services in RSA Authentication Manager?|
|Resolution||Domain Authentication Server Agent Services|
The Domain Authentication Server Agent component utilizes several subcomponents to process information beyond the RSA ACE/Server authentications. They are:
- A Password Filter to capture any user password changes in the domain and update the user's information stored in the RSA ACE/Server Database (if Windows Password Integration is enabled)
- A Sub-Auth service to handle user authentication to the RSA ACE/Server on behalf of the domain clients. The Sub-Auth service in turn utilizes the following components:
  - A Sub-Auth filter intercepts user access to domain resources and requests certificate verification from the Domain Authentication Client Agent (if valid, the user is granted access; if invalid, the user must authenticate or re-authenticate). The Sub-Auth filter is implemented with the Microsoft Sub-Auth API.
  - An Auth Proxy Service to handle authentication communication to the RSA ACE/Server. The Auth Proxy is implemented with SSL libraries and RSA's authentication API.
- Session Certificate creation component. When a user logging on to a Domain Authentication Client host successfully authenticates, the Domain Authentication Server Agent creates a Session Certificate and sends it to the Domain Authentication Client host. If at a later time the user attempts to access a protected resource, the Domain Authentication Client can offer the Session Certificate as proof of authentication (rather than requiring the user to re-authenticate). However, if the Session Certificate has reached its expiration (an Agent parameter setting), then the user must re-authenticate.
Domain Authentication Client Agent Services
The Domain Authentication Client Agent contains an additional service that performs the following functions:
- It handles any post-logon requests from the Domain Authentication Server Agent for user credentials (valid Session Certificate)
- If a Session Certificate does not exist or is invalid, it initiates a new challenge interface to the user
Offline Authentication Services
Offline data management services exist as a part of the Local and Domain Agents. These services manage the creation and removal (clean-up) of Offline data files stored on the respective machines for users who log on and who are registered users in the RSA ACE/Server database. In addition, the Domain Authentication Server Agent Offline Authentication Service provides additional support for Domain Authentication Client Agent machines. It performs these additional functions:
- A Download Proxy service 'pushes' Offline Authentication data to Domain Authentication Client Agent machines, and a Log Upload Proxy service 'pulls' any Offline events from Domain Authentication Client Agent machines
- A Remote Offline Authentication Verification service allows the Domain Authentication Server Agent to verify an authentication that occurs through a Domain Authentication Client Agent. This applies when the RSA ACE/Server is in an Offline state and the Domain Authentication Client Agent is in contact with the Domain Authentication Server Agent.
|Legacy Article ID||a24866|