000021760 - What are the Domain Authentication Server Agent and Client Agent services in RSA Authentication Manager?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000021760

Applies To:
RSA Authentication Manager 6.0
RSA Authentication Agent 6.0
Microsoft Windows 2000
Microsoft Windows Server 2003

Issue: What are the Domain Authentication Server Agent and Client Agent services in RSA Authentication Manager?

Resolution:

Domain Authentication Server Agent Services

The Domain Authentication Server Agent component utilizes several subcomponents to process information beyond the RSA ACE/Server authentications. They are:

- A Password Filter to capture any user password changes in the domain and update the user's information stored in the RSA ACE/Server Database (if Windows Password Integration is enabled)

- A Sub-Auth service to handle user authentication to the RSA ACE/Server on behalf of the domain clients. The Sub-Auth service in turn utilizes the following components:

    - A Sub-Auth filter intercepts user access to domain resources and requests certificate verification from the Domain Authentication Client Agent (if valid, the user is granted access; if invalid, the user must authenticate or re-authenticate). The Sub-Auth filter is implemented with the Microsoft Sub-Auth API.

    - An Auth Proxy Service to handle authentication communication to the RSA ACE/Server. The Auth Proxy is implemented with SSL libraries and RSA's authentication API.

- Session Certificate creation component. When a user logging on to a Domain Authentication Client host successfully authenticates, the Domain Authentication Server Agent creates a Session Certificate and sends it to the Domain Authentication Client host. If at a later time the user attempts to access a protected resource, the Domain Authentication Client can offer the Session Certificate as proof of authentication (rather than requiring the user to re-authenticate). However, if the Session Certificate has reached its expiration (an Agent parameter setting), then the user must re-authenticate.

Domain Authentication Client Agent Services

The Domain Authentication Client Agent contains an additional service that performs the following functions:

- It handles any post-logon requests from the Domain Authentication Server Agent for user credentials (valid Session Certificate)

- If a Session Certificate does not exist or is invalid, it initiates a new challenge interface to the user

Offline Authentication Services

Offline data management services exist as a part of the Local and Domain Agents. These services manage the creation and removal (clean-up) of Offline data files stored on the respective machines for users who log on and who are registered users in the RSA ACE/Server database. In addition, the Domain Authentication Server Agent Offline Authentication Service provides additional support for Domain Authentication Client Agent machines. It performs these additional functions:

- A Download Proxy service 'pushes' Offline Authentication data to Domain Authentication Client Agent machines, and a Log Upload Proxy service 'pulls' any Offline events from Domain Authentication Client Agent machines

- A Remote Offline Authentication Verification service allows the Domain Authentication Server Agent to verify an authentication that occurs through a Domain Authentication Client Agent. This applies when the RSA ACE/Server is in an Offline state and the Domain Authentication Client Agent is in contact with the Domain Authentication Server Agent.

Legacy Article ID: a24866
