000023213 - Authentication fails for an ACE/Agent connecting to an ACE/Server through a firewall

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000023213
Applies To: RSA ACE/Server, Legacy RSA ACE/Agent (pre-version 5.0), Firewall, sdconf.rec
Issue: Authentication fails for an ACE/Agent connecting to an ACE/Server through a firewall
NT event log message on the agent: Signature violation:MAC
Cause: A firewall changes the UDP source port number of the authentication packet, and the agent subsequently rejects the reply.
Resolution: Since the release of ACE/Server 2.3 (and the Agent/Server protocol for authentication packets that came with it), a Message Authentication Code (MAC) has been used between the ACE/Server and the ACE/Agent to verify that the reply to a particular authentication came from the correct ACE/Server. The source UDP port number is one of the inputs to this MAC check.

The sequence with a direct connection would be the following:

1. The ACE/Agent sends an authentication request to the ACE/Server.
2. The ACE/Server notes which UDP source port the ACE/Agent used and, together with other data known only to the ACE/Server and the Agent, creates a MAC signature.
3. The ACE/Server sends its response to the ACE/Agent, including the MAC signature.
4. The ACE/Agent receives the packet, creates its own MAC signature and compares it with the signature in the packet to ensure they match.

In certain firewall configurations, the firewall receives the packet from the ACE/Agent and, when forwarding it to the ACE/Server, substitutes a UDP source port number of its own. When the ACE/Server responds and generates the MAC, it uses the firewall's UDP port number rather than the ACE/Agent's original one.

When the response packet reaches the ACE/Agent, the agent compares the MAC in the packet against the one it generates for itself, finds that they differ, and logs the error message above.
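As an added illustration (not RSA code, and not the actual ACE MAC algorithm, which this article does not describe), the following Python models the exchange above with HMAC-SHA256 standing in for the MAC: the server signs its reply with the UDP source port it observed, and the agent recomputes the MAC with the port it actually used. The shared secret and port numbers are constructed values.

```python
import hmac
import hashlib

# Constructed stand-in for the secret material shared by the ACE/Server and
# ACE/Agent (on a real system this comes from sdconf.rec and the node secret).
# The real ACE MAC algorithm is not described in the article; HMAC-SHA256 is
# used here only to illustrate the dependency on the UDP source port.
SHARED_SECRET = b"constructed-node-secret"


def compute_mac(secret: bytes, src_port: int, reply: bytes) -> bytes:
    """MAC over the reply body plus the UDP source port of the request."""
    msg = src_port.to_bytes(2, "big") + reply
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_reply(observed_src_port: int, reply: bytes):
    """ACE/Server side: sign the reply using the source port it saw on the request."""
    return reply, compute_mac(SHARED_SECRET, observed_src_port, reply)


def agent_verify(agent_src_port: int, reply: bytes, mac: bytes) -> bool:
    """ACE/Agent side: recompute the MAC with the port the agent itself sent from."""
    expected = compute_mac(SHARED_SECRET, agent_src_port, reply)
    return hmac.compare_digest(expected, mac)


def exchange(agent_src_port: int, port_seen_by_server: int) -> bool:
    """One request/reply; True if the agent accepts the reply.

    With a direct connection port_seen_by_server == agent_src_port. A firewall
    that rewrites the UDP source port before forwarding makes the two differ.
    """
    reply, mac = server_reply(port_seen_by_server, b"ACCESS_OK")
    return agent_verify(agent_src_port, reply, mac)


def direct_connection() -> bool:
    return exchange(agent_src_port=40001, port_seen_by_server=40001)


def through_nat_firewall() -> bool:
    # The firewall replaced source port 40001 with its own port 61234.
    return exchange(agent_src_port=40001, port_seen_by_server=61234)


if __name__ == "__main__":
    print("direct connection accepted:", direct_connection())     # True
    print("through firewall accepted:", through_nat_firewall())    # False
```

A False result corresponds to the "Signature violation:MAC" event the agent logs.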

There are two possible courses of action:

RSA Security strongly recommends upgrading both the ACE/Agent and the ACE/Server to version 5.0 or higher. The protocol was changed to resolve this problem, but the ACE/Agent in use must itself be a version 5.0 agent.

Where such an upgrade is not possible, a utility is available that lowers the protocol to the pre-ACE/Server 2.3 level.

WARNING:  USE OF THE UTILITY DOWNGRADES THE STRENGTH OF YOUR SECURITY.  IT CAN ALLOW AN UNOFFICIAL ACE/SERVER RESPONSE TO BE SENT TO YOUR ACE/AGENT.  IT SHOULD ONLY BE USED WHERE AN UPGRADE IS NOT POSSIBLE.

The utility, which runs on an NT or W2K machine, converts an sdconf.rec file from a 4.1 system into the earlier format; the converted file is then placed on the ACE/Agent on the far side of the firewall. Where ACE/Server 5.0 is already in use, the sdconf.rec file to convert is the one the ACE/Server produced for the legacy agent.

The utility can be downloaded from SecurCare Online as a password-protected ZIP file. The password to unlock the ZIP file is Pj4c8n7T5.
Legacy Article ID: a2491
