000016497 - Agent 7.X for IIS 7.5 on Windows 2008 for SecurID: AUTHN_METHOD_FAILED when trying to authenticate

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016497
Applies To-Real time authentication monitor shows "AUTHN_METHOD_FAILED
-All network connectivity has been verified, including name resolution
-The machine is not dual/multi homed
-The ip address being sent per the real time monitor is correct
-There are no firewalls between the servers
-the node secret (securid) file is not being recieved by the IIS server
-agent is set up properly in the security console of the AM server
IssueAgent 7.X for IIS 7.5 on Windows 2008r2 for SecurID: AUTHN_METHOD_FAILED when trying to authenticate
CauseWhile this is not the only cause of AUTHN_METHOD_FAILED, pay particular attention to the setting of DEP on windows server 2008. When DEP is set system wide for all programs, this can will prevent the the windows server from accepting the securid file (node secret), which the server by default pushes over on the first authentication request.  Without the node secret, the authentication request will be denied, even when the credentials are valid.
ResolutionTo test to see if this is the root cause of the node secret not being received by the IIS server agent, disable DEP using one of the two methods below:

Via gui:

Go to Start, right click on Computer and finally click on Properties. Now in the System window click on Advanced System Settings.
In the System Properties Windows, under Performance click Settings
In the Performance Options windows, navigate to Data Execution Prevention tab and select the second option ?Turn on DEP for all programs and services except those I select"

Via the command line:

click start->run->cmd
At the command line, simply type the following command and hit return:

  
bcdedit.exe /set {current} nx AlwaysOn
  
Retest authentication with the test utility provided with the IIS agent.

If this corrects the problem, you can re-enable DEP by reversing the above procedures, but excluding RSA from DEP override.

Contact Microsoft support for additional details on customizing the configuration of DEP.


NotesDEP is a Microsoft security feature which disallows executable files that need to access system memory from doing so.  The RSA agent follows this model, as it accesses system memory.  The RSA agent must be excluded from DEP.   Whenever a program that accesses memory is used, DEP is executed to check its validity.  When memory is accessed, and DEP does not either recognize the component as a Microsoft component  or the component is not excluded from DEP, it will automatically terminate it. This issue is common with 3rd party programs running on the Microsoft 2008 platform.
Legacy Article IDa59682

Attachments

    Outcomes