000030947 - Unable to Integrate Two Agents on the Same Host - Node Verification Mismatch

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000030947
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent
RSA Version/Condition: 7.2.1
Platform: Microsoft Windows
O/S Version: 2012 R2

Issue: Setting up RSA Authentication Agent 7.2.1 for Windows to protect a Microsoft Windows 2012 R2 server that hosts a third-party product sending native SecurID authentications to an Authentication Manager deployment fails, and Node Verification Mismatch messages are displayed in the Real-Time Authentication Activity monitor.

Cause: By default, User Account Control (UAC) is enabled on the Microsoft Windows 2012 R2 server, and this interferes with the copy task of the node secret.

Resolution: Perform the following steps to deactivate UAC on the Microsoft Windows 2012 server and set up the node secrets appropriately for the RSA Authentication Agent for Windows and the third-party product.
 
1. Clear all known node secrets for the RSA Authentication Agent for Windows, from the third-party product, and from the authentication agent record found in the Security Console of Authentication Manager.

   To clear the node secret from the RSA Authentication Agent for Windows, use the RSA Control Center.

   Refer to the third-party documentation on how to clear the node secret from the third-party product.

   Use this procedure to clear the node secret in the Security Console.

   i. In the Security Console, click Access > Authentication Agents > Manage Existing.

   ii. Click the Restricted or Unrestricted tab, depending on whether the agent that you want to search for is restricted or unrestricted.

   iii. Use the search fields to find the agent with the node secret that you want to manage.

   iv. Click the agent with the node secret that you want to manage, and click Manage Node Secret.

   v. To clear the node secret from the Authentication Manager server, select the Clear Node Secret check box and click Save.

  
2. Start a Real-Time Authentication Activity Monitor.

   i. In the Security Console, click Reporting > Real-Time Activity Monitors > Authentication Activity Monitor.

   ii. In the new pop-up window, click the Start Monitor button.

  
3. Deactivate User Account Control (UAC) on the Microsoft Windows 2012 server.

   For information on deactivating UAC on Microsoft Windows 2012, see http://social.technet.microsoft.com/wiki/contents/articles/13953.windows-server-2012-deactivating-uac.aspx

   IMPORTANT NOTE: This will require a system restart.
    
4. Perform a test authentication from the third-party product.

   The node secret (securid) file may be stored in the C:\Windows\System32 or C:\Windows\SysWOW64 folder. If the node secret is not stored in either location, refer to the third-party product documentation to find where it stores the node secret.

   NOTE: Watch the Real-Time Authentication Activity Monitor in case a failed authentication occurs.
    
5. Copy the node secret to the C:\Program Files\Common Files\RSA Shared\Auth Data folder, which is where the RSA Authentication Agent for Windows expects to find the node secret.

   Use the Node Secret Upload utility (agent_nsload.exe) to move the node secret.

   Example:

   agent_nsload -c "C:\Windows\system32\securid" "C:\Program Files\Common Files\RSA Shared\Auth Data"

   The usage of the Node Secret Load utility is covered in Chapter 3: Installing RSA Authentication Agent (page 47) of the RSA Authentication Agent 7.2 Installation and Administration Guide.

   NOTE: It is common for applications running on Windows 2012 to be 64-bit, so copy the node secret from \SysWOW64 to the \Auth Data directory where applicable.

   Example:

   agent_nsload -c "C:\Windows\SysWOW64\securid" "C:\Program Files\Common Files\RSA Shared\Auth Data"

6. Use the RSA Control Center of the RSA Authentication Agent for Windows to perform a test authentication.

   NOTE: Watch the Real-Time Authentication Activity Monitor in case a failed authentication occurs.

IMPORTANT NOTE: If UAC is required to be enabled on the Microsoft Windows 2012 server, reverse the changes made in step 3.
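
The checks around steps 3 to 5 can be scripted. The PowerShell below is an added example, not part of the RSA article or of RSA's tooling; it uses only the folder paths and the agent_nsload -c usage shown above. Assumptions: agent_nsload.exe has been extracted to C:\Temp (a placeholder path), and UAC state is read from the standard Windows EnableLUA policy value.

```powershell
# Added example, not RSA-supplied code. Run from an elevated 64-bit PowerShell.
$authData = 'C:\Program Files\Common Files\RSA Shared\Auth Data'
$nsload   = 'C:\Temp\agent_nsload.exe'   # ASSUMPTION: where the utility was extracted

# A 32-bit shell is silently redirected from System32 to SysWOW64, which
# would hide which of the two folders really holds the securid file.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from 64-bit PowerShell so System32 is not redirected.'
}

# UAC state (step 3): EnableLUA = 0 means UAC is off, 1 means UAC is on.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA).EnableLUA
Write-Host "EnableLUA = $lua"

# Step 4: look for the third-party product's node secret in both folders.
$found = @(
    Join-Path $env:windir 'System32\securid'
    Join-Path $env:windir 'SysWOW64\securid'
) | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    ForEach-Object { Get-Item -LiteralPath $_ -Force }

if (-not $found) {
    throw 'No securid file found; check the third-party documentation for its location.'
}
$found | Format-Table FullName, Length, LastWriteTime -AutoSize

# Prefer the most recently written file, i.e. the one created by the
# step 4 test authentication rather than a leftover copy.
$src = $found | Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Step 5: load it into the folder the RSA Authentication Agent for Windows reads.
& $nsload -c $src.FullName $authData

# Confirm something new landed in Auth Data, then list who has access to
# the folder: the node secret is a shared secret, so review these entries.
Get-ChildItem -LiteralPath $authData -Force |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 -Property Name, LastWriteTime
(Get-Acl -LiteralPath $authData).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If UAC is turned back on afterwards, the same EnableLUA read should report 1 once the server has restarted.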
 
Notes: The am-extras-8.1.0.0.0.zip file (found in Download Central, where the RSA Authentication Manager 8.1 software is obtainable) provides agent_nsload.exe in the Node Secret Utility folder.
Also, the RSA Authentication Agent 7.2.1 for Windows software, available from http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows, provides the Node Secret Upload utility (agent_nsload.exe) file.

Contacting RSA Customer Support
Telephone: For urgent issues, use one of the telephone numbers listed at http://www.emc.com/support/rsa/contact/phone-numbers.htm
Email: For non-urgent issues, email support@rsa.com
Case Management: Case Management is found at https://knowledge.rsasecurity.com/scolcms/mysupport.aspx (requires access to RSA SecurCare Online)
