000031188 - RSA Authentication Agent 7.1.3 for Web does not accept more than 16 characters in the password.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000031188
Applies To
Product Set: SecurID
Product: RSA Authentication Agent 7.1.3 for Web (IIS)
OS: Windows 2008 R2

The authentication fails with an error "100: Access denied. The RSA ACE/Server rejected the Passcode. Please try again."

The corresponding lines in aceclient.log are:
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:641 # logonuser failed 1326
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:845 # Invalid Token returned by rsa_s4uLogon
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:892 # Get Token Failed
RSA AM 8.x server, Authentication Agent for Windows, and Active Directory accept passwords with more than 16 characters.
Note: The OWA page does not have this restriction. As a result, if SSO is not enabled, SecurID authentication followed by Windows login works as expected. The restriction appears to be on the RSA Agent for Web login pages that use selective authentication.

Cause
If selective authentication is enabled, then users that are NOT challenged and have an Active Directory password of MORE THAN 16 characters will NOT be able to get past the SecurID web agent login page. The web page is limiting the passcode field to just 16 characters and trimming any extra characters. This issue has been reported in defect AAIIS-1211.

Resolution
This issue is resolved in RSA Authentication Agent for Web build 173.
Contact RSA Security technical support to obtain the latest build for Web Agent for IIS.
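
To find affected logons in a larger aceclient.log, the three-line failure sequence quoted above can be matched per thread ID; the Python script below is an added example, not RSA's code. The function name `find_token_failures` and the thread 4410 lines in the sample are constructed for illustration, and 1326 is the Win32 code ERROR_LOGON_FAILURE.

```python
import re

# Layout of the aceclient.log lines quoted in the article:
# [thread-id] h:mm:ss.mmm File:<source> Line:<n> # <message>
LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\]\s+(?P<time>\d{1,2}:\d{2}:\d{2}\.\d{3})\s+"
    r"File:(?P<src>\S+)\s+Line:(?P<line>\d+)\s+#\s+(?P<msg>.*)$"
)
# The three messages, in the order the article shows them.
STAGES = (
    re.compile(r"logonuser failed (\d+)"),
    re.compile(r"Invalid Token returned by rsa_s4uLogon"),
    re.compile(r"Get Token Failed"),
)
ERROR_LOGON_FAILURE = 1326  # Win32: user name or password is incorrect


def find_token_failures(lines):
    """Return one dict per thread that logs all three stages in order."""
    pending, hits = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an aceclient.log record in this layout
        tid, msg = m["tid"], m["msg"]
        first = STAGES[0].search(msg)
        if first:  # (re)start tracking this thread
            pending[tid] = {"tid": tid, "time": m["time"],
                            "code": int(first.group(1)), "stage": 1}
        elif tid in pending and STAGES[pending[tid]["stage"]].search(msg):
            pending[tid]["stage"] += 1
            if pending[tid]["stage"] == len(STAGES):
                hit = pending.pop(tid)
                del hit["stage"]
                hit["bad_credentials"] = hit["code"] == ERROR_LOGON_FAILURE
                hits.append(hit)
    return hits

# Thread 9212 is the article's excerpt; thread 4410 is constructed.
SAMPLE = """\
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:641 # logonuser failed 1326
[4410]  9:15:49.015 File:rsanamedpipe.cpp Line:641 # logonuser failed 1326
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:845 # Invalid Token returned by rsa_s4uLogon
[4410]  9:15:49.020 File:example.cpp Line:10 # constructed unrelated message
[9212]  9:15:49.015 File:rsanamedpipe.cpp Line:892 # Get Token Failed
"""
if __name__ == "__main__":
    print(find_token_failures(SAMPLE.splitlines()))
```

Any wrong password produces the same 1326 result, so treat each hit as a candidate and confirm that the user's Active Directory password is longer than 16 characters before attributing it to AAIIS-1211.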