000012521 - RSA Authentication Agent 7.0 for Windows shows logon failure due to user account restriction, blank passwords, logon hour restriction or policy restriction on Windows 7

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000012521
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  RSA Authentication Agent for Windows
RSA Version/Condition:  7.0
O/S Version:  
Windows 7
IssueThe following error appears when attempting to authenticate with the RSA AUthentication Agent 7.0 for Windows installed on Windows 7:

Logon failure. User account restriction. Possible reasons are blank passwords are not allowed. Logon hour restriction. OR a policy restriction has been enforced.

When the above error appears, the login information is not written to the Event Viewer's security.log.
  • On a domain controller both Domain Authentication Server (DAS) and Domain Authentication Client (DAC) components have been installed.
  • Domain resources are protected with SecurID.
WorkaroundAs a workaround:
1. Create a domain group called windows7 group on the DC.
2. Add the user to the group.
3. Set challenge on the agent for the domain group windows7.
4. The user with SecurID can log on to the domain from the Windows 7 machine.
Note: This will fail if the user is  a member of a group which is set to SecurID challenge on the DC because the login process is expecting a session certificate from Windows 7 which does not exist.
A SecurCare note about discontinuing support for Domain Authentication was sent in 2007 and reposted  on 12 June 2008
1. Uninstall the RSA Authentication Agent from the domain controller.
2. Install a Local Authentication Client (LAC) component from RSA Authentication Agent 6.1.3 on Windows 2003 domain controller.
3. Install RSA Authentication Agent 7.0.x on Windows 7.
Legacy Article IDa58302