000018687 - How to maintain STATE during RSA SecurID authentication using the agent API

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018687
Applies To: RSA ACE/Agent for Windows
RSA ACE/Agent Authentication API
Microsoft Windows NT 4.0 SP6
UNIX (AIX, HP-UX, Solaris)
Issue: How to maintain STATE during RSA SecurID authentication using the agent API. New PIN mode and Next Tokencode do not work.
Cause: The agent is required to 'maintain state' during an authentication: the end user may have several exchanges with the agent before a complete authentication takes place.
Resolution: When the asynchronous functions in the API are used, a single thread must be created for each authentication session. The thread starts when a user first connects and is closed only once an authentication (successful or otherwise) has completed. There are three types of conversation (shown here as prototype sequences):

1.     Start authentication
        Send username and PASSCODE
        Receive Success or Failure result
        Finish Authentication.

2.     Start Authentication
        Send Username and Tokencode
        Receive Success plus request for PIN
        Choose a PIN (User selected or allocated by system)
        Send this to the ACE/Server
        Receive Success or Failure result
        Finish Authentication.

3.     Start Authentication
        Send Username and PASSCODE
        Receive request for Next Tokencode
        Send Next Tokencode to the ACE/Server
        Receive Success or Failure result
        Finish Authentication

The 'Start Authentication' relates to the 'AceInit' function. The 'Finish Authentication' relates to the 'AceClose' function.

The basic rule is that any authentication (of type 1, 2 or 3) fits between these two function calls. If there is any way that your program can end up calling 'AceInit' a second time as part of the same authentication with the end user, then it has gone wrong. So, the following sequence for one authentication with an end user must NOT be allowed to happen:

    Start Authentication        AceInit(.......)
    Send Username and Tokencode
    Receive request for Next Tokencode
    Start Authentication        AceInit(.......)    <-- wrong: second AceInit in the same conversation
    Send Next Tokencode to the ACE/Server
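As an added illustration (not code from this article or from the RSA agent API), the following C model treats each end-user authentication as one session object with an explicit state, walks the three conversation types, and rejects the forbidden second 'Start Authentication'. AceInit and AceClose are not actually called; the user records, the PIN policy and the auth_* function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Conversation states: one session object per end-user authentication. */
typedef enum { S_IDLE, S_OPEN, S_NEED_PIN, S_NEED_NEXT, S_CLOSED } state_t;
typedef enum { R_OK, R_DENIED, R_NEED_PIN, R_NEED_NEXT, R_PROTO_ERR } result_t;
/* Constructed stand-in for ACE/Server user records (no real server here). */
typedef struct { const char *user, *pin, *code, *next; bool new_pin; } record_t;
static const record_t DB[] = {
    { "alice", "1234", "111111", NULL,     false }, /* type 1: plain PASSCODE */
    { "bob",   "",     "222222", NULL,     true  }, /* type 2: New PIN mode   */
    { "carol", "5678", "333333", "444444", false }, /* type 3: Next Tokencode */
};
typedef struct { state_t state; const record_t *rec; } session_t;
/* Start Authentication: the one place AceInit belongs. A second call inside
 * the same conversation is the sequence the article says must not happen. */
result_t auth_start(session_t *s, const char *user) {
    if (s->state != S_IDLE) return R_PROTO_ERR;
    s->rec = NULL;
    for (size_t i = 0; i < sizeof DB / sizeof DB[0]; i++)
        if (strcmp(DB[i].user, user) == 0) s->rec = &DB[i];
    s->state = S_OPEN;
    return R_OK;
}
/* Send PASSCODE (PIN + tokencode), or the bare tokencode in New PIN mode. */
result_t auth_passcode(session_t *s, const char *passcode) {
    char expect[32];
    if (s->state != S_OPEN) return R_PROTO_ERR;
    if (s->rec) snprintf(expect, sizeof expect, "%s%s", s->rec->pin, s->rec->code);
    if (!s->rec || strcmp(passcode, expect) != 0) { s->state = S_CLOSED; return R_DENIED; }
    if (s->rec->new_pin) { s->state = S_NEED_PIN;  return R_NEED_PIN; }
    if (s->rec->next)    { s->state = S_NEED_NEXT; return R_NEED_NEXT; }
    s->state = S_CLOSED; return R_OK;
}
/* Reply to "request for Next Tokencode" (only legal in S_NEED_NEXT). */
result_t auth_next_tokencode(session_t *s, const char *code) {
    if (s->state != S_NEED_NEXT) return R_PROTO_ERR;
    s->state = S_CLOSED;
    return strcmp(code, s->rec->next) == 0 ? R_OK : R_DENIED;
}
/* Reply to "request for PIN" (only legal in S_NEED_PIN); constructed policy. */
result_t auth_set_pin(session_t *s, const char *pin) {
    if (s->state != S_NEED_PIN) return R_PROTO_ERR;
    s->state = S_CLOSED;
    return strlen(pin) >= 4 ? R_OK : R_DENIED;
}
/* Finish Authentication: where AceClose belongs; legal from any state. */
void auth_finish(session_t *s) { s->state = S_IDLE; s->rec = NULL; }
```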
Legacy Article ID: a3300
