000013735 - Citrix Web Interface 5.x SecurID Agent Authentication problem causes and fixes

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013735

Applies To:
Citrix Web Interface 5.X
RSA Authentication Agent 7.0.2 for Microsoft Windows
RSA Authentication Agent 6.1.3 for Microsoft Windows

Issue

node secret cleared on agent but not server

Cause

The scenarios listed below are due to these three causes:

1. Citrix uses the Microsoft Internet Information Server worker process (w3wp.exe) as the SecurID agent (SecurID.java). That process may have no permission to write files to the system directory (system32), and therefore, by design, it will not create the node secret on the agent side.
So if the node secret is cleared on both sides and a user in new PIN mode authenticates, the initial authentication should succeed, but after that the node secret has been created on the server and cannot be stored by the agent (due to permissions). The set new PIN action will then cause "UDP packet creation error".

2. On Windows 2008, Citrix loads the node secret from the system folder, but the RSA Windows agent puts the node secret in the shared data folder.
This gives the symptom "Cleared on agent but not server" because Citrix is looking in the wrong place.
This information is in the Citrix Web Interface RSA SecurID Ready Implementation Guide (last modified March 25, 2011).

3. Sometimes installations of the Citrix server need a restart of the IIS service to ensure the node secret is reloaded into cache memory.

Resolution

For 32-bit Windows Machine:

1.  After you clear the node secret on your server and agent, remember to recreate it using the RSA Windows Agent test authentication.

2.  After creating the node secret, restart the IIS service to ensure Citrix reloads it into cache memory (command line: iisreset).

For 64-bit Windows Machine:

1.  After you clear the node secret on your server and agent, remember to recreate it using the RSA Windows Agent test authentication.

2.  Copy the node secret from C:\Program Files\Common Files\RSA Shared\Auth Data\securid to %windir%\System32\securid so that Citrix can load the file from the older location.

3.  After creating the node secret, restart the IIS service to ensure Citrix reloads it into cache memory (command line: iisreset).
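
The 64-bit copy and restart steps above as a PowerShell function (an added example, not RSA or Citrix code). It assumes PowerShell 4.0 or later in an elevated 64-bit session; the function name Sync-NodeSecret is hypothetical, and both default paths are the ones given in this article.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example. Sync-NodeSecret is a hypothetical name; both default paths
# are the ones given in the article.
function Sync-NodeSecret {
    [CmdletBinding()]
    param(
        [string]$Source = 'C:\Program Files\Common Files\RSA Shared\Auth Data\securid',
        [string]$Target = (Join-Path $env:windir 'System32\securid'),
        [switch]$RestartIis
    )
    # A 32-bit shell on 64-bit Windows is redirected from System32 to SysWOW64,
    # so the copy would silently land in the wrong folder.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from a 64-bit PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
        throw "No node secret at '$Source'. Recreate it with the RSA Windows Agent test authentication first."
    }
    # Compare by hash so an old copy left from before the last clear is detected.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $before = 'missing'
    if (Test-Path -LiteralPath $Target -PathType Leaf) {
        $tgtHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
        $before = if ($tgtHash -eq $srcHash) { 'current' } else { 'stale' }
    }
    if ($before -ne 'current') {
        Copy-Item -LiteralPath $Source -Destination $Target -Force
    }
    # Citrix caches the node secret, so IIS must be restarted to pick up a new copy.
    $restarted = $false
    if ($RestartIis) {
        & iisreset.exe | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "iisreset exited with code $LASTEXITCODE" }
        $restarted = $true
    }
    [pscustomobject]@{
        Source       = $Source
        Target       = $Target
        TargetBefore = $before
        Copied       = ($before -ne 'current')
        IisRestarted = $restarted
    }
}

Sync-NodeSecret -RestartIis
```

A TargetBefore value of 'stale' means Citrix was loading a node secret that no longer matched the one the RSA agent negotiated, which is the condition cause 2 describes.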

Workaround

Scenario 1:

Citrix Web Interface is installed on an x64 Windows platform, e.g. Windows 2008 Server R2.

Steps:

  1. Create the node secret by successfully authenticating via the RSA Windows Agent test function.
  2. Try to log in via Citrix Web Interface.
  3. The activity monitor shows "node secret cleared on agent but not server".

Scenario 2:

Applies to any Windows platform.

Steps:

  1. Clear the node secret on both sides.
  2. Log in using SecurID via Citrix Web Interface; the first login succeeds.
  3. Log in again; the login fails. The activity monitor shows "node secret cleared on agent but not server".

Scenario 3:

Applies to any Windows platform.

Steps:

  1. Clear the node secret on both sides.
  2. Log in using SecurID via Citrix Web Interface with a user in new PIN mode. The user is prompted to enter a new PIN, but the PIN cannot be set successfully.
  3. The activity monitor shows "UDP packet creation error".

Legacy Article ID: a56803
