000022539 - Passcode accepted in RSA ACE/Server but denied in RSA ACE/Agent

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022539

Applies To:
  • RSA ACE/Server 5.x
  • RSA Authentication Manager 6.x
  • RSA ACE/Agent 5.x
  • RSA Authentication Agent 6.x for Microsoft Windows

Issue:
  • Passcode accepted in RSA ACE/Server, but denied in RSA ACE/Agent
  • Error: "wpcode1 failed; wpcode0 next" in RSA ACE/Agent trace logs
  • Authentication may work fine using acetest or a test RSA ACE/Agent, but fails through an application like a firewall or Cisco ACS

Cause: There is an encryption mismatch between RSA ACE/Server and RSA ACE/Agent. The Agent tries to decrypt the server response using a different IP address than the one the server used to encrypt it. Because it cannot make sense of the response, the Agent denies the authentication.

Resolution: To correct this issue, create an sdopts.rec file on the RSA ACE/Agent in the same directory as the sdconf.rec file. This file should contain only CLIENT_IP=ipaddress, where ipaddress is the address used to define the client in the RSA ACE/Server database (not a secondary node). Reboot the machine to make sure the file is read.

Legacy Article ID: a30870
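
The following check is an added example, not RSA code and not part of the original article. It verifies the resolution above: sdopts.rec sits beside sdconf.rec, contains only the CLIENT_IP line, and holds the address the agent host is registered under. The function name, the exact-case match on CLIENT_IP and the sample addresses (192.0.2.x documentation range) are assumptions.

```python
import ipaddress
import tempfile
from pathlib import Path


def check_sdopts(agent_dir, registered_ip):
    """Return a list of problems with sdopts.rec in agent_dir (empty list = OK).

    registered_ip is the address that defines this client in the server
    database; the administrator supplies it (it is not read from the server).
    """
    agent_dir = Path(agent_dir)
    problems = []
    if not (agent_dir / "sdconf.rec").is_file():
        problems.append("sdconf.rec not found; sdopts.rec must be in the same directory")
    opts = agent_dir / "sdopts.rec"
    if not opts.is_file():
        return problems + ["sdopts.rec not found"]
    text = opts.read_text(encoding="ascii", errors="replace")
    # Blank lines (such as a trailing newline) are ignored; nothing else may be present.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        return problems + [f"expected exactly one line, found {len(lines)}"]
    key, sep, value = lines[0].partition("=")
    if key != "CLIENT_IP" or not sep:  # assumption: key spelled exactly as in the article
        return problems + [f"unexpected line: {lines[0]!r}"]
    try:
        configured = ipaddress.ip_address(value)
    except ValueError:
        return problems + [f"CLIENT_IP value is not an IP address: {value!r}"]
    if configured != ipaddress.ip_address(registered_ip):
        problems.append(f"CLIENT_IP {configured} differs from registered address {registered_ip}")
    return problems


def demo():
    """Run the check on constructed files; the host is registered as 192.0.2.10."""
    cases = {"good": "CLIENT_IP=192.0.2.10\n", "secondary": "CLIENT_IP=192.0.2.11\n",
             "placeholder": "CLIENT_IP=ipaddress\n", "extra": "CLIENT_IP=192.0.2.10\nFOO=1\n"}
    results = {}
    for name, content in cases.items():
        with tempfile.TemporaryDirectory() as d:
            Path(d, "sdconf.rec").write_bytes(b"")  # empty stand-in for the real file
            Path(d, "sdopts.rec").write_text(content, encoding="ascii")
            results[name] = check_sdopts(d, "192.0.2.10")
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```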
