000022099 - RSA GINA user able to passcode authenticate but unable to get beyond Microsoft Windows password prompt

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022099
Applies To: RSA Authentication Agent 6.0.x for Microsoft Windows
RSA Authentication Agent 6.1
"Integrated Windows Authentication" checkbox is selected
Microsoft Integrated Windows Authentication (IWA)
Microsoft Windows Password Integration enabled
Issue: RSA GINA user able to passcode authenticate but unable to get beyond Microsoft Windows password prompt
Error: "Error 1326" in RSA tracing log
Error: "Unknown user or bad password"
Error: "The passcode or password you entered is invalid" during Domain authentication

Error: "Microsoft Windows Password Integration Error - Domain Password is rejected after Passcode is accepted"
Error on the DC: "Netlogon the computer {Computername} tried to connect to the server \\{dc name} using the trust relationship established by the DOMAINNAME.  However, the computer lost the correct security identifier (SID) when the domain was reconfigured.  Reestablish the trust Relationship."
Cause: There are several potential causes for this error or behavior:

1. The password is incorrect

2. The user does not have sufficient privilege to log in (e.g. only domain administrators can log in to a domain controller console)

3. Port 2334 on the client machine is blocked by a firewall, so the Domain Controller cannot connect to verify that a valid session certificate exists

4. The Domain Controller resolved the short name of the workstation to a different IP address, and is looking to an invalid IP address to verify the session certificate.

5. The Windows SID of the workstation is different from the one the DC expects.
Resolution: To correct this issue, follow these steps:

1. Validate that the user can authenticate elsewhere with the same password

2. Take the user out of the RSA Challenge group temporarily and see if they are then able to log in

3. Check for a firewall on the client machine, or on the network between the client and the domain controller, that could be blocking TCP 2334 traffic

4. Make sure DNS is configured properly for the connection that the user is making. If the user is going from static to DHCP, make sure the DHCP server updates the client record in DNS.  If the DAC is multihomed, make sure that DisableNetBIOSLookup is set to 1 in the registry under SDNETWORK on the DAH.  NetBIOS does not give the same IP consistently for a multihomed workstation.

5. Re-establish the trust relationship for the DAC on the Domain Controller.
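The following PowerShell script is added here as a diagnostic example and is not part of the RSA article or the agent. Run on the domain-joined workstation (the DAC) in an elevated session, it checks causes 3, 4 and 5 above: the trust relationship with the domain, whether DNS resolves the short name to an address this host actually holds, and whether TCP 2334 is listening and allowed inbound. The port number and the SDNETWORK/DisableNetBIOSLookup setting come from the article; the cmdlets are standard on Windows 8/Server 2012 and later.

```powershell
# Added example: triage the RSA Agent 6.x "passcode accepted, password rejected" symptom.
# Run on the workstation (DAC) as an administrator. Port 2334 is taken from the article.
$Port   = 2334
$wsName = $env:COMPUTERNAME
$findings = @()

# Cause 5: a broken secure channel means the DC no longer trusts this computer's SID.
if (-not (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
    $findings += "Secure channel to the domain is broken; re-establish the trust " +
                 "(Test-ComputerSecureChannel -Repair -Credential <domain admin>)."
}

# Cause 4: the DC resolves the short name; compare DNS with the addresses this host holds.
$localIPv4 = @((Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress)
$dnsIPv4   = @((Resolve-DnsName -Name $wsName -Type A -ErrorAction SilentlyContinue).IPAddress)
$stale     = $dnsIPv4 | Where-Object { $_ -notin $localIPv4 }
if (-not $dnsIPv4) {
    $findings += "DNS has no A record for $wsName; register it (ipconfig /registerdns) or fix DHCP DNS updates."
} elseif ($stale) {
    $findings += "DNS returns $($stale -join ', ') for $wsName but this host holds $($localIPv4 -join ', '); " +
                 "the DC will try the wrong address on TCP $Port."
}
if ($localIPv4.Count -gt 1) {
    # The registry fix lives on the DAH (domain controller side), so only flag it here.
    $findings += "Workstation is multihomed ($($localIPv4 -join ', ')); confirm DisableNetBIOSLookup=1 under SDNETWORK on the DAH."
}

# Cause 3: the DC must reach the agent on TCP 2334 to verify the session certificate.
if (-not (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)) {
    $findings += "Nothing is listening on TCP $Port; check that the RSA agent service is running."
}
$allowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $allowRules) {
    $findings += "No enabled inbound Allow rule covers TCP $Port; also check network firewalls between the DC and this client."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No issues found for causes 3-5; verify the password and logon rights (causes 1-2)." }
```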
Legacy Article ID: a26845