000023870 - Receiving 'Access Denied  PASSCODE Incorrect' for Windows Agent v6.1 behind NAT firewall

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000023870
Applies To: RSA Authentication Agent for Windows 6.1
NAT (Network Address Translation) being performed for the Windows Agent
Issue: How to configure Windows Agent v6.1 which has an external and internal IP address
Error: "Access Denied, bad user password"
Error: "Access Denied, PASSCODE Incorrect"
Cause: The IP address of the PC is used for encryption. If it does not match the IP address in the Authentication Manager database, the Authentication Manager will not be able to decrypt the user's PASSCODE or Password.

The Agent allows you to specify which IP address to use, irrespective of the machine's primary IP address. This is called the IP Address Override feature. After creating the client (or Agent Host) definition in Authentication Manager, do the following as a Windows administrator:

1. Open the RSA Security Center application and go to the Configuration tab.
2. Click on the Advanced Settings section.
3. Under the "IP address override:" section, enter the IP address as resolved for the Client (Agent Host) in the Authentication Manager database (i.e., the 'external' IP address).
4. Click on OK.
5. Restart the RSA services on the Windows Agent machine.

The ACE/Agent will store this address in the Registry for future use whenever making authentication requests to the ACE/Server.

Note: Different versions of the ACE/Agent have to be configured in different ways to do this. The following solutions deal with this for different versions of the ACE/Agent:

How to override the primary address with RSA ACE/Agent 4.4 for Windows NT

How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent

ACE/Agent 4.3 on NT or ACE/Agent 1.1 for Windows2000

Workaround: The NAT firewall changes the IP address for the Windows Agent machine. The Authentication Manager server sees the 'external' IP address for the Agent.
Legacy Article ID: a35754