000022358 - Error: 'The passcode or password you entered is invalid'; offline authentication fails

Document created by RSA Customer Support Employee on Jun 16, 2016
Article Number: 000022358
Applies To: RSA Authentication Agent 6.0.x for Microsoft Windows
Offline authentication
Domain Authentication Client (DAC)
Domain Authentication Host (DAH)
DAC can authenticate to more than one DAH
Issue: Error: "The passcode or password you entered is invalid"; offline authentication fails
Offline authentication fails frequently. Recharging the day files allows it to work for a while, but after a few days offline authentication starts failing again.
Cause: The first Domain Authentication Host (DAH) that is installed creates a domain secret, which is stored as a domaininfo.dat file in what should be the Windows Replicated File System. The Agent installation prompts for the location of the store, but the default is "C:\WINDOWS\SYSVOL". To verify this setting, open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSA Authentication Agent\CurrentVersion\DomainHost\OASVC\dayfilerootdir. Because domaininfo.dat is placed in the Windows Replicated File System, it should be replicated out to all DCs. By default the replication is nearly instantaneous within a site, or 1 hour between sites (configurable to 15 minutes).

The domain secret, which is kept in the domaininfo.dat file on each DC, is one of the inputs used to hash all of the offline data that make up the day files. When a user authenticates to a particular DAH, the DAH requests from the Authentication Manager the day files it needs to obtain a complete set. All of these files are hashed by the Authentication Manager and delivered to the DAH, which in turn updates the DAC.

When the DAC connects to a DC (either via an authentication or a service restart), it obtains a copy of the domain secret from the DAH and stores it in the registry; see HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSA Authentication Agent\CurrentVersion\DomainHost\OASVC\DomainSecret. Every DAC must have a valid domain secret (you should see a random hex value; all "01" means it is not set). The DAC uses the domain secret as an input to hash the passcode provided by the user trying to authenticate. The Agent then takes the current time of the PC, adjusted by the ServerTimeOffset, and searches the day files, starting with the files for the exact time and then moving out two before and after (5 minute window), looking for a match for the hash output. If a match is found, the user is authenticated.

Problems occur when the Agent on the DAH is not pointed to the replicated file system (wrong directory entered at install), when file replication fails, or when the install is done before the domaininfo.dat file has been replicated to the DC where the DAH is being installed. When the DAH is first started (and at every service start after), it obtains the domain secret from the dayfilerootdir. If none is found, it generates a new domain secret and updates the Authentication Manager. At this point you have two DAHs with different domain secrets and differently hashed day files. The next time a DAC authenticates to a DAH it will get additional day files, which may be hashed differently from the rest of its set. The DAC may also update its domain secret with one that doesn't match the one its day files were hashed with, which will invalidate all the day files stored locally. The bottom line is that if the domain secrets do not match on the DAHs, very bad offline behavior will be the result.

Resolution: Check the registry to determine where your domaininfo.dat file is stored and verify that it is indeed pointed to the replicated file system (change it if necessary). Download the following checksum utility: http://support.microsoft.com/default.aspx?scid=kb;en-us;841290 and compare the domaininfo.dat on each DC. If mismatches are found, overwrite each one to make them all consistent. You will then need to clear all offline data from the DAHs that had the incorrect copy and have all users who authenticate offline reboot, then clear and recharge their offline data. Users will download the correct day files the next time they authenticate online.

To clear all users' offline data on a DAH, go to Start--Settings--Control Panel--RSA ACE/Agent--advanced tab--clear offline logon data, or go to your dayfilerootdir (see registry above) and delete the day files folder.

To clear all users' offline data on a DAC, go to the dayfilerootdir (see registry above), then RSA Security\Domain, and delete the day files folder.
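
The domaininfo.dat comparison from the Resolution and the DomainSecret check described under Cause, as an added PowerShell example (not part of the original article and not RSA tooling). It uses Get-FileHash in place of the checksum utility linked above; the DC names, the administrative-share paths, the recursive search for domaininfo.dat and the handling of the DomainSecret value type are assumptions.

```powershell
# Added example. Key and value names come from the article; the DC names and
# share paths are placeholders to replace with your own.
$OasvcKey = 'HKLM:\SOFTWARE\SDTI\RSA Authentication Agent\CurrentVersion\DomainHost\OASVC'

function Get-DomainInfoHash {
    # $RootPath: one dayfilerootdir per DC, as a path reachable from this host.
    param([Parameter(Mandatory)][string[]]$RootPath)
    foreach ($root in $RootPath) {
        $files = @(Get-ChildItem -LiteralPath $root -Filter 'domaininfo.dat' -File -Recurse -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            # A DAH that finds no domaininfo.dat generates a new secret at service start.
            [pscustomobject]@{ Root = $root; File = $null; SHA256 = 'MISSING' }
        }
        foreach ($f in $files) {
            [pscustomobject]@{
                Root   = $root
                File   = $f.FullName
                SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Test-DomainSecretSet {
    # Run on a DAC. Returns $false when the value is absent or all "01".
    # The secret itself is never written to output.
    $value = (Get-ItemProperty -LiteralPath $OasvcKey -Name 'DomainSecret' -ErrorAction SilentlyContinue).DomainSecret
    if ($null -eq $value) { return $false }
    # Assumption: the value is stored either as bytes or as a hex string.
    $hex = if ($value -is [byte[]]) { -join ($value | ForEach-Object { $_.ToString('x2') }) }
           else { "$value" -replace '[^0-9A-Fa-f]', '' }
    return ($hex.Length -gt 0 -and $hex -notmatch '^(01)+$')
}

# Placeholder DC names; the path mirrors the article's default store location.
$roots   = 'DC01', 'DC02' | ForEach-Object { '\\{0}\C$\WINDOWS\SYSVOL' -f $_ }
$results = @(Get-DomainInfoHash -RootPath $roots)
$results | Format-Table Root, SHA256, File -AutoSize

# More than one distinct value means a mismatched or missing domain secret file.
$distinct = @($results.SHA256 | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'domaininfo.dat differs or is missing on at least one DC.'
}
```

Run Get-DomainInfoHash from an account that can read each DC's store, and Test-DomainSecretSet locally on a DAC that is failing offline authentication.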
Legacy Article ID: a28152