000012280 - RSA Software token displays 'No Code' when the application is launched after changing Windows password.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012280
Applies To: Software Token 4.1 for Desktop
Vista SP1 (32 bit)
"ERROR 0x000011c8 Software Token Library - 32 General Error" in the C:\Documents and Settings\All Users\Application Data\RSA\RSA_Software_Token_Log_.txt
software token password
Issue

RSA Software token displays "No Code" when the application is launched after changing Windows password.


The message "The token database on your hard drive is protected by a password. Enter Password" appears when launching the RSA Software Token application after changing the user password.

Cause

The RSA Software Token application did not find the token database because the profile directory changed. Enabling logging helps determine the actual cause: the log should show which directory the Software Token application is searching for the token database.
The default deployment of the application uses user mode DPAPI, which means the RSA application depends on the Microsoft Data Protection API.

The Software Token Application uses Microsoft's Data Protection API to help protect the token database.  See http://msdn.microsoft.com/en-us/library/ms995355.aspx for details.

There are two modes of protection offered by Microsoft, system or machine, and user.  The user mode protection has a dependency on the user password.  The default installation for the application chooses user mode protection as this provides the most secure configuration.  There are deployments of the application in which user mode DPAPI may be in conflict with the desired behavior.  For example, if a pre-login scenario is required where the token database must be accessed by some software before the user has logged in then the database cannot be accessed if protected with user mode DPAPI.  In this scenario the Software Token application can be configured via a command line install in single database mode.  This changes the location of the database to the All Users directory or equivalent for the variant of Microsoft OS, and changes the DPAPI protection to system mode which eliminates the dependency on the user password.  
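
The difference between the two DPAPI scopes described above can be observed with the .NET ProtectedData class. This PowerShell script is an added example, not RSA code and not a description of how the Software Token application stores its database; the sample bytes, the demo folder under the Public profile, and the file names are constructed for illustration.

```powershell
# Added example (not RSA code): protect the same bytes under both DPAPI scopes,
# then report which blobs the account running the script can unprotect.
Add-Type -AssemblyName System.Security
$dpapi = [System.Security.Cryptography.ProtectedData]

# Constructed sample data standing in for a protected database record.
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-record')

# Hypothetical demo folder that every local account can read.
$dir = Join-Path $env:PUBLIC 'dpapi-scope-demo'
$names = 'CurrentUser', 'LocalMachine'

if (-not (Test-Path $dir)) {
    # First run (first user): write one blob per scope.
    New-Item -ItemType Directory -Path $dir | Out-Null
    foreach ($name in $names) {
        $scope = [System.Security.Cryptography.DataProtectionScope]$name
        [byte[]]$blob = $dpapi::Protect($secret, $null, $scope)
        [System.IO.File]::WriteAllBytes((Join-Path $dir "$name.bin"), $blob)
    }
}

# Every run: try to unprotect each blob as the current account.
foreach ($name in $names) {
    $scope = [System.Security.Cryptography.DataProtectionScope]$name
    [byte[]]$blob = [System.IO.File]::ReadAllBytes((Join-Path $dir "$name.bin"))
    try {
        $null = $dpapi::Unprotect($blob, $null, $scope)
        '{0,-12} blob: readable by {1}' -f $name, $env:USERNAME
    } catch {
        '{0,-12} blob: NOT readable by {1} ({2})' -f $name, $env:USERNAME, $_.Exception.Message
    }
}
```

Run it once as one user, then again as a second user on the same machine: the second account can open only the LocalMachine blob, which is the trade-off that single database mode accepts.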

Resolution

If the user has changed the Windows password, restart (not shut down) the machine while it is still connected to the network. This completes the password change process. After that, if the user launches the RSA application while off the network, the RSA token code is displayed.

 

If you wish to implement a third-party Password Sync application that lets users change the enterprise password, a solution might be to install the token in single database mode (see admin guide page 26).  In single database mode, this problem would no longer occur.  The security of the token database is reduced, as it relies on the System DPAPI, which would allow other logged-in users access to the token.  On machines with multiple tokens, all users would be able to access all tokens, but each user can only use the particular token for which they know the PIN. This is not an issue if multiple tokens are not assigned to multiple users on the same machine.  If it is a single-user machine (e.g., a laptop), then others likely have limited ability to log into the system to access the token, which mitigates these concerns.

If access is required in a pre-login scenario, or there are issues with third-party password change applications, the customer can install the RSA application in single database mode. This avoids the dependency on user mode DPAPI. The following command installs the application in single database mode.

msiexec /qn /i "pathname\RSASecurIDToken410.msi" /lv c:\install.log SETSINGLEDATABASE=TRUE

Note: This does not reduce the security of the RSA token application, but it does reduce the security of the token database. In a typical scenario, any user who can log on to the machine can access the token database. If a machine is accessed by more than one user, the current user can see the tokens belonging to other users but will not be able to use them without knowing the PIN.

Enable debugging by editing the registry:

 

HKEY_LOCAL_MACHINE\SOFTWARE\RSA\SoftwareToken\Library\LogLevel

Double-click the LogLevel key and change the value to DEBUG.

 

Location of log file

 

C:\Documents and Settings\All Users\Application Data\RSA\RSA_Software_Token_Log.txt

On a Vista machine, click Organize, select Folder Options, then select "show all hidden files". A folder will appear in C:\Program_data\RSA\Logfiles

The debug file RSA_Software_Token_Log.txt will be located in that folder.

 

On Vista machines with SP1

KB Article Number(s): 961731

Language: All (Global)

Platform: i386

Location: (http://hotfixv4.microsoft.com/Windows%20Vista/sp2/Fix233858/6000/free/369196_intl_i386_zip.exe)

Password: HV_W18*Iws


This message is also frequently caused by a change to the system. Microsoft DPAPI calculates a system fingerprint. If one of the items used to calculate this fingerprint changes, this message appears. An example is replacing the hard drive in the system. This behavior has also been seen with virtual desktops, where the hard drive is virtual and causes the fingerprint to differ each time the system boots.

Legacy Article ID: a53148
