000020316 - How to control challenge order for RSA ACE/Agent local access protection

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000020316
Applies ToRSA SecurID Reserve Password
RSA Authentication Agent 6.0
RSA ACE/Agent 5.6 for Windows
RSA ACE/Agent 5.5 for Windows
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
IssueHow to control challenge order for RSA ACE/Agent local access protection
Reserve Password not available with RSA ACE/Agent for Local Access Protection
Selected 'Challenge Users for local login', but no option to enable the Reserve Password
CauseRSA ACE/Agent has been installed with SecurID Challenge Before Logon option
ResolutionIf you selected the SecurID Challenge Before Logon option when installing the agent, then the new SecurID Challenge Before Logon option makes the machine more susceptible to a dictionary attack. Therefore, RSA Security decided to disallow the Reserve Password function when this option is chosen. If you installed in this manner and wish to revert to SecurID Challenge after Windows Logon; you may change a registry setting:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. RSA cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

ACE/Agent has a registry hive; HKEY_LOCAL_MACHINE ++ SOFTWARE ++ SDTI ++SDGINA.
In this hive there is a value; ChallengeFirst: REG_SZ
Edit the value... A value of:
0 (Zero)     allows for Windows auth then SecurID with reserve password ability.
1 (one)      selects the SecurID Challenge Before Logon option, there will be no reserve password option.
Legacy Article IDa15948

Attachments

    Outcomes