000033560 - How to use Windows Password Integration with Offline Authentication on an RSA Authentication Agent 7.x for Windows

Document created by RSA Customer Support Employee on Jul 21, 2016. Last modified by RSA Customer Support on Jan 2, 2020.
Version 3

Article Content

Article Number: 000033560

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.x, 7.3.x, 7.4.x

Issue

Windows password integration and offline authentication are two features of the RSA Authentication Agent for Windows. They operate independently, but overlap in that the hashed Windows password created by the agent's user and stored in the RSA database is also stored in the offline day files database.

A Windows password change must be done online in order for a domain controller to learn and accept it. If the change is done from the authentication agent itself, the new Windows password hash is learned by RSA Authentication Manager and stored in the server's internal database. 

If offline days are refreshed, this new Windows password hash is downloaded to the authentication agent within the offline day files database. 

If you change the Windows password and then go offline without refreshing offline days, Windows password integration fails during offline authentication because the offline database still has the old Windows password hash.

Tasks

Refresh offline days after changing the Windows password in order to download the new Windows password hash to the offline days database for this user. This allows the user to complete Windows password integration when offline.

Resolution

Refresh offline days, which might involve a new online login. This updates the agent's offline Windows password integration for this user on this agent. Do not attempt to change the Windows password a second time before refreshing offline authentication (OA) days, as it may cause temporary problems such as hanging or freezing of the Windows system.