|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: RSA Authentication Agent for Windows
RSA Version/Condition: 7.2 or later
|Issue||A new Authentication Manager deployment has been built (perhaps due to a migration from an earlier version of Authentication Manager) and the administrator would like to change the configuration of the deployed RSA Authentication Agent for Windows in the production environment.|
|Resolution||The RSA Authentication Agent for Windows stores its configuration files in the C:\Program Files\Common Files\RSA Shared\Auth Data folder by default. Updating an RSA Authentication Agent for Windows to send authentications to a new Authentication Manager deployment requires removing the failover.dat, sdstatus.12 and securid files and changing the sdconf.rec file to point to the new server(s).|
Since the authentication agent monitors the existence of the node secret on the agent and on the server, if the node secret file is deleted from the agent it must also be deleted from the server. In the Security Console under Access > Authentication Agents > Manage Existing, use the Search Criteria to search for the authentication agent in question. Once found, click on the agent and select Manage Node Secret… Check the option to clear the node secret and click Save.
NOTE: It is important that the operating system hosting the RSA Authentication Agent for Windows is able to look up the fully qualified host names and IP addresses of the Authentication Manager instances in the Authentication Manager deployment, either by DNS or the local hosts file.
Changing the configuration files of an RSA Authentication Agent for Windows is a manual task. An administrator could start by making the changes to one RSA Authentication Agent for Windows to ensure the process works before changing further RSA Authentication Agent for Windows configurations.
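The manual steps above for a single agent, as an added PowerShell example (not RSA's code and not taken from the product documentation). The `-NewSdconf` and `-AmHosts` parameters are assumptions: a locally staged sdconf.rec generated on the new deployment, and the host names of the new Authentication Manager instances.

```powershell
#Requires -RunAsAdministrator
# Added example, not RSA's code. Re-points ONE agent at a new deployment.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Default agent configuration folder named in the article.
    [string]$AuthData = 'C:\Program Files\Common Files\RSA Shared\Auth Data',
    # Assumption: sdconf.rec from the new deployment, staged on this host.
    [Parameter(Mandatory)][string]$NewSdconf,
    # Assumption: FQDNs of the new Authentication Manager instances.
    [Parameter(Mandatory)][string[]]$AmHosts
)
$ErrorActionPreference = 'Stop'

# The agent host must resolve every instance, via DNS or the local hosts file.
foreach ($name in $AmHosts) {
    try { $ips = [System.Net.Dns]::GetHostAddresses($name) }
    catch { throw "Cannot resolve '$name'. Fix DNS or the hosts file first." }
    Write-Host "$name -> $($ips -join ', ')"
}

# Fail before touching anything if either path is wrong.
if (-not (Test-Path -LiteralPath $AuthData -PathType Container)) {
    throw "Agent configuration folder not found: $AuthData"
}
if (-not (Test-Path -LiteralPath $NewSdconf -PathType Leaf)) {
    throw "New sdconf.rec not found: $NewSdconf"
}

# Remove the files tied to the old deployment ('securid' is the node secret).
foreach ($file in 'failover.dat', 'sdstatus.12', 'securid') {
    $path = Join-Path $AuthData $file
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force -Verbose
    } else {
        Write-Host "Not present, nothing to remove: $path"
    }
}

# Replace sdconf.rec and confirm the copy matches the staged file.
$target = Join-Path $AuthData 'sdconf.rec'
Copy-Item -LiteralPath $NewSdconf -Destination $target -Force -Verbose
if (-not $WhatIfPreference) {
    $src = (Get-FileHash -LiteralPath $NewSdconf -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "sdconf.rec in $AuthData does not match $NewSdconf" }
    Write-Host "sdconf.rec replaced (SHA256 $dst)"
}
Write-Warning "Clear this agent's node secret on the server too (Security Console > Manage Node Secret)."
```

Run it with `-WhatIf` first to list the removals and the copy without making them.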
For large deployments, an administrator could review the section “Deploying the Installation Package to Multiple Computers” in the RSA Authentication Agent 7.2 Installation and Administration Guide. Following that section, a new installation package could be created with a new configuration, and something like Microsoft System Management Server (SMS) used to remove the previous installation and replace it with the new installation package (containing the new configuration files). Where the Windows platform hosting the RSA Authentication Agent for Windows software is a member of a domain, GPO templates can be used to configure the authentication agent challenge settings. This would need testing to ensure you get the desired results.
NOTE: There are two possible Windows restarts required with the steps above; one restart is after the removal of authentication agent software and another restart after the installation of the new installation package.
Alternatively, customers can engage RSA Professional Services to come up with a solution to change the configuration files on a large number of deployed RSA Authentication Agent for Windows.
Table showing configuration files used by an RSA Authentication Agent for Windows:
|Notes||Click the link to obtain documentation, GPO templates and more for the RSA Authentication Agent 7.2 for Windows.|