|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.x, 7.3.1 and later
|Issue||When a challenged user clicks on the RDP application from a machine that has the RSA Authentication Agent 7.3.1 or 7.2.1 for Microsoft Windows installed, the user is immediately prompted for an RSA passcode, when previously they saw a logon prompt for the remote Windows server. This change usually happens after a Microsoft Windows update has been applied. |
If this challenged user enters valid SecurID credentials, this is treated as a local agent authentication and sometimes fails with the following error:
Node Secret Mismatch cleared on Agent not on server
If the authentication does not fail with the node secret mismatch error and the user successfully authenticates on the first machine with a passcode, the user next sees the remote Windows Credential Provider logon prompt, which requests a password if the RSA Authentication Agent is not installed on the remote server and a passcode if it is.
Reverting the Windows update typically is not an option, even though doing so returns the Windows platform to its previous behavior of connecting directly to the remote RDP host and its Credential Provider prompt.
If verbose logging is enabled, the authentication agent's logs show that after the Windows update the Windows Credential Provider UI calls a different RDP application, one that the RSA agent does not recognize as a remote connection, so the RSA Credential Provider prompts for local SecurID credentials instead.
|Cause||This issue, seen when Remote Desktop Connection Manager is used as a jump host application on Windows Server 2012 R2, is a variation of the problem described in article 000033802 (Microsoft Windows update MS16-101 breaks RDP from the RSA Authentication Agent 7.3.1 for Windows for all RSA challenged users). The resolution in that article referenced both C:\Windows\System32\mstsc.exe and C:\Windows\System32\CredentialUIBroker.exe as the RDP applications a user or administrator might call, but other RDP applications, such as Remote Desktop Connection Manager, may be called instead. |
To enable agent verbose logging in the RSA Control Center,
|Resolution||Using a variant of the workaround in article 000033802 (Microsoft Windows update MS16-101 breaks RDP from the RSA Authentication Agent 7.3.1 for Windows for all RSA challenged users) for this defect might provide a partial workaround in this case. It is partial because it breaks the use of the native Remote Desktop Connection client (mstsc.exe) for remote connections. |
An alternative is to wait for RSA Engineering to provide a fix or another workaround through AAWIN-2319, which tracks the capability to run Remote Desktop Connection Manager from a Windows Server 2012 R2 host protected by an RSA Authentication Agent to a Windows server that does not have the RSA agent installed. This is deemed a known issue because the GPO workaround remains the only option unless and until RSA re-architects the Windows agent to eliminate its need for elevated privilege.
|Workaround||Use mstsc.exe instead of Remote Desktop Connection Manager or CredentialUIBroker.exe, or initiate the RDP session as a user who is not RSA-challenged.|
|Notes||If you are stuck at the Node Secret Mismatch error and for some reason cannot successfully implement the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings resolution, you may need to open up read permissions to the node secret directory for all authenticated users on the agent machine. |
First, change permissions on the node secret file (named securid by default) to grant read permissions to Authenticated Users. To do this,
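The following PowerShell script is an added example, not part of the RSA article, showing one way to make the permission change described in these notes and to check the state of the article 000033802 policy key before doing so. The default node secret directory it uses (C:\ProgramData\RSA\Authentication Agent) is an assumption for illustration only; confirm the real location on your agent host and pass it with -NodeSecretDir. It grants Read only, to the well-known Authenticated Users SID, on the node secret file rather than the whole directory, saves the original ACL as SDDL, and can restore it with -Revert. Run it from an elevated PowerShell prompt on the agent machine.

```powershell
<#
  Added example (not from the RSA article): grant Authenticated Users read access
  to the RSA agent node secret file, with a backup so the change can be reverted.
  ASSUMPTION: the default node secret directory below is a guess for this example;
  confirm the real directory on the agent host and pass it with -NodeSecretDir.
#>
param(
    [string]$NodeSecretDir  = 'C:\ProgramData\RSA\Authentication Agent',  # assumed; verify on your host
    [string]$NodeSecretName = 'securid',                                   # default file name per the article
    [switch]$Revert                                                        # restore the ACL saved by an earlier run
)

$ErrorActionPreference = 'Stop'
$nodeSecret = Join-Path $NodeSecretDir $NodeSecretName
$backupFile = "$nodeSecret.sddl.bak"

if (-not (Test-Path -LiteralPath $nodeSecret)) {
    throw "Node secret not found at '$nodeSecret'. Locate it on this agent and rerun with -NodeSecretDir."
}

# Well-known SID for Authenticated Users; avoids depending on the localized account name.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Show-NodeSecretAccess {
    (Get-Acl -LiteralPath $nodeSecret).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

if ($Revert) {
    if (-not (Test-Path -LiteralPath $backupFile)) { throw "No ACL backup found at '$backupFile'." }
    $acl = Get-Acl -LiteralPath $nodeSecret
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $backupFile -Raw).Trim())
    Set-Acl -LiteralPath $nodeSecret -AclObject $acl
    Write-Host "Restored original ACL on $nodeSecret"
    Show-NodeSecretAccess
    return
}

# 1. Record the current state: the policy key from article 000033802 and the existing ACL.
$policyKey = 'HKLM:\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings'
if (Test-Path -LiteralPath $policyKey) {
    Write-Host "Policy key present; current values:"
    Get-ItemProperty -LiteralPath $policyKey | Format-List
} else {
    Write-Host "Policy key '$policyKey' is not present; the registry resolution has not been applied."
}
Write-Host "ACL before change:"
Show-NodeSecretAccess

# 2. Back up the ACL as SDDL before touching it (keep the first backup if one already exists).
if (-not (Test-Path -LiteralPath $backupFile)) {
    (Get-Acl -LiteralPath $nodeSecret).Sddl | Set-Content -LiteralPath $backupFile
}

# 3. Grant Read only (not Modify or FullControl) to Authenticated Users on this one file.
$acl  = Get-Acl -LiteralPath $nodeSecret
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($authUsers, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $nodeSecret -AclObject $acl

# 4. Verify the rule landed and that this principal holds nothing broader than Read.
$granted = (Get-Acl -LiteralPath $nodeSecret).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsers.Value
}
if (-not $granted) { throw "Read rule for Authenticated Users was not applied to $nodeSecret" }
$tooBroad = $granted | Where-Object {
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
}
if ($tooBroad) { Write-Warning "Authenticated Users also hold write rights on the node secret; tighten the ACL." }
Write-Host "ACL after change:"
Show-NodeSecretAccess
```

The node secret is the shared secret that lets the Authentication Manager server trust this agent, so widening its ACL means any local authenticated user can copy it. Treat this as a temporary measure: grant Read only, keep the SDDL backup the script writes, and run the script again with -Revert once the registry resolution works or a fix for AAWIN-2319 is in place. The file permission is only useful if the node secret directory itself already allows Authenticated Users to traverse it, which is the normal state for directories under ProgramData; check the directory ACL if reads still fail after the change.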