|Applies To||RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.1 and later, 7.3.1 and 7.2.x
O/S Version: Windows Server 2012 R2, Windows 10, Windows 8, Windows 7|
|Issue||When a challenged user clicks on the RDP application from a machine that has the RSA Authentication Agent 7.3.1 or 7.2.1 for Microsoft Windows installed, the user is immediately prompted for an RSA passcode, whereas previously they saw a logon prompt for the remote Windows server. This change usually happens after a Microsoft Windows update has been applied.
If this challenged user enters valid SecurID credentials, this is treated as a local agent authentication and sometimes fails with the error:
Node Secret Mismatch cleared on Agent not on server
If the authentication does not fail with the node secret mismatch error, and the user successfully authenticates on the first machine with a passcode, the user will next see a remote Windows Credential Provider logon prompt, requesting a password if the RSA Authentication Agent is not installed on the remote server and a passcode if the RSA agent is installed.
Sometimes reverting the Windows update returns the Windows platform to its previous method of connecting directly to the remote RDP host and its Credential Provider prompt.
If verbose logging was enabled, the authentication agent's logs will indicate that the Windows update has made the Windows Credential Provider UI call a different RDP application, one that the RSA agent did not expect, so the RSA Credential Provider prompts for local SecurID credentials.|
|Cause||This issue with the use of the Remote Desktop Connection Manager as a jump host application on Windows Server 2012 R2 is a variation on the problem described in article 000033802 (Microsoft Windows update MS16-101 breaks RDP from the RSA Authentication Agent 7.3.1 for Windows for all RSA challenged users). That solution referenced both C:\Windows\System32\mstsc.exe and C:\Windows\System32\CredentialUIBroker.exe as possible RDP applications called by a user or administrator. But other RDP applications, such as Remote Desktop Connection Manager, may have been called instead.|
To enable Agent Verbose Logging in the RSA Control Center,
2016-09-09 15:53:54.264 764.5496 [I] [Helpers::getModuleLongFilename]
|Resolution||Using a variant of the workaround in article 000033802 (Microsoft Windows update MS16-101 breaks RDP from the RSA Authentication Agent 7.3.1 for Windows for all RSA challenged users) for this defect MIGHT provide a PARTIAL WORKAROUND in this case. "Partial," because it will break the use of native Remote Desktop Connection (mstsc.exe) on remote connections.
1. Launch the registry editor.
2. Open or create the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings.
3. Create a REG_SZ value named RDCFileName and populate it with the fully qualified path to the application. For Remote Desktop Connection Manager, that would be C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe instead of C:\Windows\System32\CredentialUIBroker.exe or C:\Windows\System32\mstsc.exe.|
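The same three steps as a script, added here as an example and not RSA's own code: it assumes RDCMan.exe is installed at the path given above, refuses to write a path to a binary that does not exist, records any previous RDCFileName value so the change can be reverted, and reads the value back to confirm what the agent will see. It must run in an elevated (administrator) PowerShell session.

```powershell
# Added example (not RSA's code): applies the RDCFileName workaround from the
# Resolution steps above and verifies the value that was written.
# Assumption: Remote Desktop Connection Manager lives at the path the article
# gives; adjust $RdpApp if it is installed elsewhere.
$KeyPath = 'HKLM:\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings'
$RdpApp  = 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe'

# Do not point the agent at a binary that is not there: a wrong path leaves
# challenged users with the local passcode prompt described in the Issue.
if (-not (Test-Path -LiteralPath $RdpApp -PathType Leaf)) {
    throw "RDP application not found: $RdpApp"
}

# Step 2: create the policy key if it is missing.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Keep the previous value so the change can be reverted; the article warns
# that this setting breaks native mstsc.exe remote connections.
$Previous = (Get-ItemProperty -LiteralPath $KeyPath -Name 'RDCFileName' `
             -ErrorAction SilentlyContinue).RDCFileName
if ($Previous) { Write-Host "Previous RDCFileName: $Previous" }

# Step 3: write the REG_SZ value (PropertyType String = REG_SZ).
New-ItemProperty -LiteralPath $KeyPath -Name 'RDCFileName' -Value $RdpApp `
                 -PropertyType String -Force | Out-Null

# Read back and confirm the stored path matches exactly.
$Actual = (Get-ItemProperty -LiteralPath $KeyPath -Name 'RDCFileName').RDCFileName
if ($Actual -ne $RdpApp) { throw "RDCFileName verification failed: '$Actual'" }
Write-Host "RDCFileName set to $Actual"
```

To revert, set RDCFileName back to the value printed as "Previous RDCFileName" (or remove the value with Remove-ItemProperty if none was printed).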
An alternative would be to see if RSA Engineering provides a fix or another work-around through RFE AAWIN-2319, for the capability to run the Remote Desktop Connection Manager from a Windows 2012 R2 Server that is protected by the RSA authentication agent to a Windows server that does not have the RSA authentication agent installed.
|Workaround||Use mstsc.exe instead of the RDP manager or CredentialUIBroker.exe or initiate RDP sessions with a non-challenged RSA user.|
|Notes||If you are stuck at the Node Secret Mismatch error and for some reason cannot successfully implement the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings resolution, you may need to open up read permissions to the node secret directory for all authenticated users on the agent machine. |
First, change permissions on the node secret file (named securid by default) to grant read permissions to Authenticated Users. To do this,