Article Number | 000033671 |
Applies To | RSA Product Set: SecurID; RSA Product/Service Type: Authentication Manager; RSA Version/Condition: 8.1 SP1 and later |
Issue | An RSA administrator enables On-Demand Authentication (ODA) for an end user, but the user is then unable to set an initial ODA PIN.
- Once the user is enabled for ODA, he cannot use the Self-Service Console (SSC) to set his PIN, because the SSC prompts for an existing PIN after the user enters his password.
- The Self-Service Console logon screen requests the user's (Jay's) user ID and password.
- The SSC then prompts Jay for an existing PIN rather than asking him to create a new one.
- Logon fails because no PIN has been set yet. Entering a blank PIN or a PIN of 0000 also fails.
- In the Security Console, the Enable ODA options offer a choice between:
- Require user to setup the PIN through RSA Self-Service Console
- System generate initial PINs for selected users and export them to a file
- The system-generated initial PIN option in that form was only available in Authentication Manager 7.1. All the Authentication Manager 8.1 systems examined here instead show the option as:
Set initial PIN to [ ] (PIN needs to be communicated to user)
- Logon does work when the system-generated PIN option is used: the administrator downloads the PIN file, and the user logs on to the SSC with a password, enters the generated PIN, and is then prompted to create a new PIN.
- If Require user to setup the PIN is selected and the user logs on to the Self-Service Console, he is prompted to enter a PIN even though the Security Console shows that no PIN is set. Nothing works: the user sees either a logon failed message or, if the PIN field is left blank, a message that the field is required.
|
Cause | The Self-Service Console logon method is configured as RSA_Password/LDAP_Password+OnDemand, which means either an RSA password or an LDAP password first, followed by On-Demand Authentication.
Setting up an ODA PIN in the SSC cannot succeed under this configuration, because reaching the SSC already requires a full ODA logon, so the console asks for a PIN that has not yet been created. |
Resolution | Allowing an ODA user to create their PIN through the Self-Service Console and requiring an ODA logon to the Self-Service Console are mutually exclusive. Only one of the two can be in effect, so the options are to either:
- Set ODA user PINs manually in the Security Console or with the Authentication Manager Bulk Administration (AMBA) tool; or
- Change the Self-Service Console logon method so that it does not enforce an ODA logon, either by removing OnDemand from the logon method entirely or by making it optional with the OR operator (that is, /).
|
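The following Python model is added here as an illustration of the Cause and Resolution sections; it is not RSA code and does not come from this article. It evaluates a Self-Service Console logon-method expression against a user's credential state and reports the stage at which logon is blocked, which shows why the AND form (RSA_Password/LDAP_Password+OnDemand) locks out a freshly ODA-enabled user with no PIN while the OR form or a password-only method does not. The parsing rules (+ joins required stages, / separates alternatives within a stage, / binds tighter than +), the method names, and the user-state fields are simplifying assumptions based on the reading of the logon method given above, and the sample users are constructed for the example.

```python
"""Toy model of RSA Authentication Manager logon-method expressions.

Added example, not RSA code. Assumptions (not taken from the article):
  - '+' joins stages that must all succeed (AND);
  - '/' separates alternative methods within one stage (OR);
  - '/' binds tighter than '+', so RSA_Password/LDAP_Password+OnDemand
    reads as "(RSA password or LDAP password) and then On-Demand";
  - OnDemand is only usable once the user is ODA-enabled AND has a PIN.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UserState:
    """Credential state of one user, as the console would see it."""
    has_rsa_password: bool
    has_ldap_password: bool
    oda_enabled: bool
    oda_pin_set: bool


def parse_logon_method(expr: str) -> List[List[str]]:
    """Split 'A/B+C' into stages [['A', 'B'], ['C']]."""
    stages = []
    for raw_stage in expr.split("+"):
        alternatives = [m.strip() for m in raw_stage.split("/") if m.strip()]
        if not alternatives:
            raise ValueError(f"empty stage in logon method {expr!r}")
        stages.append(alternatives)
    return stages


def method_usable(method: str, user: UserState) -> bool:
    """Can this user satisfy one authentication method right now?"""
    if method == "RSA_Password":
        return user.has_rsa_password
    if method == "LDAP_Password":
        return user.has_ldap_password
    if method == "OnDemand":
        # ODA needs a PIN to request a tokencode; no PIN means no logon.
        return user.oda_enabled and user.oda_pin_set
    raise ValueError(f"unknown authentication method {method!r}")


def first_blocking_stage(expr: str, user: UserState) -> Optional[List[str]]:
    """Return the first stage the user cannot pass, or None if logon succeeds."""
    for stage in parse_logon_method(expr):
        if not any(method_usable(m, user) for m in stage):
            return stage
    return None


def can_log_on(expr: str, user: UserState) -> bool:
    return first_blocking_stage(expr, user) is None


# Constructed sample: a user just enabled for ODA with "Require user to
# setup the PIN through RSA Self-Service Console", so no PIN exists yet.
NEW_ODA_USER = UserState(has_rsa_password=True, has_ldap_password=False,
                         oda_enabled=True, oda_pin_set=False)
# Same user after the administrator set an initial PIN (the workaround).
USER_WITH_PIN = UserState(has_rsa_password=True, has_ldap_password=False,
                          oda_enabled=True, oda_pin_set=True)

AND_METHOD = "RSA_Password/LDAP_Password+OnDemand"   # configuration from the Cause section
OR_METHOD = "RSA_Password/LDAP_Password/OnDemand"    # ODA made optional with '/' (assumed syntax)
PASSWORD_ONLY = "RSA_Password/LDAP_Password"         # ODA removed from the logon method

if __name__ == "__main__":
    for label, expr in (("AND", AND_METHOD), ("OR", OR_METHOD), ("password-only", PASSWORD_ONLY)):
        blocked = first_blocking_stage(expr, NEW_ODA_USER)
        print(f"{label:14} {expr}: "
              + ("logon OK" if blocked is None else f"blocked at stage {blocked}"))
```

Running the script shows the new ODA user blocked at the OnDemand stage under the AND method and able to log on under either alternative; once an initial PIN is set (USER_WITH_PIN), the AND method passes as well, which is exactly the state the workaround below produces.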
Workaround | - Generate initial PINs for the affected users in the Security Console or with the AMBA tool.
- Communicate the PINs to the end users through a secure channel.
|