Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033671 - RSA Authentication Manager 8.1 SP1 On Demand Authentication requires that the initial PIN be set in the Self-Service Console fails because there is no PIN yet

Document created by RSA Customer Support

on Jan 30, 2017•Last modified by RSA Customer Support on Jan 23, 2018

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033671
Applies To	RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1 SP1 and later
Issue	The issue here is that an RSA administrator is trying to enable On-Demand Authentication (ODA) for an end user. Once the user is enabled for ODA, he cannot use the Self Service Console (SSC) to set his PIN because the SSC is prompting for a PIN after the user enters his password. As shown here, the Self-Service Console (SSC) logon screen requests Jay's user ID and password. The SSC then prompts Jay to enter an existing PIN rather than asking him to create a new PIN. Logon fails because a PIN is not set yet. Using a blank PIN or a PIN of 0000 also fails. In the Security Console, the enable ODA options show a choice between: Require user to setup the PIN through RSA Self-Service Console System generate initial PINs for selected users and export them to a file The option of system generated initial PIN only worked in Authentication Manager 7.1. All the Authentication Manager 8.1 systems here show that the option is: Set initial PIN to [ ] (Pin needs to be communicated to user) This works if we use the System Generate PINs option. We download the file, logon to the SSC with a password, enter the PIN, then create a new PIN. If we select Require user to setup the PIN, and the user logs on to the Security Console, he is prompted to enter a PIN, even though Security Console says PIN not set. Nothing works and the user sees a message of either logon failed or if the PIN is blank, that the field is required
Cause	Configuring logon to the Self Service Console logon to be RSA_Password/LDAP_Password+OnDemand, which translates to either RSA password or LDAP Password first and then On-Demand Authentication. When users setup their ODA PINs in the SSC, it could not work because this setup required an ODA logon, and so is requesting a PIN, which was not created yet.
Resolution	Enabling an ODA user to create their PIN through the Self-Service Console and requiring an ODA logon to the Self-Service Console are mutually exclusive. You can only have one or the other, so options are to either, Manually set ODA user PINs in the Security Console or with the Authentication Manager Bulk Administration (AMBA) tool; or Change the Self-Service logon requirements to not enforce an ODA logon, either by removing it completely or by making it optional with the OR operator (that is, /).
Workaround	Generate PINs for the users. Communicate the PINs in a secure manner to the end users.

Attachments

Outcomes

0 Comments

Recommended Content