000033671 - RSA Authentication Manager 8.1 SP1 On Demand Authentication that requires that the initial PIN be set in the Self-Service Console fails because there is no PIN yet

Document created by RSA Customer Support Employee on Jan 30, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000033671
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 SP1 and later
 
Issue
An RSA administrator is trying to enable On-Demand Authentication (ODA) for an end user.

[Screenshot: enable ODA user]

  1. Once the user is enabled for ODA, he cannot use the Self-Service Console (SSC) to set his PIN, because the SSC prompts for a PIN after the user enters his password.
  2. As shown here, the Self-Service Console logon screen requests Jay's user ID and password.

[Screenshot: SSC Password]

  3. The SSC then prompts Jay to enter an existing PIN rather than asking him to create a new PIN.

[Screenshot: SSC_PIN]

  4. Logon fails because a PIN is not set yet.  Using a blank PIN or a PIN of 0000 also fails.

[Screenshot: PIN Required]

  5. In the Security Console, the Enable ODA options offer a choice between:
     Require user to setup the PIN through RSA SSC
     System generate initial PINs for selected users and export to file

[Screenshot: System PIN]

  6. The option to have the system generate an initial PIN only worked in Authentication Manager 7.1.  All the Authentication Manager 8.1 systems here show the option as:
     Set initial PIN to [      ] (PIN needs to be communicated to user)

[Screenshot: Set Initial PIN]

  7. This works if we use the System Generate PINs option: we download the file, log on to the SSC with a password, enter the PIN, then create a new PIN.
  8. If we select Require user to setup the PIN and the user logs on to the Self-Service Console, he is prompted to enter a PIN even though the Security Console says the PIN is not set.  Nothing works: the user sees either a "logon failed" message or, if the PIN is left blank, a message that the field is required.
Cause
The Self-Service Console logon method is configured as RSA_Password/LDAP_Password+OnDemand, which means RSA password or LDAP password first ("/" is OR), and then On-Demand Authentication ("+" is AND).

[Screenshot: SC-Setup-SSC-Authentication]

When a user tries to set up his ODA PIN in the SSC, it cannot work: reaching the SSC requires an ODA logon, so the console asks for a PIN, but that PIN has not been created yet.
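The following Python script is an added example, not code from the RSA article or from Authentication Manager. It evaluates an SSC logon-method string the way the article reads it ("/" is OR, "+" is AND, so RSA_Password/LDAP_Password+OnDemand means RSA or LDAP password, then ODA) and reports whether a user who has no ODA PIN yet can reach the console at all. The precedence rule (stages separated by "+", alternatives within a stage separated by "/") and the exact form of the "optional ODA" expression are assumptions; the method names come from the article.

```python
# Added example (not from the RSA article): decide whether a Self-Service
# Console logon-method expression forces On-Demand Authentication (ODA) on
# every logon path. Per the article, "/" is OR and "+" is AND, read as
# "(RSA_Password or LDAP_Password) then OnDemand". The parser therefore
# splits on "+" into stages and on "/" into alternatives within a stage.
# That precedence and the sample "optional ODA" string are assumptions.
from typing import List

ODA = "OnDemand"


def parse_logon_method(expr: str) -> List[List[str]]:
    """Return the expression as a list of stages; any one method listed in a
    stage satisfies that stage."""
    stages = []
    for stage in expr.split("+"):
        methods = [m.strip() for m in stage.split("/") if m.strip()]
        if not methods:
            raise ValueError(f"empty stage in logon method: {expr!r}")
        stages.append(methods)
    return stages


def oda_required(expr: str) -> bool:
    """True when some stage can only be satisfied by ODA: a user without an
    ODA PIN is then locked out of the console before he can create one."""
    return any(stage == [ODA] for stage in parse_logon_method(expr))


def pinless_user_can_log_on(expr: str) -> bool:
    """A user with no ODA PIN can log on only if ODA is never the sole
    method in a stage (it may still be one OR alternative among others)."""
    return not oda_required(expr)


# Constructed sample configurations: the article's failing setting, ODA
# removed entirely, and ODA demoted to an OR alternative (assumed form).
FAILING = "RSA_Password/LDAP_Password+OnDemand"
FIXED_REMOVED = "RSA_Password/LDAP_Password"
FIXED_OPTIONAL = "RSA_Password/LDAP_Password/OnDemand"

if __name__ == "__main__":
    for expr in (FAILING, FIXED_REMOVED, FIXED_OPTIONAL):
        print(f"{expr:40s} PIN-less user can log on: {pinless_user_can_log_on(expr)}")
```

Run it against the logon method string configured for your SSC: if oda_required() returns True, users whose PIN status is "not set" cannot self-enrol through the console, which is exactly the situation the article describes.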
Resolution
Enabling an ODA user to create his PIN through the Self-Service Console and requiring an ODA logon to the Self-Service Console are mutually exclusive.  You can only have one or the other, so the options are to either
  1. manually set ODA user PINs in the Security Console or with the Authentication Manager Bulk Administration (AMBA) tool; or
  2. change the Self-Service Console logon requirements so that they do not enforce an ODA logon, either by removing ODA from the logon method completely or by making it optional with the OR operator (that is, /) instead of the AND operator (+).
Workaround
  1. Generate PINs for the users.
  2. Communicate the PINs in a secure manner to the end users.
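As an added example of the "generate PINs" step, the Python script below (not from the RSA article or the AMBA tool) produces one random initial ODA PIN per user from the OS CSPRNG, rejects trivially guessable values such as 0000 or 1234, and writes the result as CSV for hand-off. The PIN length, the sample user IDs and the CSV column names are assumptions; match the length to the PIN policy configured in the Security Console and the column layout to whatever import format you actually use.

```python
# Added example (not from the RSA article or AMBA): generate initial ODA PINs
# with the secrets module, reject weak ones, and emit a CSV. PIN_LENGTH, the
# user list and the CSV columns are assumptions, not RSA-defined values.
import csv
import io
import secrets
from typing import Dict, Iterable

PIN_LENGTH = 6  # assumed; match the ODA PIN policy on your deployment


def is_weak_pin(pin: str) -> bool:
    """Reject PINs an attacker tries first: one repeated digit (0000, 1111),
    straight ascending/descending runs (1234, 9876) and a few common values."""
    if len(set(pin)) == 1:
        return True
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    if all(s == 1 for s in steps) or all(s == -1 for s in steps):
        return True
    return pin in {"1212", "2580", "112233", "123123"}


def generate_pin(length: int = PIN_LENGTH) -> str:
    """Uniformly random numeric PIN, retried until it passes is_weak_pin().
    Rejection sampling keeps the result uniform over the accepted set."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_weak_pin(pin):
            return pin


def generate_initial_pins(user_ids: Iterable[str], length: int = PIN_LENGTH) -> Dict[str, str]:
    """One independent PIN per distinct user ID (duplicates collapse)."""
    return {uid: generate_pin(length) for uid in dict.fromkeys(user_ids)}


def pins_to_csv(pins: Dict[str, str]) -> str:
    """Serialise as CSV with the assumed columns user_id,initial_pin."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user_id", "initial_pin"])
    for uid, pin in pins.items():
        writer.writerow([uid, pin])
    return buf.getvalue()


if __name__ == "__main__":
    sample_users = ["jay", "asmith", "bjones"]  # constructed sample list
    print(pins_to_csv(generate_initial_pins(sample_users)), end="")
```

Treat the generated file as a credential: deliver each PIN to its user out of band rather than by plain e-mail, and delete the file once the users have completed the first SSC logon, at which point the console makes them replace the initial PIN with one of their own (step 7 of the Issue above).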
