If you receive an error that is related to the RSA SecurID Authenticate Tokencode integration, perform the tasks listed in the following table.
|General Integration Issues|
|Existing RSA Authentication Manager 8.2 SP1 and 8.3 users who do not have an active RSA SecurID hardware or software token assigned to them are unable to authenticate with the Authenticate Tokencode.|| |
See Enable the RSA SecurID Authenticate App for Specific Users to enable these users to use the Authenticate Tokencode.
Version 8.4 users without active tokens do not require this procedure.
An error message states that the node secret is not available on the authentication agent.
The node secret does not exist on the authentication agent, but there is no error message.
The node secret encrypts communication between an authentication agent and Authentication Manager. Node secrets are required for users to authenticate on RSA authentication agents.
In a new authentication agent deployment, Authentication Manager automatically creates and sends the node secret to the authentication agent in response to the first successful authentication on the agent. A user must first authenticate to the agent with an RSA SecurID hardware token, an RSA SecurID software token, or a fixed passcode, or you must manually create the node secret with the Node Secret Load Utility. Using the RSA SecurID Authenticate app does not create the node secret.
You might need to refresh the node secret when an administrator has cleared the node secret on both an authentication agent and the Authentication Manager instance. For instructions, see Refresh the Node Secret .
|A user already has the maximum number of tokens|| |
You can assign up to three active tokens per user, unless an administrator reduces this number, as described in Restrict the Number of Active Tokens per User. The RSA SecurID Authenticate app counts against this limit.
Disable or unassign at least one active token.
|RSA SecurID AccessTrusted Realm Integration Issues|
|Authentication fails intermittently when Authentication Manager is configured to send RSA SecurID Authenticate Tokencodes to an SSO Agent trusted realm.|| |
In this configuration, any changes in the Cloud Authentication Service deployment require updates in Authentication Manager. For example, you can provide Authentication Manager with the updated hostname or IP address used by the RSA SecurID Access identity router. For instructions, see Repair an RSA SecurID Access Trusted Realm.
If the trusted realm uses more than one IP address, edit the hosts file, as described in Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.
|Time-based RSA SecurID tokencode and Authenticate Tokencode authentication fails, even though users are entering the correct information.|| |
The time difference between the RSA Authentication Manager instance and the identity router is greater than 50 seconds. Make sure the RSA Authentication Manager instances and identity routers synchronize the time against the same Network Time Protocol (NTP) server.
On each RSA Authentication Manager primary or replica instance, log on to the Operations Console and select Administration > Date & Time.
To change the time on the RSA SecurID Access identity router, contact your Cloud Authentication Service administrator.
|The connection between Authentication Manager and the Cloud Authentication Service repeatedly times out.||By default, Authentication Manager waits 30 seconds for a response after sending an authentication request, but you can increase this value. For instructions, see Configure a Timeout Setting for Authentication Requests.|
An authentication agent rejects RSA SecurID Authenticate Tokencodes. Other authentication agents send Authenticate Tokencodes to the Cloud Authentication Service.
For each authentication agent being used with the RSA SecurID Access trusted realm, selectEnable Trusted Realm Authentication.
For instructions, see Add an Authentication Agent.
Users cannot be found in the RSA SecurID Access trusted realm.
Contact your RSA SecurID Access administrator.
The Cloud Authentication Service administrator might need to synchronize the identity source with the Cloud Authentication Service. For instructions, see the RSA SecurID AccessSSO AgentSetup and Configuration Guide.
|A user who exists in an RSA SecurID Access identity source cannot authenticate with an Authenticate Tokencode.|| |
Ask the user to authenticate again. If authentication continues to fail, then contact your Cloud Authentication Service administrator.
The Cloud Authentication Service administrator might need to see the Help topic https://community.rsa.com/docs/DOC-54094 for possible solutions.
|Cloud Authentication Service Issues When Using SecurID Authentication|
Authentication fails intermittently when RSA SecurID is used as an authentication method to protect SaaS and on-premise web applications.
Authentication can fail if the static route between Authentication Manager and the SSO Agent needs to be updated. For example, update the static route if a new Authentication Manager replica instance is added, an existing Authentication Manager primary or replica instance has a new IP address, or the hostname of the identity router changes.
For instructions, see the Help topic https://community.rsa.com/docs/DOC-54121.
Authentication can fail for other reasons. In Authentication Manager, do the following: