RSA SecurID Authenticate Tokencode Integration Issues and Solutions

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 2

If you receive an error that is related to the RSA SecurID Authenticate Tokencode integration, perform the tasks listed in the following table.





General Integration Issues
Existing RSA Authentication Manager users are unable to authenticate with the RSA SecurID Authenticate app.

Authentication Manager users who do not have an active RSA SecurID hardware or software token assigned to them must be enabled to use the RSA SecurID Authenticate app by an Authentication Manager Super Admin. For instructions, see Enable the RSA SecurID Authenticate App for Specific Users.

If a node secret is not available on the authentication agent, existing Authentication Manager users are unable to authenticate, but an error message is not displayed. For more information, see the solution that is described below.

An error message states that the node secret is not available on the authentication agent.

The node secret encrypts communication between an authentication agent and Authentication Manager.

In a new deployment, Authentication Manager automatically creates and sends the node secret to the authentication agent in response to the first successful authentication on the agent.

In an existing deployment, you might need to refresh the node secret when an administrator has cleared the node secret on both an authentication agent and the Authentication Manager instance.

You can use the Node Secret Load Utility to resolve any issues. For instructions, see the Authentication Manager Help topic Refresh the Node Secret Using the Node Secret Load Utility.

A user already has the maximum number of tokens

You can assign up to three active tokens per user, unless an administrator reduces this number, as described in Restrict the Number of Active Tokens per User. The RSA SecurID Authenticate app counts against this limit.

Disable or unassign at least one of the active tokens.

RSA SecurID Access Trusted Realm Integration Issues
Authentication fails intermittently when Authentication Manager is configured to send RSA SecurID Authenticate Tokencodes to an SSO Agent trusted realm.

In this configuration, any changes in the RSA SecurID Access deployment require updates in Authentication Manager. For example, you can provide Authentication Manager with the updated hostname or IP address used by the RSA SecurID Access identity router. For instructions, see Repair an RSA SecurID Access Trusted Realm.

If the trusted realm uses more than one IP address, edit the hosts file, as described in Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.

Time-based RSA SecurID tokencode and Authenticate Tokencode authentication fails, even though users are entering the correct information.

The time difference between the RSA Authentication Manager instance and the identity router is greater than 50 seconds. Make sure the RSA Authentication Manager instances and identity routers synchronize the time against the same Network Time Protocol (NTP) server.

On each RSA Authentication Manager primary or replica instance, log on to the Operations Console and select Administration > Date & Time.

To change the time on the RSA SecurID Access identity router, contact your RSA SecurID Access administrator.
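
The following sketch is an added example, not RSA code: it measures a host's clock offset against an NTP server with a single SNTP query, then compares two such offsets against the 50-second limit described above. The function names are hypothetical, and it assumes Python is available on a host whose clock you want to measure and that both measurements use the same NTP server.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 50         # limit stated in the troubleshooting entry above


def _ntp_to_unix(packet, offset):
    """Decode the 64-bit NTP timestamp at `offset` into Unix seconds."""
    seconds, fraction = struct.unpack_from("!II", packet, offset)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply, t1, t4):
    """Local clock offset from the server, per RFC 4330: ((T2-T1)+(T3-T4))/2.

    t1 is the local send time and t4 the local receive time (Unix seconds).
    A positive result means the local clock is behind the server.
    """
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:
        # Not a server reply, or a kiss-of-death packet: timestamps are unusable.
        raise ValueError("not a usable server reply")
    t2 = _ntp_to_unix(reply, 32)  # server receive timestamp
    t3 = _ntp_to_unix(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2


def query_offset(server, timeout=5.0):
    """Send one SNTP client request to `server`; return this host's offset."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def skew_exceeds_limit(offset_a, offset_b, limit=MAX_SKEW_SECONDS):
    """True if two hosts measured against the same server differ by more than `limit`."""
    return abs(offset_a - offset_b) > limit
```

Run `query_offset()` with your NTP server's address on each host, then pass the two results to `skew_exceeds_limit()`.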

The connection between Authentication Manager and the RSA SecurID Access repeatedly times out.

By default, Authentication Manager waits 30 seconds for a response after sending an authentication request, but you can increase this value. For instructions, see Configure a Timeout Setting for Authentication Requests.

An authentication agent rejects RSA SecurID Authenticate Tokencodes. Other authentication agents send Authenticate Tokencodes to RSA SecurID Access.

For each authentication agent being used with the RSA SecurID Access trusted realm, select Enable Trusted Realm Authentication.

For instructions, see Add an Authentication Agent.


Users cannot be found in the RSA SecurID Access trusted realm.

Contact your RSA SecurID Access administrator.

The RSA SecurID Access administrator might need to synchronize the identity source with the Cloud Authentication Service. For instructions, see the RSA SecurID Access SSO Agent Setup and Configuration Guide.

A user who exists in an RSA SecurID Access identity source cannot authenticate with an Authenticate Tokencode.

Ask the user to authenticate again. If authentication continues to fail, then contact your RSA SecurID Access administrator.

The RSA SecurID Access administrator might need to see the Help topic for possible solutions.

RSA SecurID Access Issues When Using SecurID Authentication

Authentication fails intermittently when RSA SecurID is used as an authentication method to protect SaaS and on-premise web applications.

Authentication can fail if the static route between Authentication Manager and the SSO Agent needs to be updated. For example, update the static route if a new Authentication Manager replica instance is added, an existing Authentication Manager primary or replica instance has a new IP address, or the hostname of the identity router changes.

For instructions, see the Help topic

Authentication can fail for other reasons. In Authentication Manager, do the following:

  • Verify that the user entered the RSA SecurID PIN and tokencode correctly.
  • On the Authentication Manager Security Console Home page, use the Quick Search drop-down list to locate the user:
    • Check to see if the user's token is disabled.
    • Check to see if the user's account is locked.