000035400 - Updating RSA SecurID Access SSL portal certificate can break Authenticate App tokencode - Authentication Manager integration

Document created by RSA Customer Support Employee on Jul 28, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035400
Applies ToRSA Product Set:  SecurID Access
IssueAfter updating the IDR portal certificate via My Account > Company Settings, SecurID authentication with the Authenticate App no longer works.
When attempting authentication, the Authentication Manager Authentication Activity Monitor shows:
RSA SecurID Access Authenticator Tokencode verification failed for user "<username>"   Unexpected return code or unexpected exception occurred.

CauseThe new certificate is chained from a different root certificate than the original certificate. 
The Authenticate App<->Authentication Manager agent integration (both trusted realm for SecurID Access-only users and the Authenticate App integration for Authentication Manager users) depends on the Authentication Manager trusting the IDR root certificate.  Changing the IDR root certificate will break either type of existing IDR<->Authentication Manager trust relationship.
  1. If using a trusted realm for Authenticate App integration (SecurID Access-only users), delete the existing trusted realm in the Security Console and then re-run the manage-securid-access-trusts command line utility per Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.
  2. If Authentication Manager users are using the Authenticate App to authenticate through SecurID Agents then load the IDR's new root certificate per step 6 of Configure RSA Authentication Manager to Handle Authenticate Tokencodes.
NotesIf the root certificate has not changed then updating the SecurID Access portal certificate should not affect Authenticate App authentication.