000036439 - How to test authentication from RSA Authentication Agent 1.0.2 for Microsoft AD FS 3.0 when it fails with a UDP packet creation error.

Document created by RSA Customer Support Employee on Jul 18, 2018
Last modified by RSA Customer Support Employee on Jul 18, 2018
Version 2

Article Content

Article Number: 000036439
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for AD FS
RSA Version/Condition: 1.0.2
Platform: Microsoft AD FS 3.0
O/S Version: Windows 2016 Server
 
Issue
After a successful first test authentication, subsequent test authentications are failing from the RSA Authentication Agent 1.0.2 for AD FS 3.0 running on Windows 2016 Server with the following error:

UDP Packet Creation Error.

Cause
Listed below are the probable causes for the error:
  • The presence of antivirus software on the user's machine
  • User privileges
  • Incorrect DNS name resolution for the machine on which the RSA Authentication Agent 1.0.2 for AD FS is installed
  • A local Windows firewall
Resolution
  1. Ensure that DNS name resolution is successful for the AD FS agent:
    1. Log on to the Operations Console of the appliance.
    2. Click Administration > Network > Network Tools.
    3. From the Select Command drop-down list, choose NSLookup to verify the IP address or hostname.
    4. Click Run Command.

  2. Make certain that the IP address override is properly configured for the AD FS agent installed on the AD FS server (see 000029015 - Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays for information on how to configure an IP override).
  3. Perform an automatic rebalance from the primary Authentication Manager server's Security Console:
    1. Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.
    2. Click Rebalance.

  4. If the node secret was saved on the agent machine, especially if the server indicates the node secret was sent, verify that read and write permissions are granted on C:\Program Files (x86)\RSA Security\RSAWebAgent (where the node secret is written by default):
    1. Right click on the location folder.
    2. Select Properties > Security.
    3. Click Edit.
    4. Check the Full Control option.
    5. Click Apply then OK.

  5. Clear any existing node secrets, both on the agent and the server.

    • Clearing the node secret on server

    1. Log in to the primary's Security Console.
    2. Select Access > Authentication Agents > Manage Existing.
    3. Right click on the agent and select Manage Node Secret from the context menu.
    4. Check the Clear the node secret option.
    5. Click Save.

    • Clearing the node secret on agent

    1. On the AD FS server, click Start > Apps > RSA Control Center to launch RSA Control Center.
    2. Under SecurID Settings, select Advanced Tools.
    3. Click Clear Node Secret.
    4. Click Yes.

    If Windows Server is installed in Server Core mode, launch Control Center from the command line by running RSAControlCenter.exe from C:\Program Files\Common Files\RSA Shared\RSA .NET\.

  6. Disable any firewall or installed antivirus software on the AD FS server.
  7. Run the RSA Authentication Agent 1.0.2 for AD FS application with elevated privileges using the Run as Administrator option and try multiple test authentications.
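
The DNS, folder permission and firewall causes listed above can be checked from PowerShell on the AD FS server before anything is changed. The script below is an added example, not part of the original RSA article or an RSA tool; it assumes it is run on the AD FS server, and the parameter names `$AgentHost` and `$AgentPath` are chosen here for illustration.

```powershell
# Added example: read-only checks for the causes listed in this article.
# Nothing here changes DNS, permissions or firewall state.
param(
    # Assumption: the script runs on the AD FS server where the agent is installed.
    [string]$AgentHost = $env:COMPUTERNAME,
    # Default node secret folder named in the article.
    [string]$AgentPath = 'C:\Program Files (x86)\RSA Security\RSAWebAgent'
)

# 1. DNS: forward lookup, then a reverse lookup of every IPv4 address returned.
$a = Resolve-DnsName -Name $AgentHost -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' }
if (-not $a) { Write-Warning "No A record found for $AgentHost" }
$dns = foreach ($rec in $a) {
    $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' }
    [pscustomobject]@{
        Name      = $rec.Name
        IPAddress = $rec.IPAddress
        PTR       = $ptr.NameHost -join ', '
        # Forward and reverse agree when a PTR target equals the forward name.
        Agrees    = @($ptr.NameHost) -contains $rec.Name
    }
}
$dns | Format-Table -AutoSize

# 2. Node secret folder: list each access rule and whether it allows writes.
# Rules stored as generic rights appear as raw numbers and are not decoded here.
$write = [int][System.Security.AccessControl.FileSystemRights]::Write
if (Test-Path -LiteralPath $AgentPath) {
    (Get-Acl -LiteralPath $AgentPath).Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.FileSystemRights
            AllowsWrite = ($_.AccessControlType -eq 'Allow') -and
                          (([int]$_.FileSystemRights -band $write) -eq $write)
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning "Folder not found: $AgentPath"
}

# 3. Windows firewall: which profiles are currently enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
```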
