RSA Authentication Manager 8.1 SP1 On Demand Authentication requires that the initial PIN be set in the Self-Service Console fails because there is no PIN yet
3 years ago
Originally Published: 2016-08-02
Article Number
000042987
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 and later
 
Issue
The issue here is that an RSA administrator is trying to enable On-Demand Authentication (ODA) for an end user.
 
enable ODA user
 
  1. Once the user is enabled for ODA, he cannot use the Self Service Console (SSC) to set his PIN because the SSC is prompting for a PIN after the user enters his password.
  2. As shown here, the Self-Service Console (SSC) logon screen requests Jay's user ID and password.
SSC Password
  1. The SSC then prompts Jay to enter an existing PIN rather than asking him to create a new PIN.
SSC_PIN
  1. Logon fails because a PIN is not set yet.  Using a blank PIN or a PIN of 0000 also fails.
PIN Required
 
  1. In the Security Console, the enable ODA options show a choice between:
  • Require user to setup the PIN through RSA Self-Service Console
  • System generate initial PINs for selected users and export them to a file

System PIN
  1. The option of system generated initial PIN only worked in Authentication Manager 7.1.  All the Authentication Manager 8.1 systems here show that the option is:
Set initial PIN to [      ] (Pin needs to be communicated to user)
 
Set Initial PIN
 
  1. This works if we use the System Generate PINs option.  We download the file, logon to the SSC with a password, enter the PIN, then create a new PIN.
  2. If we select Require user to setup the PIN, and the user logs on to the Security Console, he is prompted to enter a PIN, even though Security Console says PIN not set. Nothing works and the user sees a message of either logon failed or if the PIN is blank, that the field is required
Cause
Configuring logon to the Self Service Console logon to be RSA_Password/LDAP_Password+OnDemand, which translates to either RSA password or LDAP Password first and then On-Demand Authentication.
 
SC-Setup-SSC-Authentication
 
When users setup their ODA PINs in the SSC, it could not work because this setup required an ODA logon, and so is requesting a PIN, which was not created yet.
Resolution
Enabling an ODA user to create their PIN through the Self-Service Console and requiring an ODA logon to the Self-Service Console are mutually exclusive.  You can only have one or the other, so options are to either,
  1. Manually set ODA user PINs in the Security Console or with the Authentication Manager Bulk Administration (AMBA) tool; or
  2. Change the Self-Service logon requirements to not enforce an ODA logon, either by removing it completely or by making it optional with the OR operator (that is, /).
Workaround
  1. Generate PINs for the users.
  2. Communicate the PINs in a secure manner to the end users.
Don't see what you're looking for?