RSA MFA Agent offline authentication fails with the error "Offline authentication is not available. Wait 60 seconds and try again"
Article Number
Applies To
RSA Product set: SecurID
RSA Product/Service Type:
a. MFA Agent for Microsoft Windows (2.2.x and above)
b. RSA AM (8.7 SP1 and above)
Issue
Cause
[Local: 2023-11-10 09:17:53.141] 2023-11-10 15:17:53.141 3600.92 [I] [RSA.Authentication.Offline.Services.DayFileSvc.IsOfflineFilesAvailableForUser] Domain_Name\UserID is not enabled for offline authentication
[Local: 2023-11-10 09:22:05.861] 2023-11-10 15:22:05.861 3600.62 [W] [RSA.Authentication.EventLogging.RsaEventLogger.WriteWarning] Failed to download offline data for the user. WPI certificate not available. Please contact the Administrator.
[Local: 2023-11-10 09:22:05.717] 2023-11-10 15:22:05.717 3600.62 [E] [RSA.Authentication.Offline.Services.Security.JWTHelper.GetCertificate] Agent instance certificate not found in the store.
[Local: 2023-11-10 09:22:05.777] 2023-11-10 15:22:05.777 3600.62 [E] [RSA.Authentication.Offline.Services.Security.JWTHelper.GetJwtToken] Failed to get Agent instance certificate from the store.
If the WPI is enabled in the offline policy in the RSA AM Security Console:
- Login Page: The user enters both the LDAP password and the token code on the first successful authentication. The offline days are downloaded as a combination of the LDAP password and the token codes, which can be used for the next 14 days (as per the number of days configured in the policy).
- Test Utility: It reports that the request sent should contain the LDAP password and the token code, not the token code only, which results in the error "Offline authentication is not available. Wait 60 seconds and try again".
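To check an agent log for the entries listed under Cause, the following added example (not RSA code) parses the line layout shown above and orders the matching entries by timestamp. The function names and labels are hypothetical, and treating the `3600.62`-style field as an execution-context identifier is an assumption.

```python
import re
from collections import defaultdict

# Layout seen in the excerpts above:
# [Local: <ts>] <ts> <n>.<n> [<level>] [<component>] <message>
# Assumption: the <n>.<n> field identifies the execution context of the entry.
LINE_RE = re.compile(
    r"^\[Local: (?P<local>[^\]]+)\] (?P<ts>\S+ \S+) (?P<ctx>\d+\.\d+) "
    r"\[(?P<level>[A-Z])\] \[(?P<component>[^\]]+)\] (?P<message>.*)$"
)

# Message fragments copied from the excerpts; the labels are hypothetical.
SIGNATURES = {
    "is not enabled for offline authentication": "user_not_enabled_offline",
    "WPI certificate not available": "wpi_certificate_unavailable",
    "Agent instance certificate not found in the store": "agent_cert_missing",
    "Failed to get Agent instance certificate from the store": "agent_cert_fetch_failed",
}

# Sample input: the four log lines quoted in this article, in page order.
SAMPLE = r"""[Local: 2023-11-10 09:17:53.141] 2023-11-10 15:17:53.141 3600.92 [I] [RSA.Authentication.Offline.Services.DayFileSvc.IsOfflineFilesAvailableForUser] Domain_Name\UserID is not enabled for offline authentication
[Local: 2023-11-10 09:22:05.861] 2023-11-10 15:22:05.861 3600.62 [W] [RSA.Authentication.EventLogging.RsaEventLogger.WriteWarning] Failed to download offline data for the user. WPI certificate not available. Please contact the Administrator.
[Local: 2023-11-10 09:22:05.717] 2023-11-10 15:22:05.717 3600.62 [E] [RSA.Authentication.Offline.Services.Security.JWTHelper.GetCertificate] Agent instance certificate not found in the store.
[Local: 2023-11-10 09:22:05.777] 2023-11-10 15:22:05.777 3600.62 [E] [RSA.Authentication.Offline.Services.Security.JWTHelper.GetJwtToken] Failed to get Agent instance certificate from the store.
"""

def parse_line(line):
    """Return the fields of one agent log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Map each context id to its matching signature labels, ordered by timestamp."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        for fragment, label in SIGNATURES.items():
            if fragment in rec["message"]:
                hits[rec["ctx"]].append((rec["ts"], label))
    return {ctx: [label for _, label in sorted(ev)] for ctx, ev in hits.items()}

if __name__ == "__main__":
    for ctx, labels in triage(SAMPLE.splitlines()).items():
        print(ctx, " -> ".join(labels))
```

Sorting by timestamp shows that the two certificate errors come before the "WPI certificate not available" warning, although the warning is listed first above.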
Resolution
1. Delete the offline data folder
2. Disable the WPI in the offline policy in the RSA AM Security Console (if it is not being used by the customer)
3. Perform an online authentication followed by an offline authentication
- If you are planning to use the WPI:
1. Make sure that the Enable RSA Authentication policy is enabled, which means that the user you are testing with is located in a challenged group
2. Log off the Windows machine
3. Log in again with the same user that you were using in the RSA MFA test utility
4. When you access the machine again, perform an online authentication followed by an offline authentication via the RSA MFA test utility
Expected Result: Authentication succeeds and the offline days are downloaded successfully; they are then used in the offline authentication.