RSA Product Set: RSA ID Plus
RSA Product/Service Type:
RSA Cloud Authentication Service
RSA MFA Agent for Microsoft Windows
Version(s): All supported versions
After Providing the correct credentials for accessing a protected resource. it takes around 5 seconds or more to get the MFA prompt for additional authentication.
One possible reason for this is the time it takes for location collection.
After user id and password are entered, the RSA MFA Agent for Windows uses various underlying Microsoft Windows operating system services to process the authentication, e.g. to check the password, fetch the user's group membership information and fetch computer location information. A noticeable delay after user id and password is entered will usually mean slow response from one or more of those Windows services.
For example, when fetching location information, the default timeout that the MFA Agent will wait for Microsoft Windows to return the location (latitude and longitude) of the computer, is 5 seconds. So, the Agent may have to wait up to 5 seconds for location information to be returned.
To find the reason for a delay, in RSA MFA Agent GPO Policy, configure the "Specify Logging Options" policy to set Log Level to Verbose and select all components to log. Reproduce the issue, then review the event time stamps in the applicable MFA Agent log to find the point where delay(s) have occurred.
Example SIDAccessCredentialProvider(LogonUI).log events showing location collection failing due to timeout, which is set to the 5 second default:
[Local: 2025-01-23 15:43:00.453] 2025-01-23 20:43:00.453 3736.1 [I] [RSA.Authentication.EventLogging.RsaEventLogger.WriteInfo] System can access location data because location service is on for this computer for user 'xxxx'.
[Local: 2025-01-23 15:43:00.457] 2025-01-23 20:43:00.457 3736.1 [V] [RSA.Authentication.EventLogging.RsaEventLogger.WriteInfo] Return
[Local: 2025-01-23 15:43:05.441] 2025-01-23 20:43:05.441 3736.1 [V] [RSA.Authentication.EventLogging.RsaEventLogger.WriteWarning] Enter
[Local: 2025-01-23 15:43:05.444] 2025-01-23 20:43:05.444 3736.1 [W] [RSA.Authentication.EventLogging.RsaEventLogger.WriteWarning] Unsuccessful collection of location from this computer for user 'xxxx' within the specified timeout.
Location collection is only needed if Trusted Location is used in Condition Attribute(s) in the Access Policy used by the MFA Agent.
- If Trusted Location is not used in that Access Policy, location collection should be disabled in the MFA Agent. That will eliminate any delay due to location collection.
- If Trusted Location is used in that Access Policy, you can adjust the maximum amount of time that the MFA Agent will wait for location to be collected by Microsoft Windows.
To disable location collection, edit the GPO Policy "Collect system attributes for Cloud Authentication Service access policy" and set it to Disabled. Note that if that GPO Policy is set to "Not Configured" or "Enabled", the MFA Agent will still initiate location collection.
To adjust the maximum time that the MFA Agent will wait for location to be collected, edit the GPO Policy "Specify Location Collection Timeout".
If the MFA Agent triggers location collection but Windows does not return the location details within the timeout period, the Cloud Authentication Service will treat user location as "not trusted". Depending on rules and conditions set in the access policy, login may be challenged for MFA or denied when location is "not trusted".
The following GPO policies manage location collection for the RSA MFA Agent for Windows:
- Collect system attributes for Cloud Authentication Service access policy
- Specify Location Collection Timeout
For details about these two policies, refer the RSA MFA Agent for Microsoft Windows Group Policy Object Template Guide for your MFA Agent version.
Refer the following RSA Cloud Authentication Service online help for information about location use in access policies:
- Section "Trusted Location Attribute" on page Condition Attributes for Access Policies.
Location data is not available to the MFA Agent when the Windows computer where the Agent is running is incapable of providing it, or where location collection is disabled in Microsoft Windows itself. Refer Microsoft documentation for your Windows version, for more information about enabling/disabling location privacy settings in Windows.
Related Articles
RSA Authentication Agent for Web for IIS protecting Microsoft Outlook Web Access (OWA) with single sign-on (SSO), but gett… Number of Views RSA MFA Agent 3.x AD FS for Windows Not Prompting for MFA on Test Page Number of Views Enable a web proxy for RSA MFA Agent for Microsoft Windows Number of Views Getting started with the RSA SecurID Access Cloud Authentication Service Number of Views Change Requests fail with 'Error getting UniqueID The UniqueIDUpdateService returned a null value' error in RSA Identity G… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
