Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSeal in RSA Authentication Manager 8.x
Originally Published: 2015-10-21
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: IBM WebSEAL 6.1.1.x
Platform (Other): IBM Security Access Manager (formerly called IBM Tivoli Access Manager)
Issue
- Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSeal in RSA Authentication Manager 8.x.
- If the token is not in Next Tokencode Mode or New Pin Mode, authentication is successful.
- Underlying the IBM WebSeal is the RSA Authentication Agent for PAM.
- Both Next Tokencode Mode and New PIN Mode work as expected with the PAM acetest utility.
- Therefore, the problem is specific to using WebSEAL.
Cause
Resolution
- Create a new setting in the WebSEAL configuration.
create-unauth-sessions = yes
- Restart the WebSEAL application.
This will allow for successful authentications when a token is in either Next Tokencode Mode or New PIN Mode.
Notes
If consulting with IBM Support, reference IBM PMR 40092,122,000 for more information.
Related Articles
Cisco Router with IOS 12.2(2)XB/12.2(4)T or later unable to handle New PIN Mode and Next Tokencode Mode Authentications th… Number of Views How long can an Agent wait to send a next tokencode or new pin message? Number of Views RSA SecurID end users setting their own PIN or next tokencode on a VPN connection Number of Views How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing on SecurID Authentication Manager … Number of Views New PIN and next Tokencode modes fail when dialing through a Cisco NAS Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
