JamesKillilea (Customer) asked a question.

How do I configure my RSA appliance to only ask for a PIN and tokencode (passcode) for my users? Currently they have to put in their AD password, then authenticate with their tokens.

  • @JamesKillilea,

     

    It isn't the Authentication Manager appliance that you need to configure. It is the agent through which your end users authenticate. What device are your users using for authentication (PAM agent, Windows agent, a VPN, etc.)?

  • JamesKillilea (Customer)

    Erica,

     

    I believe we're using the Windows agent. I've tried going into Group Policy and editing it, but it never takes. Am I going to the right place?

  • @JamesKillilea (Customer),

     

    Thank you for that information. I think what you need is Windows Password Integration (WPI). WPI stores the AD password so it can be played to the OS on subsequent authentication attempts.

     

    To enable WPI,

    1. Login to the Security Console.
    2. Navigate to Authentication > Policies > Offline Authentication Policies.
    3. Click on the context menu for the policy that you want to edit.
    4. Check the box for enabling Windows Password Integration.
    5. Click Save.

     

    Now that WPI is enabled, a user would authenticate through the agent and be prompted for their AD password. The user submits the password and it is stored in the Authentication Manager database. The next time that user authenticates, they enter their user ID and passcode. The server authenticates the user, then submits the AD password for authorization, and the user has a successful authentication.

     

    If the user's AD password is changed, the same process happens, but the agent will prompt for a password, which is then sent to the Authentication Manager database, where it is again stored for the next authentication.

  • JamesKillilea (Customer)

    Erica,

     

    So I've enabled WPI and all it seems to have done is reverse the order in which I authenticate. Where I used to put in my password first, then my RSA tokencode, I now do the tokencode then password. Do I have something else enabled or configured that I shouldn't? Do I need to run a GP update?

     

    The goal is to only use the RSA tokencode and PIN. A lot of my users are older than 55 and our MFA requirement is met by only using the tokencode and PIN. What you have and what you know. I apologize if my initial question wasn't very concise.

    • @JamesKillilea (Customer),

       

      Hey, a lot of us olds are just as tech savvy as you millennials and Gen Z! 😉 😂😂😂

       

      On authentication attempt one, are you submitting your AD password? If you then do a subsequent authentication, are you prompted to submit your AD password again? If so, then WPI is not working as expected.

       

      Please open a case with technical support to speak with someone who can review your logs and assist with resolving the issue.

  • JamesKillilea (Customer)

    😂 😅 I wish that my older colleagues would get with the program.

     

    Attempt one I'm submitting my tokencode and PIN, then am queried for the AD password. So it's just reversed the order in which I'm asked for information.

     

    I will open a tech support case then.

     

    Thank you so much for your time Erica! - James

    • Not all Boomers and Gen X are running out and purchasing Apple gift cards! 😄

       

      Enable logging on the agent through the RSA Control Center under Advanced Tools > Tracing. Select the all components option. Edit the destination location for the file if you want.

       

      I'd also enable verbose logging in the Security Console (Setup > System Settings > Logging) and run your test again. You can then download those logs from the Operations Console and supply them to the TSE also with the agent logs.

  • JamesKillilea (Customer)

    Erica,

     

    Now I get to be the silly millennial! I gave you incorrect information and I'm not sure if it affects the problem or the solution to said problem. I am not running RSA Authentication Agent 7.4.6. I am running RSA MFA Agent for MS Windows 2.2.1.175.

     

    Does the type of authentication manager matter for WPI? Am I even using the correct authenticator?

     

    How do I tell RSA you're their best employee?

     

    - James

    • @JamesKillilea (Customer),

       

      It took my elderly self an extra minute to gather some additional information.

       

      We didn't talk about it, but WPI support requires that your Authentication Manager servers are using at least 8.7 SP1. Please upgrade as appropriate. Downloads are available at https://community.rsa.com/s/all-downloads/rsa-securid-downloads. Note the banner on the page that reads, "You must upgrade RSA Authentication Manager to version 8.7 SP1 before installing SP1 Patch 2. To fix the PostgreSQL database reindexing issue in 8.7 SP1, RSA recommends customer then apply AM 8.7 SP1 Patch 1 Hotfix 1 before installing SP1 Patch 2."

       

      For your MFA agent, you will want to install MFA Agent 2.3 hotfix 1. This addresses several WPI issues. There is also a banner for the MFA agent on the Download that reads, "RSA has recently identified a defect in a limited use case scenario of RSA MFA Agent for Windows 2.3 and 2.2.x, which could potentially impact the operation of user's authentication. RSA recommends to customers who have deployed RSA MFA Agent for Windows 2.3 and 2.2.x to apply a Hotfix upgrade 2.3 HF1. To get access to the Hotfix, please contact RSA Support. When you contact support, cite internal knowledge article 000071708."

       

      Finally, for the comment that you made about the option for AD password and passcode being switched, there is a GPO setting to switch that display order. Take a look at the information on "Prompt for Password After Multifactor Authentication," documented on page 52 of the RSA MFA Agent 2.3 for Microsoft Windows Group Policy Object Template Guide.

       

      I am now off to find an early bird dinner . . .
