I opened a case with RSA and spent a few hours on the phone.

We verified on the agent logging that WPI (Which you can search for in the log) was enabled was failing to fetch the password.

We tried setting after setting with no luck. (Click Expand to Read More)

At one point I had tested manually adding a agent with a machine name (FQDN) and IP. This is what we used for testing. When it seemed like we got nowhere I was fiddling with things and re-enabled the policy that gave all the agents the same name and re-created the agent on the Security Console for that generic name.

This caused it to work again? The Technician mentioned that I may have been in the wrong for giving the agent name a IP in the earlier test. Not sure.

I am slowly rolling this out as we speak and the Windows Password Integration (WPI) does appear to be working.

Some other notes:

-WPI Is enabled on the Appliance (Authentication->Offline Authentication Policy). I did enable both the WPI and Offline Authentication. Previous Version did not need Offline Authentication

-The account that "Joins" the RSA Appliance to my AD Domain does not have admin privileges to the domain. Only Read rights. (RSA If you are reading this please update your documentation to state what permissions the appliance actually needs. I only found references to "Consult your windows admin".

-I am not using the cloud authentication products.

All,

If you've not already, please try:

• Run gpupdate /force on the MFA machine, then review the SIDAccessCredentialsProvider(loginUI).log again for that Enable WPI status flag. If you see it is now True, try authenticating through the agent again.
• Is the MFA agent in a security domain that has WPI enabled in the Offline Policy applied to the security domain?