GE (Customer) asked a question.

Does anyone have any slowness issues with RSA MFA Agent version 2.3.5? Does anyone also get asked to enter the Windows password even though OTP should be the only available option?

Hi, we have a few testers that upgraded from the old RSA Authentication client 7.4.2 to the new RSA MFA agent 2.3.5. We also upgraded our AM server to 8.7 SP1. Right off the bat, we have noticed a significant delay when signing into our machines. So with this new RSA MFA agent, the logon window transitions to a new RSA splash screen where you enter OTP credentials. This is fine, but the transition takes anywhere from 8 - 15 seconds to get to that splash screen. Whereas before, with the RSA Authentication client 7.4.2, it was an immediate logon after OTP credentials - no waiting! Is this normal now that we have the RSA MFA agent? Has anyone else experienced excruciatingly long logon times?

 

And sometimes, very randomly, after entering OTP from my mobile device for logon, my machine will also ask for my Windows credentials. Has anyone experienced this? We have checked and triple checked our GPO and all settings are properly set.


  • JohnRutan (Customer)

    We've noticed the random password requests with the MFA Agents, but we've also noticed that the MFA Agents were significantly faster, in our environment, than the legacy SecurID Agents.

  • GregBrennfleck (Customer)

    On my 2022 servers I get the user name/password prompt for about 10 seconds before going to the RSA token screen. Not sure how to get rid of that.

    • DaleUnroe-EMS (Electronic Merchant Systems)

      seeing same 10 second delay with an unexpected odd "Unknown User" login screen appearance prior to the eventual presentation of the RSA Auth screen - no interaction is done with the intermediate screen and it goes away on its own

  • DaleUnroe-EMS (Electronic Merchant Systems)

    yes, and I've got an open support case for just this undesired behavior - we haven't yet fully rolled out the MFA (v2.3.5.181) to replace the RSA Authentication Agents - testing issues like this are keeping us from moving forward to MFA - this feels like a significant downgrade in functional agility and users need predictable experiences ...hoping support identifies root cause and sorts this out

    WinSvr2022

    RSA AM v8.7 SP2 Patch3

    MFA agent 2.3.5.181

  • DaleUnroe-EMS (Electronic Merchant Systems)

    After implementing this single GPO setting change we eliminated a great deal of the delay. RSA Support engineer, Saif, found repeated log info regarding location info collection and this was the clue that led to the solution. Under the Computer Configuration->Administrative Templates->RSA Desktop -> RSA SecurID Access Settings policy, set the "Collect system attribute for Cloud Authentication Service access policy" to Disabled.

     

    My company doesn't use a CAS in our architecture and so this seemed not applicable. Consequently it was left "not configured". Unfortunately this GPO setting is designed that the default behavior has the agent attempt to collect and send IP address and longitude and latitude data to a CAS. This effort causes the delay. Support submitted to alter this default in the future ...but for now you have to implicitly set it to Disabled.

    • SergioMartinez (Customer)

      I can confirm the changes you recommend do the trick.

      I set to disable: "Collect system attribute for Cloud Authentication Service access policy"

      Under: Computer Configuration->Administrative Templates->RSA Desktop >> RSA Settings >> Collect system attribute for Cloud Authentication Service access policy.

       

      Thanks

    • GregBrennfleck (Customer)

      That did not work for me. I get a grayed out log in prompt for about 10 seconds then the RSA token screen.

    • DaleUnroe-EMS (Electronic Merchant Systems)

      after implementing this change and confirming through rsop.msc that the GPO setting was in fact applying to the target server, I ran the RSA MFA Agent Test Auth tool ...the RSA login screen appeared nearly instantaneously - when RDP connections were made I still see a 2-3 second delay ...much improved from 8-12 seconds as it was before.

       

      I'm continuing the case to work towards getting the MFA Agent newly introduced 2-3 second delay reduced as this is a process impact that our company isn't ready to live with. The RDS users will have strong emotional reactions to installing software that produces a delay in their workflow activity that wasn't there before ...they use RSA logins frequently throughout the day.

  • GE (Customer)

    Hey all! Thanks for the help here! After several tech support calls and attempts to fix this, we've found a pretty solid GPO configuration that helps with this slowness. I'm going to call out the important GPO options that really affected us.

    1. RSA Desktop --> Local Authentication Settings --> RSA Challenge Group
      1. The challenge group MUST be <domain>\<groupname>
      2. It CANNOT reference a local group with .\ as this slows down login tremendously
    2. RSA Desktop --> Local Authentication Settings --> Specify logging options
      1. Disabled
      2. Any logging options that are enabled slow down login as well so we've disabled them outright
    3. RSA Desktop --> RSA Settings --> Specify retry count
      1. Disabled
    4. RSA Desktop --> RSA Settings --> Specify RSA timeout
      1. Enabled: 1 second
    5. RSA Desktop --> RSA Settings --> Collect system attributes for CAS access policy
      1. Disabled

    This combination, outside of whatever else you need configured, is a pretty solid setup to help with slow logins.

    • DaleUnroe-EMS (Electronic Merchant Systems)

      all of these do seem to be helpful - I've also added the weighted Round Robin authentication setting

      after implementing every above setting through local group policy and testing - my delay is still several seconds - which is unfortunate
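
The posts above turn on whether each RSA policy is actually applied; a setting left "not configured" falls back to the agent default. As an added example (not from any poster or from RSA), this PowerShell sketch reads the computer-scope RSoP report and compares it with the states recommended in the thread. It assumes the RSA ADMX template is available so `gpresult` lists the policies by display name, and that the challenge group policy shows as Enabled when a group is set; the name fragments are taken from the posts.

```powershell
# Added example: audit computer-scope RSoP for the RSA agent policies named in this thread.
# Assumption: the RSA ADMX template is available, so gpresult lists them by display name.
$report = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult.exe /scope computer /x $report /f | Out-Null   # needs an elevated prompt
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)

# Display-name fragment (as written in the posts) -> state the posters recommend.
# 'Enabled' for the challenge group is an assumption: the post only requires <domain>\<groupname>.
$expected = [ordered]@{
    'Collect system attribute' = 'Disabled'
    'Specify logging options'  = 'Disabled'
    'Specify retry count'      = 'Disabled'
    'Specify RSA timeout'      = 'Enabled'
    'Challenge Group'          = 'Enabled'
}

# local-name() sidesteps the per-extension XML namespaces in the gpresult report.
$policies = foreach ($node in $rsop.SelectNodes("//*[local-name()='Policy']")) {
    $name  = $node.SelectSingleNode("*[local-name()='Name']")
    $state = $node.SelectSingleNode("*[local-name()='State']")
    if ($name -and $state) {
        [pscustomobject]@{ Name = $name.InnerText; State = $state.InnerText; Text = $node.InnerText }
    }
}

foreach ($fragment in $expected.Keys) {
    $hit = $policies | Where-Object { $_.Name -like "*$fragment*" } | Select-Object -First 1
    # A policy absent from the report is "Not Configured", so the agent default applies.
    $actual = if ($hit) { $hit.State } else { 'Not Configured' }
    $note = ''
    # Flag a challenge group written with the local .\ prefix, which the thread reports as slow.
    if ($hit -and $fragment -eq 'Challenge Group' -and $hit.Text -match '\.\\') {
        $note = 'references a local (.\) group'
    }
    [pscustomobject]@{
        Policy   = $fragment
        Expected = $expected[$fragment]
        Actual   = $actual
        Ok       = ($actual -eq $expected[$fragment]) -and -not $note
        Note     = $note
    }
}
```

Any row with `Actual` of `Not Configured` is a policy the report does not list at all, which is the state the "Collect system attribute" setting was in before the fix described above.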
