Why am I getting an "Agent Integration Error" message when logging in to RSA Link or myRSA?
RSA Product Set: RSA Link (community.rsa.com), myRSA (my.rsa.com) Platform: Google Chrome, Microsoft Internet Explorer, Microsoft Edge, Mozilla Firefox
On occasion, RSA Link users will see an “Agent Integration Error” message on their browser after successfully authenticating to RSA Link or myRSA.
In most cases, the Agent Integration Error is caused by a problem on the user’s side. Something in their network (incorrect configuration on a web proxy, etc.) may be interfering with the secure connection. RSA does not have any visibility into the user’s system and therefore will not be able to pinpoint the cause of the issue.
If the user tries Firefox, they may see a Firefox error “connection not secure”, which can be caused by several things. While it can be caused by a problem on the RSA Link side (like the error says), this is usually not the case and generally the cause is the same network-related issue as with the IE and Chrome failures.
This can be verified by the user accessing RSA Link (https://community.rsa.com) from a machine outside their company’s network. If it works then it can be concluded the issue is something within the company’s environment for that user. They would then need to work with their internal IT department to troubleshoot the issue.
RSA Link Login Process
The steps below describe the login process for RSA Link.
After the user successfully authenticates, the system redirects them back to the original URL from Step 1 and the user arrives at the desired website.
The Agent Integration Error indicates that the 3rd step encountered an issue. The user did log in successfully (credentials were verified) but the redirect to the RSA website has failed. In every case that has been reported thus far, this failure was caused by a problem on the user’s side.
Browser cache issues can potentially interfere with the redirect. This is easily resolved by clearing the cache and cookies. The keyboard shortcut Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac) is used to access the cache options in most browsers.
The user's network security settings may be interfering. If they have restricted the RSA URL then this will block the redirect process. Other issues have also been seen where the user's web proxy has been incorrectly configured -- or at least in a way that prevents the redirect from completing successfully.
This last example (network configuration issue) seems to be the most common. Users can verify it by accessing the RSA Link website from outside their company’s network. If it works properly from outside then this confirms that the problem is somewhere within their network.
It is important to note that the redirect only occurs on the user's end and therefore no logs are captured by RSA to report the issue. RSA has no systemic visibility into these failures and is unable to detect when they are experienced by users.
In order to resolve the networking issue that results in the Agent Integration Error, the user should contact his or her IT service desk and request that the network security team whitelist the rsasecurity.com and rsa.com domains so that traffic for the authentication process will be uninterrupted.
A workaround exists which will allow the user to log in while their IT department troubleshoot the root issue. This workaround is to log on by using the Need to Token Authenticate? link on the login page.
The token authentication process does not use the automatic redirect and therefore the user will not be affected by the "Agent Integration Error" issue.
There are two options for using this token process:
The user can log in with their On-Demand Authentication (ODA) credentials, entering their ODA PIN into the Passcode field. This will trigger an SMS text message to be sent to the user's mobile phone with a tokencode, which can then be used to complete the authentication and enter the website. If the user hasn't yet set up On-Demand Authentication (ODA), they can do so in the RSA Self-Service Console.
If the user is unable or unwilling to use On-Demand Authentication (ODA) then they can request an RSA SecurID token instead. RSA would need to manually assign and shop a hardware token to them. Once they receive it, they can follow the standard RSA SecurID authentication process to log in. (i.e. The user will click on the "Need to Token Authenticate?" link mentioned above.) In this situation, the user must provide their office address for the shipment. (RSA cannot ship to home addresses or post office boxes.)