This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
DennisRobare
Beginner
Beginner
‎2016-04-18 01:08 PM

windows 7.2.1 agent lockout

Hello,

 

I am trying to install the latest Windows agent (7.2.1) on Win2012R2 and set it to challenge all users and am locked out. It appears the node secret was not set prior to a reboot and now the authentication is failing. Is there any way I can remove the strong authentication prompt or at least add the normal MS windows credentials back to the logon options?

 

Thanks,


Dennis

0 Likes
Reply
6 Replies
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
‎2016-04-18 01:19 PM

Boot Safe mode in Windows is easiest.  Or maybe Emergency access.  once in you should do at least 2 successful Test Authentications from the RSA Control Center - this creates the node secret and proves that the node secret can be read.  sometime UAC prevents the node secret from being written in Windows.

0 Likes
Reply
DennisRobare
Beginner
Beginner
In response to JayGuillette
‎2016-04-18 03:43 PM

Thanks Jay,

 

We are just restoring the backup from yesterday. They are test servers anyways. Here is a second question based on this scenario. Our users have two different accounts from two different domains. The RSA dialog box allows a user to enter his one account (with token assigned). Then the windows password for the same account is required. Unfortunately the account with server rights to login is not the same as the account with the token assigned. Can we drop the Integrated Windows Authentication (assuming here) that is passing the account username from the RSA dialog to the windows dialog?

 

Thanks,

 

Dennis

0 Likes
Reply
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
In response to DennisRobare
‎2016-04-18 03:53 PM

Dennis,

Auth Manager is not generally concerned with Domains, just UserIDs (typically SamAccountNames), and Windows Password integration is designed to store a Windows Password (actually an MD5 hash of) for a particular user in our AM database in order to provide this as a kind of SSO with Windows AD.  It is not required, but can be configured by Policy (offline policy - yeah go figure!)

Some customers will configure an Authentication Manager Alias to an Account, so that both Windows Accounts could use the same token, but of course their Windows Passwords would conflict.  sounds like you just need to not use Windows Password integration

0 Likes
Reply
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
‎2016-04-18 03:55 PM

You might try to get creative, assign an alias to the UserID with the token, that is the other AD account, and try to have just one of these accounts store their Windows Password - but that might be a little too creative

0 Likes
Reply
DennisRobare
Beginner
Beginner
In response to JayGuillette
‎2016-04-18 03:58 PM

Hey Jay,

 

I will check into the alias idea. That may help us, but if we could disable the integrated window auth at the agent that would be easier I think.

 

Can we do this? How do we disable windows password integration? That may also be an option.

 

Thanks,

 

Dennis

0 Likes
Reply
DennisRobare
Beginner
Beginner
In response to JayGuillette
‎2016-04-19 07:34 AM

Thanks, I will see what I can do.

 

Dennis

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.