Windows 7.2.1 agent lockout
I am trying to install the latest Windows agent (7.2.1) on Win2012R2 and set it to challenge all users and am locked out. It appears the node secret was not set prior to a reboot and now the authentication is failing. Is there any way I can remove the strong authentication prompt or at least add the normal MS windows credentials back to the logon options?
Booting into Safe mode in Windows is easiest. Or maybe Emergency access. Once in, you should do at least 2 successful Test Authentications from the RSA Control Center - this creates the node secret and proves that the node secret can be read. Sometimes UAC prevents the node secret from being written in Windows.
We are just restoring the backup from yesterday. They are test servers anyway. Here is a second question based on this scenario. Our users have two different accounts from two different domains. The RSA dialog box allows a user to enter his one account (with the token assigned). Then the Windows password for the same account is required. Unfortunately the account with server rights to log in is not the same as the account with the token assigned. Can we drop the Integrated Windows Authentication (assuming here) that is passing the account username from the RSA dialog to the Windows dialog?
Auth Manager is not generally concerned with Domains, just UserIDs (typically SamAccountNames), and Windows Password integration is designed to store a Windows Password (actually an MD5 hash of it) for a particular user in our AM database in order to provide this as a kind of SSO with Windows AD. It is not required, but can be configured by Policy (offline policy - yeah, go figure!).
Some customers will configure an Authentication Manager Alias to an Account, so that both Windows Accounts could use the same token, but of course their Windows Passwords would conflict. It sounds like you just need to not use Windows Password integration.
You might try to get creative: assign an alias to the UserID with the token that is the other AD account, and try to have just one of these accounts store their Windows Password - but that might be a little too creative.
I will check into the alias idea. That may help us, but if we could disable the integrated Windows auth at the agent that would be easier, I think.
Can we do this? How do we disable Windows password integration? That may also be an option.