This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
JamesFreid
Beginner
Beginner
‎2021-01-27 02:07 PM

Windows Password not syncing

We have Windows Agent 7.4 and it prompts for Windows Password after using SecureID everytime even though the only Offline Authentication Policy has Windows password integration enabled .

 

in the AuthFW log there is an entry - Unable to set Windows Password on LACAuthenticator - error = 0xd

 

Cant seem to get rid of Windows asking for a password.

Labels (1)
Labels
0 Likes
Reply
8 Replies
JayGuillette
Contributor Contributor
Contributor
‎2021-01-27 02:40 PM

Go to the user in the Security Console, from the drop down and View Associated Policies.

SC-Identity-Users-AssociatedPolicies.png

Make sure the user really does have the Offline Policy with Windows Password Integration enabled.

 

If the Policy is associated to the user and is enabled for Windows Password Integration, next you want to look at the Authentication Settings for this same user, to see if the Windows Password for this user has been cached, which means that AM has learned the User Windows Password and can present it to Windows during Windows Authentication Agent logon (after the Passcode).

SC-Identity-Users-AuthSettings.png

 

So if there is more than one Offline Policy, you have to make sure the right policy applies to this particular user, AND if that is true, next you need to see if AM has learned that Windows Password, which would be true if you can clear it from the User's Authentication Settings.  If the Clear cached copy of selected user's Windows credentials is grayed out, and you cannot check the box, that means there is not a cached copy of this Password, and if that is the case, then there is some problem either with TCP ports like 5580 being blocked between the agent and the AM servers.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to JayGuillette
‎2021-01-27 02:48 PM

One thing to check, if this user login is an Alias, there will be 'contention' between the Windows Password for the real userID and the Alias UserID.

An Alias is a way for a person with two UserIDs, e.g. joe and joeAdmin to share a single token, by making one UserID the 'real' userID and the other to be an Alias of that real user ID

https://community.rsa.com/docs/DOC-46943 

0 Likes
Reply
JamesFreid
Beginner
Beginner
In response to JayGuillette
‎2021-01-27 02:58 PM

Thanks for the response...

 

It looks like my settings are correct.  My screens are a bit different but everything checks out. I have the Clear cached copy check box and the Policy is applied with the setting.  But it still prompts me for the windows password.

 

One think to note. Our original Security domain has our user ids with the @domain in them and that userid has the SecureID assigned to it. That userid didnt work on Windows. We created another sync group to add as an alias to the userid@domain that didnt have the @domain in the username field.

 

IDK if that makes sense.  But my user id that has the token ends in @domain and has an alias that doesnt but is part of its own User Group.  We might not be doing that right but it allows me to login to Windows. lol

0 Likes
Reply
JamesFreid
Beginner
Beginner
In response to JayGuillette
‎2021-01-27 03:16 PM

Well...we responded at the same time.LOL So now Im thinking we have the alias setup wrong somehow (or it just cant be easy).  The userid with the @domain in it (the original synch from AD) will not allow me to login to Windows.  I was playing around with Aliases when another admin suggested creating another identity source from AD and attach it my userid@domain as an alias. 

 

We are trying to make the administration of this as simple as possible...avoiding having to go into each Windows Authentication Agent and manually adding the aliases.

 

So how do people manage userids that only work on some machines when they have the @domain in them and other machines that cant have that in the userid?  Is there a slick setup with no extra manual intervention for that?  We will be adding lots of Windows machines soon so trying to keep it easy.  They are set to auto register so we were hoping the rest would be automatic as well.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
‎2021-01-27 04:16 PM

The symptom "Unable to set Windows Password on LACAuthenticator - error = 0xd" indicates an alias problem with the windows Password.  You might need to open a support case to investigate further. This investigation might include running SQL queries to see if the two UserIDs, the UPN and the SamAccountName (the one with the @domain and the one without) to see if there are two and if they both point to the same ObjectGUID.  The ObjectGUID is stored as a field called exuid, so that every time that UserID is looked up in the AM Security Console or an Authentication.

 

SELECT loginuid, exuid, authenticator_bit_flags FROM rsa_rep.IMS_PRINCIPAL_DATA ipd
WHERE authenticator_bit_flags IS NOT NULL;

or for one userID
SELECT loginuid, exuid, authenticator_bit_flags FROM rsa_rep.IMS_PRINCIPAL_DATA ipd
WHERE loginuid = "<userID>";

Reply
JamesFreid
Beginner
Beginner
In response to JayGuillette
‎2021-01-28 01:13 PM

Thanks for the help.  I definitely think there is alias conflict. We have opened a ticket to figure out how we should be doing this.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to JamesFreid
‎2021-01-28 02:40 PM

Yeah, you are going to have to get into the weeds on this one.

If there is anything you can share after solving this, post it back here.  Thanks.

0 Likes
Reply
JamesFreid
Beginner
Beginner
In response to JayGuillette
a month ago

Here is the solution I found....  

https://community.rsa.com/docs/DOC-46951

 

Towards the bottom - Domain Name Mapping was the key.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.