Why do I have to authenticate 3 times?
I have a configuration question regarding the RSA Authentication Manager v7.3.3 I just installed on a Windows 2008 R2 server. I did not install the GPO templates. I configured the Authentication Manager to require 2-factor authentication for a specific group of users. When I log in to the server via RDP as a member of that group, I have to authenticate 3 times: first with Windows credentials, then my RSA passcode, then my Windows password again. Ideally, I would like to log in using only my username and RSA passcode. Is this possible? If so, what configuration parameter did I miss?
Thank you in advance for your help.
I have moved this thread to the https://community.rsa.com/community/products/securid?sr=search&searchId=ddb326d3-30e6-42d1-b2c6-a24853ed9aca&searchIndex=0 page so you can get an answer to your question.
In the old days, the Microsoft RDP login mechanism allowed that. With the new way Microsoft runs RDP and credential manager logins, there is not yet a way that I am aware of to avoid using the Windows password twice.
Let me add to this... Windows password integration may help (depending on your setup and 'flow').
The second Windows password at the RDP destination might be captured by the RSA Windows agent on that machine, stored on the RSA server, and replayed the next time. So, if you do enable Windows password integration, in some setups you can hide the fact that a Windows password is needed, if the agent can fetch the stored copy and replay it for the login you are facing. This works to alleviate the need to type in the Windows password, but it may or may not work for your particular setup and 'chain of login events'. But if you are not using it now, enabling it might help. It will need to ask for the Windows password once to capture it; then the next time around, it might allow you through with just the token passcode while it replays the Windows password silently in the background for you.
You could take a look at https://community.rsa.com/message/895107?commentID=895107#comment-895107 to get a sense of what Windows 10 is doing, how the AM agent currently handles this, and why in some cases you can have three prompts.
Basically, we are adding every app you might use or 'Run As' to the GPO or Registry, in order to tell Windows not to prompt for step-up on access just because the RSA Credential Provider is on the platform.