When a user with a token in New PIN Mode tries to authenticate through a Citrix Access Gateway to RSA Authentication Manager 8.x, authentication fails even though the correct tokencode is entered and the PIN being created is compatible with the defined token policy that allows for a user-created PIN.
In the On-Demand Authentication (ODA) scenario, the user is not getting the email or SMS with the tokencode after entering the correct PIN. Below is a detailed description of the issue:
The user connects to the Citrix portal, and is prompted for his user ID, tokencode or PIN (if using ODA).
The user is asked to create a new PIN then prompted to re-enter the PIN.
Citrix responds that the new PIN has been accepted and to wait for the tokencode to change, then enter the new passcode (PIN + tokencode) and click Submit.
When the user enters the next passcode, an Access Denied message displays.
Citrix, the RSA Partner group and RSA Continuing Engineering all state that this behavior is how Citrix and ODA are designed to work.
The user should enter the new PIN that was just created at the prompt stating "PIN Accepted. Wait for token to change, then enter the new tokencode."
Below are several options to have this work
The securid.ini file that handles the messaging can be edited so that the steps users need to take are more clear. Editing this file will change the messaging seen by users to all RADIUS clients. Citrix article CTX124374 on how to modify the RSA token prompts displayed by NetScaler Gateway has information on how to make the required changes to the securid.ini directly on a Windows server. RSA Authentication Manager admins can make the change through the Operations Console using the steps below.
Login to the Operations Console.
Select Deployment Configuration > RADIUS Servers.
Click on the drop-down next to the RADIUS primary and choose Manage Server Files.
Click on the arrow next to the securid.ini file and select Edit.
Following the steps in the Citrix article above, edit the ExtInputNextCode value, the ExtOutputChange value or both. Note that there is a 255-character maximum for the message.
When done, click Save and Restart RADIUS Server.
Repeat steps 1 through 6 for any replicas in the deployment.
Refresh the Citrix webpage after setting the new PIN. The user can typically authenticate normally with the passcode (PIN+tokencode).
In the case of ODA, refreshing the page will trigger a new email or SMS that will be sent to the user.
Citrix has raised a defect for this issue (TSK0534888). If the customer is not satisfied with the workarounds provided, we recommend opening a ticket with Citrix support.