The main symptom is a very slow login through the RSA Authentication Agent 7.3.3 and 7.4.x for Windows. After the user enters their passcode, it takes a long time for the Windows desktop to appear. If Windows Password is not enabled, the user is then prompted for their Windows password, after which it can still take up to five minutes until login finishes and the user can see the desktop. Sometimes the logon will time out and return the user to the passcode prompt.
If Windows agent verbose logging is enabled, you will see many of the following symptoms in the various logs.
2019-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged
2019-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded.
2019-02-24 19:35:27.971 3188.2624 [E] [CommonAuthenticator::isAutoRegistrationServiceInstalled] Unable to open auto registration service: error = 0x424
2019-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number =
2019-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3
2019-02-24 19:37:34.629 3188.2624 [V] [CommonAuthenticator::setWindowsPassword] Return
DASvcDpsLink::establishConnection( dpsPort=5580, dpsAddress=bb020a0a ) starts. [File:da_svc_dpslink.cpp Line:154 Family:DA_SVC ]
2019-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected starts [File:da_svc_dpslink.cpp Line:400 Family:DA_SVC_API ]
2019-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected there is no connection returning false
UserChallengeStateInfo::UserChallengeStateInfo() - Failed getting the dayfile directory from the re registry [File:challengedinfoserializedhashmap.cpp Line:19 Family:DA_SVC ]
RequestDispatcher:RequestHandler error
DaSvcNetworkListener::SetupNotifications nla failed
DaSvcServiceMain() - The DisableDAServicePolicy indicates that the DA Service is enabled, delete the registry key which AuthAPI uses to disable the DA Service. [File:da_svc_main.cpp Line:117 Family:DPS ]
2019-02-24 19:05:18.834 1276.1320 [I] deleteDAuthDisableKey()- RegDeleteKey failed, error=2
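The following Python script is an added example, not RSA code. It scans verbose agent log text for the two signs visible in the excerpts above: a long silent gap between consecutive entries that share the same ID field, and the AceSetLogonPW / "no connection" messages. Reading the second field (for example 3188.2624) as a process.thread ID and using a 60-second stall threshold are assumptions; the sample lines are copied from the excerpts above.

```python
import re
from datetime import datetime

# Sample input assembled from the log excerpts quoted in this article.
SAMPLE = """\
2019-02-24 19:35:27.924 3188.2624 [I] [LACAuthenticator::Authenticate] User is challenged
2019-02-24 19:35:27.971 3188.2624 [V] [CommonAuthenticator::initAceClient] SD_Init succeeded.
2019-02-24 19:35:29.983 3188.2624 [I] [CommonAuthenticator::getTokenSerialNumber] AceGetDAAuthData success: token serial number =
2019-02-24 19:37:34.629 3188.2624 [E] [CommonAuthenticator::setWindowsPassword] AceSetLogonPW failed: aceRet = 0x7d3
2019-02-21 20:48:44.114 1292.1520 [I] DASvcDpsLink::isConnected there is no connection returning false
"""

# timestamp, ID field (assumed to be process.thread), level, message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+\.\d+) \[(\w)\] (.*)$")
# Messages this article shows alongside the slow logon.
MARKERS = ("AceSetLogonPW failed", "isConnected there is no connection")

def analyze(text, stall_seconds=60):
    """Return (stalls, hits): per-ID gaps >= stall_seconds, and marker lines."""
    last = {}  # ID field -> (timestamp, message) of that ID's previous entry
    stalls, hits = [], []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # untimestamped or continuation line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        tid, msg = m.group(2), m.group(4)
        if tid in last:
            gap = (ts - last[tid][0]).total_seconds()
            if gap >= stall_seconds:
                # Record what ran before the silence and what ended it.
                stalls.append((tid, round(gap, 3), last[tid][1], msg))
        last[tid] = (ts, msg)
        if any(k in msg for k in MARKERS):
            hits.append((m.group(1), msg))
    return stalls, hits

if __name__ == "__main__":
    stalls, hits = analyze(SAMPLE)
    for tid, gap, before, after in stalls:
        print(f"{tid}: {gap}s stall\n  before: {before}\n  after:  {after}")
    for when, msg in hits:
        print(f"marker at {when}: {msg}")
```

On the sample, the only stall is the roughly two-minute gap between the AceGetDAAuthData success entry and the AceSetLogonPW failure.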
TCP port 5580 is blocked and/or Offline Authentication is not enabled on the RSA Authentication Manager server while the Offline Authentication local service is running on the Windows agent.
Windows Password Integration (WPI) requires that the offline authentication service be enabled on the RSA Authentication Manager server. If the agent's offline service is running but the Authentication Manager primary policy has not enabled Offline Authentication, the agent takes five minutes to log in and Windows Password Integration does not work.
You may need to install the latest RSA Authentication Agent 7.3.3 build 99 from 2018 or later. Also make sure TCP port 5580 is open from the agent to the server, or disable the offline service on the agent. Login will then take only 30 seconds.
If you need Windows Password Integration, do not disable the local offline service on the Windows agent. Leave it running and allow it to work by enabling Offline Authentication on the primary Authentication Manager server: log in to the Security Console and navigate to Authentication > Policies > Offline Policy. Both Offline Authentication and Windows Password Integration must be enabled in Authentication Manager.
As a workaround, disable Windows Password Integration, offline days and the Windows local offline authentication service to prevent the agent from attempting to contact the Authentication Manager server on port 5580.