If you receive an error that is related to the RSA SecurID Authenticate Tokencodeintegration, perform the tasks listed in the following table.
General Integration Issues
Existing RSA Authentication Manager users are unable to authenticate with the RSA SecurID Authenticate app.
If a node secret is not available on the authentication agent, existing Authentication Manager users are unable to authenticate, but an error message is not displayed. For more information, see the solution that is described below.
An error message states that the node secret is not available on the authentication agent.
The node secret encrypts communication between an authentication agent and Authentication Manager.
In a new deployment, Authentication Manager automatically creates and sends the node secret to the authentication agent in response to the first successful authentication on the agent.
In an existing deployment, you might need to refresh the node secret when an administrator has cleared the node secret on both an authentication agent and the Authentication Manager instance.
You can use the Node Secret Load Utility to resolve any issues. For instructions, see the Authentication Manager Help topic Refresh the Node Secret .
Authentication fails intermittently when Authentication Manager is configured to send RSA SecurID Authenticate Tokencodes to an SSO Agent trusted realm.
In this configuration, any changes in the Cloud Authentication Service deployment require updates in Authentication Manager. For example, you can provide Authentication Manager with the updated hostname or IP address used by the RSA SecurID Access identity router. For instructions, see Repair an RSA SecurID Access Trusted Realm.
Time-based RSA SecurID tokencode and Authenticate Tokencode authentication fails, even though users are entering the correct information.
The time difference between the RSA Authentication Manager instance and the identity router is greater than 50 seconds. Make sure the RSA Authentication Manager instances and identity routers synchronize the time against the same Network Time Protocol (NTP) server.
On each RSA Authentication Manager primary or replica instance, log on to the Operations Console and select Administration > Date & Time.
To change the time on the RSA SecurID Access identity router, contact your Cloud Authentication Service administrator.
The connection between Authentication Manager and the Cloud Authentication Service repeatedly times out.
Users cannot be found in the RSA SecurID Access trusted realm.
Contact your RSA SecurID Access administrator.
The Cloud Authentication Service administrator might need to synchronize the identity source with the Cloud Authentication Service. For instructions, see the RSA SecurID AccessSSO AgentSetup and Configuration Guide.
A user who exists in an RSA SecurID Access identity source cannot authenticate with an Authenticate Tokencode.
Ask the user to authenticate again. If authentication continues to fail, then contact your Cloud Authentication Service administrator.
Cloud Authentication Service Issues When Using SecurID Authentication
Authentication fails intermittently when RSA SecurID is used as an authentication method to protect SaaS and on-premise web applications.
Authentication can fail if the static route between Authentication Manager and the SSO Agent needs to be updated. For example, update the static route if a new Authentication Manager replica instance is added, an existing Authentication Manager primary or replica instance has a new IP address, or the hostname of the identity router changes.