SecurID^® Discussions

Thanks. the thing is no message shows up. it just goes back to the normal screen for logon. on the AM activity monitor, it shows successfully authenticated. 

If you see successful Passcode authentication in the RSA Security Console Real Time Authentication Monitor, RTM then the passcode and userID were sent from the agent to Authentication Manager, AM.  This means there's probably another Credential Provider, CP that gets displayed or invoked - normal agent installation should make it that the RSA SecurID CP is the only one invoked.  You'll probably need verbose logs from the RSA Windows agent,

have a look at the CredentialProviderFilter(LogonUI).log or other CredentialProviderFilter(*).logs to see which Credential Providers are getting displayed.  You may need to check the App, Security and System Windows Event logs too.  It sounds like a second CP is not being successfully navigated, so should not be displayed here.  The Windows agent might actually indicate which second CP is involved here, it's name might be in the (parentheses) after the CredentialProviderFilter part of the log name, e.g. CredentialProviderFilter(consent).log can be related to the consent application part of RDP.

Tunde Sholanke‌,

For security purposes we never provide a message on the agent itself as to why authentication failed.  All messages about the success or failure of an authentication attempt are shown only in the authentication activity reports on the server.

Like Jay Guillette‌ suggested, review the logs to see which other credential providers are displayed.

Regards,
Erica

000012084 - RSA SecurID prompt does not appear when connecting with Remote Desktop Protocol RDP on Windows Server 2012 w… 

has an example of using gpedit to filter or display various Credential Providers

Thanks for this. The thing is i have done this installation on another system on the same network and it works well. I challenged all users. 

I was wondering if there is a setting i must have gone wrong. is there any documentation that shows how to install the agent and the configuration that needs to be done on the AM. just in case i am forgetting something. cos the other system works perfectly well. 

You might run gpedit on each Windows machine to compare the Credential Provider filters of the one that works fine with challenge all and the one that challenges with the RSA Credential Provider, but then another CP tags along - that is the CP that probably needs to be filtered.

how do i filter? so i found that the credential filters on both systems contain 2 credientials. RSA and A generic one. 

however, the last logon credential on the working system, is termed SIDcredentialprovider in Windows while the one for the system that is not working is showing a generic credential. 

DO i have to force the system to use RSA and how do i do that. although there must be a one time way to do this, rather than forcing the change from the registry. 

You might need to disable the generic CP on the non-working system, or exclude.

See what the Working system has SIDcredentialprovider set to; disabled or NOT filtered/excluded, and try the same on non-working system.