cannot login after installing and testing windows agent on PC
I have installed th authentication manager and also added an agent on the server from a PC. After installing the Windows agent and configuring it, i tested the connectivity to the AM and it was successful. however, when i try to login with the passcode and token, it gives me no particular error but just returns to the login page. I also noticed another thing that is it duplicates the name account login (one will have normal windows sign on logo and the other will have RSA logo). something like this.
- Auth Agent
- Authentication Agent
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
When you try to authenticate with the new agent, are you seeing any failed authentication messages on the RSA Authentication Manager server? To do so, please read View Messages in the Activity Monitor. Messages here can help identify why authentication is failing.
When you set up the agent, do you recall setting up a challenge group for users? If so, what users are being challenged? See page 28 of the RSA Authentication Agent 7.4 for Microsoft Windows Group Policy Object Template Guide (English) for more information.
Thanks. the thing is no message shows up. it just goes back to the normal screen for logon. on the AM activity monitor, it shows successfully authenticated.
If you see successful Passcode authentication in the RSA Security Console Real Time Authentication Monitor, RTM then the passcode and userID were sent from the agent to Authentication Manager, AM. This means there's probably another Credential Provider, CP that gets displayed or invoked - normal agent installation should make it that the RSA SecurID CP is the only one invoked. You'll probably need verbose logs from the RSA Windows agent,
have a look at the CredentialProviderFilter(LogonUI).log or other CredentialProviderFilter(*).logs to see which Credential Providers are getting displayed. You may need to check the App, Security and System Windows Event logs too. It sounds like a second CP is not being successfully navigated, so should not be displayed here. The Windows agent might actually indicate which second CP is involved here, it's name might be in the (parentheses) after the CredentialProviderFilter part of the log name, e.g. CredentialProviderFilter(consent).log can be related to the consent application part of RDP.
For security purposes we never provide a message on the agent itself as to why authentication failed. All messages about the success or failure of an authentication attempt are shown only in the authentication activity reports on the server.
Like Jay Guillette suggested, review the logs to see which other credential providers are displayed.
has an example of using gpedit to filter or display various Credential Providers
Thanks for this. The thing is i have done this installation on another system on the same network and it works well. I challenged all users.
I was wondering if there is a setting i must have gone wrong. is there any documentation that shows how to install the agent and the configuration that needs to be done on the AM. just in case i am forgetting something. cos the other system works perfectly well.
You might run gpedit on each Windows machine to compare the Credential Provider filters of the one that works fine with challenge all and the one that challenges with the RSA Credential Provider, but then another CP tags along - that is the CP that probably needs to be filtered.
how do i filter? so i found that the credential filters on both systems contain 2 credientials. RSA and A generic one.
however, the last logon credential on the working system, is termed SIDcredentialprovider in Windows while the one for the system that is not working is showing a generic credential.
DO i have to force the system to use RSA and how do i do that. although there must be a one time way to do this, rather than forcing the change from the registry.
You might need to disable the generic CP on the non-working system, or exclude.
See what the Working system has SIDcredentialprovider set to; disabled or NOT filtered/excluded, and try the same on non-working system.