SecurID® Discussions
Mikey
Contributor

Cannot login as local Administrator with RSA AM Agent for Windows 7.4.3

Our agents are set up to work with hardware tokens.

With 7.3.3 on Windows 7, no problem logging in as local administrator using the name (.\administrator) and password.

But with Windows 10 and agent 7.4.3, login as local administrator always fails with a brief 'Authentication failure' error message.

My tests show that if the agent is uninstalled, local Administrator login works immediately; but if the agent is installed back, local logins fail again.

This shouldn't be happening, but I cannot find similar issues after searching around. Appreciate any help on this.

0 Likes
9 Replies
JayGuillette
Apprised Contributor

Mike,

You might need a support case to get to the bottom of this problem, but in general terms you would enable verbose logging either in RSA Control Center (screenshot: verbose_all.png) or GPO.

It's best to select all logs, but what you would look at in general would be:

- SIDAuthenticator(LoginUI).log for challenge, to determine if the local admin was challenged or not, and if challenged, did they successfully authenticate.

There can be other versions of the SIDAuthenticator( ).log with whatever is in parentheses being the app using SecurID. Sometimes you are just trying to figure out if the user is challenged, and if they got their authentication request to an AM server. You typically watch the AM Security Console - Reporting - Real Time Monitor, Authentication Monitor (screenshot: SC-Reporting-RTM-AuthActivity.png) to watch in real time, or an Authentication Activity Report to see after the fact.

Things can get complex when you are no longer using the console or Microsoft RDP, but some third party remote console app, which should show up inside the parentheses of one of the SIDAuthenticator( ).logs. We've seen various configuration and/or interoperability issues.

You might need to add remote console apps as an RDCFileName in either the registry or GPO:

https://community.rsa.com/docs/DOC-58298

Thanks Jay for the tips on setting up logging.

My tests so far are directly on these newly set up Win 10 workstations, not through RDP or a complicated setup.

I also tried testing with the network cable disconnected to simulate a network issue where an administrator will need to log in locally with the local Administrator account, but even this was also blocked by the agent. I worry that in a real disaster scenario, we will all be locked out of the workstations with no way of getting in.

0 Likes
JayGuillette
Apprised Contributor

Some things to consider, if you cannot boot safe mode to sneak an Admin in with a Password:

Challenge All except local Admin: This would be always on, so it would be there before the emergency disaster scenario, so make sure this admin name and password are both complex and secret. The local Admin is exempt from RSA challenge, so only the Windows or AD password is needed.

Offline Days: designed for laptops; basically, when on the Corp LAN or via VPN the laptop downloads offline days (up to 99), which is an encrypted block of tokencodes for every minute of those days, so that when the laptop user is at home or in a hotel, they can actually log on locally with a real Passcode, so that they can get into Windows and access VPN.

Emergency Access: Is designed for when someone loses their token, so they need a kind of single tokencode to authenticate now. Comes in 2 flavors: online, where they are on the network and call the help desk, who tells them the one time code over the phone, or offline, which works with Offline Days but includes an emergency code in the encrypted block of offline tokencodes. So you have to set this up before you go offline.

Reserve Password: for a Challenged Administrator to bypass the Password requirement, with a password that goes to AM. Must be set up on each Windows platform via RSA Control Center or GPO. This might be your best option for your disaster scenario for Windows Servers that remain on the network but the network is down. It's documented in the Agent Admin & Install Guide. If the Windows agent cannot contact the AM servers, and a Reserve Password is configured, you will be prompted for a Reserve Password.

Hi Jay,

[Challenge All except local Admin] is what we have been relying on; it has been working in Win7 but not Win10. Based on my tests here, imho I believe this is an issue with the Agent and Windows 10. Also the version of the Agent doesn't matter: installing the older 7.3.3 agent on Windows 10 = same problem = local admin accounts cannot login.

This screencap from the 'Challenge Users' screen of Win10 & Win7 clearly shows the differences in the agent behavior. The Win7 screen should be the correct one and working as expected:

(screenshot: Win10 vs Win7 'Challenge Users' screens.jpg)

The Win10 settings are also strangely grayed-out and have led the initial engineer to wrongly assume a GPO issue when there are none in place.

I'm now waiting for a senior engineer to take on this case after escalation.

0 Likes
MarkBell
Contributor

Hi Mike

Is the Win 10 a member of a domain?

The Win 10 settings being greyed out implies that an RSA Authentication Agent for Windows GPO template is in use.

To investigate further please open a command prompt with 'Run as administrator' and enter the command:

gpresult /user administrator /scope computer /h gpo.htm /f

Return the group policy results (gpo.htm) to your open case for review.

Regards, Mark

0 Likes

Yes, both Win7 & Win10 desktops are members of a domain (single forest, single domain). They are also in the same OUs.

I will only be able to try the gpresult command next week.

But looking at the agent logs collected from Win7 and Win10 so far strongly suggests no policies in place - "Unable to open policy key":

(screenshot: 2020-07-17 1415_00-cmd.png)

Also the logs suggest the Win10 agent is looking at the domain group whereas Win7 is correctly working with the local group:

(Long snippet, with slight redaction, from logging of my login as local ".\administrator". FYI, ACMEDOM is the domain name and TESTPC/TESTPC2 are computer names.)

$ grep -ir 'Group'
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [LACPolicies::getChallengeGroupSAMNamePolicy] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [LACPolicies::getChallengeGroupSAMNamePolicy] The Challenge Group sAMAccountName policy is ACMEDOM\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [LACPolicies::getChallengeGroupSAMNamePolicy] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::getChallengeType] Challenge settings. challengeGroup is: ACMEDOM\Administrators challengeMode is: 0x3
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::checkUserInGroup] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsing fullGroupPath = ACMEDOM\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsed result: groupDomainORworkstationName = ACMEDOM, groupName = Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::checkCachedSettings] Returning userLocation = LOCATION_UNKNOWN, domainORworkstationName = TESTPC2, userName = administrator, fullGroupName = ACMEDOM\Administrators, bStaleResult = true
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::queryAdsiForUserLocation] Evaluating domainORworkstationName = TESTPC2 userName = administrator groupName = ACMEDOM\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsing fullGroupPath = ACMEDOM\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsed result: groupDomainORworkstationName = ACMEDOM, groupName = Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ADSIHelper] m_userDomainORworkstationName = TESTPC2, m_userName = administrator, fullGroupName = ACMEDOM\Administrators, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = true, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::queryAdsiForUserLocation] Local user is never in a domain group
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::queryAdsiForUserLocation] Returning: userLocation = USER_NOT_IN_GROUP
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::checkUserInGroup] Updating cached challenge state for user: administrator.  New location: USER_NOT_IN_GROUP
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::cacheUserGroupInfo] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::cacheUserGroupInfo] domainORworkstationName = TESTPC2, userName = administrator, fullGroupName = ACMEDOM\Administrators, userLocation = USER_NOT_IN_GROUP
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsing fullGroupPath = ACMEDOM\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsed result: groupDomainORworkstationName = ACMEDOM, groupName = Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::cacheUserGroupInfo] Stored UserLocation: USER_NOT_IN_GROUP
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::cacheUserGroupInfo] Stored TimeStamp: 0x5f0e9eec
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::cacheUserGroupInfo] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::checkUserInGroup] Returning: userLocation = USER_NOT_IN_GROUP
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::checkUserInGroup] Return
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::getChallengeType] userLocation is: USER_NOT_IN_GROUP
...
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [LACPolicies::getChallengeGroupSAMNamePolicy] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [LACPolicies::getChallengeGroupSAMNamePolicy] The Challenge Group sAMAccountName policy is .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [LACPolicies::getChallengeGroupSAMNamePolicy] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [sidChallenge::getChallengeType] challengeGroup is: .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [sidChallenge::checkUserInGroup] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] fullGroupPath = .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] groupDomainORworkstationName = TESTPC, groupName = Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [sidChallenge::checkCachedSettings] userLocation: USER_IN_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [sidChallenge::checkCachedSettings] userLocation = USER_IN_CACHED_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ADSIHelper] userDomainORworkstationName = TESTPC, userName = administrator, fullGroupName = .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] fullGroupPath = .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] groupDomainORworkstationName = TESTPC, groupName = Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ADSIHelper] groupDomainOrWorkstation is equal to the computer name, so the group is assumed to be a local group
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ADSIHelper] m_userDomainORworkstationName = TESTPC, m_userName = administrator, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = true, m_bIsLocalGroup = true, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::CheckLocalUserInLocalGroup] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::CheckLocalUserInLocalGroup] Entries read: 0x2, Total entries: 0x2
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::CheckLocalUserInLocalGroup] administrator is a member of Administrators.
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::CheckLocalUserInLocalGroup] bInGroup = true, bReturn = true
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::CheckLocalUserInLocalGroup] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::queryAdsiForUserLocation] Local user is a member of the local group
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::queryAdsiForUserLocation] userLocation = USER_IN_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::cacheUserGroupInfo] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [ADSIHelper::ParseGroupName] Enter
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [ADSIHelper::ParseGroupName] fullGroupPath = .\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [ADSIHelper::ParseGroupName] groupDomainORworkstationName = TESTPC, groupName = Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [ADSIHelper::ParseGroupName] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::cacheUserGroupInfo] Stored UserLocation: USER_IN_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::cacheUserGroupInfo] Stored TimeStamp: 0x5f0eb2b1
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::cacheUserGroupInfo] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::checkUserInGroup] userLocation = USER_IN_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::checkUserInGroup] Return
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::getChallengeType] userLocation is: USER_IN_GROUP

0 Likes
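The two log excerpts above differ in one decision: on Win10 the agent parses the challenge group as ACMEDOM\Administrators, classifies the account as a local user (m_bIsLocalUser = true) against a non-local group (m_bIsLocalGroup = false), and returns USER_NOT_IN_GROUP without ever consulting local membership; on Win7 the group resolves to the workstation name and CheckLocalUserInLocalGroup runs. As an added diagnostic example (not code from RSA, the agent, or anyone in this thread), the Python script below folds grep output of this shape into one record per log file and reports that signature. The sample lines are constructed from the redacted output above, using the thread's own placeholders ACMEDOM, TESTPC and TESTPC2; the field names come from the log lines, and the regular expressions are assumptions about their exact format.

```python
"""Triage the group-check lines of SIDAuthenticator(LogonUI).log from the RSA Windows agent.

Folds grep-prefixed log lines into one record per log file and flags a local
account that was evaluated against a domain-scoped challenge group. Field names
are taken from the thread's log lines; the regexes are assumptions about format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's redacted grep output
# (ACMEDOM, TESTPC and TESTPC2 are the thread's placeholder names, not real hosts).
SAMPLE_GREP_OUTPUT = """\
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [LACPolicies::getChallengeGroupSAMNamePolicy] The Challenge Group sAMAccountName policy is ACMEDOM\\Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::getChallengeType] Challenge settings. challengeGroup is: ACMEDOM\\Administrators challengeMode is: 0x3
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ParseGroupName] Parsed result: groupDomainORworkstationName = ACMEDOM, groupName = Administrators
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [ADSIHelper::ADSIHelper] m_userDomainORworkstationName = TESTPC2, m_userName = administrator, fullGroupName = ACMEDOM\\Administrators, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = true, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
RSAAgentLogs-Win10/SIDAuthenticator(LogonUI).log:2020-07-15 06:15:08.618 1740.10764 [sidChallenge::getChallengeType] userLocation is: USER_NOT_IN_GROUP
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [LACPolicies::getChallengeGroupSAMNamePolicy] The Challenge Group sAMAccountName policy is .\\Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ParseGroupName] groupDomainORworkstationName = TESTPC, groupName = Administrators
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.202 6108.6936 [ADSIHelper::ADSIHelper] m_userDomainORworkstationName = TESTPC, m_userName = administrator, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = true, m_bIsLocalGroup = true, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
RSAAgentLogs-Win7/SIDAuthenticator(LogonUI).log:2020-07-15 07:39:29.217 6108.6936 [sidChallenge::getChallengeType] userLocation is: USER_IN_GROUP
"""

# 'file:date time thread [Component::method] message' as produced by grep -r over the log directory
LINE_RE = re.compile(r"^(?P<source>[^:]+):\S+ \S+ \S+ \[(?P<component>[^\]]+)\] (?P<message>.*)$")
POLICY_RE = re.compile(r"The Challenge Group sAMAccountName policy is (?P<group>\S+)")
PARSED_RE = re.compile(r"groupDomainORworkstationName = (?P<scope>[^,]+), groupName = (?P<name>\S+)")
FLAGS_RE = re.compile(r"m_userDomainORworkstationName = (?P<uscope>[^,]+), m_userName = (?P<uname>[^,]+),"
                      r".*m_bIsLocalUser = (?P<luser>true|false), m_bIsLocalGroup = (?P<lgroup>true|false)")
LOCATION_RE = re.compile(r"userLocation is: (?P<loc>\S+)")


@dataclass
class GroupCheck:
    """What the agent decided for one logon attempt, as recorded in one log file."""
    source: str
    challenge_group: Optional[str] = None   # value of the Challenge Group sAMAccountName policy
    group_scope: Optional[str] = None       # groupDomainORworkstationName as parsed by the agent
    group_name: Optional[str] = None
    user_scope: Optional[str] = None        # m_userDomainORworkstationName
    user_name: Optional[str] = None
    is_local_user: Optional[bool] = None    # m_bIsLocalUser
    is_local_group: Optional[bool] = None   # m_bIsLocalGroup
    user_location: Optional[str] = None     # final getChallengeType verdict


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one grep-prefixed log line into source, component and message; None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(grep_output: str) -> Dict[str, GroupCheck]:
    """Fold the lines into one GroupCheck per source log file (later lines overwrite earlier ones)."""
    checks: Dict[str, GroupCheck] = {}
    for raw in grep_output.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        check = checks.setdefault(rec["source"], GroupCheck(source=rec["source"]))
        comp, msg = rec["component"], rec["message"]
        if m := POLICY_RE.search(msg):
            check.challenge_group = m["group"]
        elif m := PARSED_RE.search(msg):
            check.group_scope, check.group_name = m["scope"].strip(), m["name"]
        elif m := FLAGS_RE.search(msg):
            check.user_scope, check.user_name = m["uscope"].strip(), m["uname"].strip()
            check.is_local_user = m["luser"] == "true"
            check.is_local_group = m["lgroup"] == "true"
        elif comp.endswith("getChallengeType") and (m := LOCATION_RE.search(msg)):
            check.user_location = m["loc"]
    return checks


def findings(checks: Dict[str, GroupCheck]) -> Dict[str, List[str]]:
    """Problems worth raising per log file; an empty list means the check looked consistent."""
    out: Dict[str, List[str]] = {}
    for source, c in checks.items():
        notes: List[str] = []
        if c.is_local_user and c.is_local_group is False:
            notes.append(f"local account {c.user_scope}\\{c.user_name} was evaluated against domain group "
                         f"{c.challenge_group}; the agent never finds a local user in a domain group, "
                         "so the account's real local group membership is not consulted")
        if c.group_scope and c.user_scope and c.is_local_group is not None:
            # the agent treats '.' or the workstation's own name as a local group; cross-check its flag
            local_by_name = c.group_scope.upper() in (".", c.user_scope.upper())
            if local_by_name != c.is_local_group:
                notes.append(f"group scope '{c.group_scope}' and m_bIsLocalGroup = {c.is_local_group} disagree")
        if c.user_location is None:
            notes.append("no getChallengeType verdict captured; collect verbose logs for the logon attempt")
        out[source] = notes
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_GREP_OUTPUT)
    problems = findings(result)
    for source, c in result.items():
        print(f"{source}\n  policy group: {c.challenge_group}  local user: {c.is_local_user}"
              f"  local group: {c.is_local_group}  verdict: {c.user_location}")
        for note in problems[source]:
            print(f"  !! {note}")
```

Feed it the output of the same grep over a collected log directory (for example `triage(open("grep.txt").read())`). A USER_NOT_IN_GROUP verdict together with m_bIsLocalUser = true and m_bIsLocalGroup = false is the signature worth attaching to the support case, and the finding text states why local membership was never checked; the "Unable to open policy key" lines are deliberately ignored since they carry no group-check information.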
_EricaChalfin
Employee (Retired)

Mike Pang,

Thank you for supplying the log output. I edited it just to make the font a bit more readable, but left everything else as is.

Regards,

Erica

0 Likes

FYI... ignore the "Unable to open policy key" error that happens on all agents, working or not; it is a red herring IIRC.

0 Likes
ChristopherStan
Occasional Contributor

So, I had the same problem. It took some trial and error, but essentially I had to:

  • Create a local "Exempt_RSA" group on all workstations, and add local .\Admin to that group.
  • Create a domain group called "Exempt_RSA_Authentication."
  • Update group policy to add the domain "Exempt_RSA_Authentication" group to the local "Exempt_RSA" group.
  • Update group policy for RSA to exempt the local .\Exempt_RSA group from RSA Authentication - essentially challenging all users except the local group.

I wish I could have found something simpler, but this is working across my environment. Whenever I need to add an account for exemption from RSA authentication - like a service account - the account is added to the domain group "Exempt_RSA_Authentication". That way I can still specify within RSA GP to "challenge all users except" and point to the local group "Exempt_RSA", which in turn includes any users in the domain group "Exempt_RSA_Authentication."

..chris..