Certain users can't authenticate using MFA tokens
We have an RSA SecurID environment consisting of two RSA Authentication Manager (AM) 8.2.1 VMs (Primary and Replica) and utilize the RSA Cloud Service, so we have two Identity Routers (IDR).
Users use a mix of RSA SecurID physical tokens and the new MFA tokens. Users log on to existing remote access services via Authentication Manager. Users log on to new remote access services via the IDRs/Cloud Service. We have just started pushing people to use their smartphone and MFA tokens to reduce the number of physical tokens. We have integrated AM and IDR to provide backward and forward compatibility, which works fine. We rolled out 200 MFA tokens recently to users with physical tokens that were expiring. 95% of users have had no issue registering the RSA SecurID Authenticate app with our company and authenticating using the existing or new remote access services using the MFA token (using the tokencode method). However, we have a few users who have registered successfully but can't authenticate to an existing remote access service (via AM).
The flow is: User to RADIUS Client, RADIUS Client to RSA Authentication Manager, AM to IDR to authenticate the MFA token. However, RSA Authentication Manager just says "Authenticated Method Failed". The user has an MFA token assigned to their AM profile because the majority of users registered and logged on to the existing remote access service before their physical token expired. Users who didn't were manually assigned an MFA token via the AM CLI. The users with issues are not locked out in Active Directory and have an MFA token assigned. I have tried asking the user to delete the RSA SecurID Authenticate app and re-enroll, or just delete the company within the app. I have tried adding a new physical token to them to see if it was because they registered after their physical token expired; no change. The problem is the error has no details and the majority of users work fine. The fix to date has been to provide these few users with physical tokens, but we are looking to move away from physical tokens to MFA tokens, so we need to resolve the underlying issue.
Any ideas?
Hi Alex - I would recommend opening a support case so that we can try to determine what is happening via IDR and AM logs.
Ted
Hi Ted, I raised a call with RSA support in parallel; I was just hoping another community member may have had this issue. This is now resolved.
"Error code 104 - Authenticator Tokencode authentication failed - invalid tokencode"
The issue was that the user's smartphone was 5-10 minutes ahead of time, so when they were submitting their tokencode there was a time skew with the RSA Cloud Service which was subsequently rejecting the tokencode "invalid tokencode". I asked the user to set their phone to the correct time and she was able to authenticate successfully using the RSA app.
It would be useful if RSA had some more detail in the user event monitor on these error codes as they are quite generic.
Hi Alex - glad that the issue is resolved!
Regarding the event monitor...we would not be able to distinguish between an incorrectly entered code and one that is outside the valid time window if that's what you mean by more detail.
Thanks for letting us know the resolution,
Ted
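The time-skew failure discussed in this thread, as an added illustration that is not part of the original posts and is not RSA's implementation: generic RFC 6238 TOTP stands in for the proprietary SecurID tokencode algorithm. The 60-second interval, 8-digit code, one-interval acceptance window, secret and timestamps are all assumptions or constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 60          # assumed tokencode interval, in seconds
WINDOW_STEPS = 1   # assumed server tolerance: +/- 1 interval of clock drift


def totp(secret: bytes, unix_time: float, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the interval that contains unix_time."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: float) -> bool:
    """Accept the code only if it matches an interval inside the window."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-WINDOW_STEPS, WINDOW_STEPS + 1)
    )


def drift_steps(secret: bytes, code: str, server_time: float, search: int = 30):
    """Diagnostic only, never an acceptance check: search a wide range of
    intervals and return how far off the code is, or None if nothing matches
    (for example a mistyped code)."""
    for k in sorted(range(-search, search + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), code):
            return k
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"     # constructed sample seed
    server_now = 1_700_000_000              # constructed server clock
    in_sync = totp(secret, server_now)
    phone_ahead = totp(secret, server_now + 7 * 60)   # phone 7 minutes fast
    mistyped = in_sync[:-1] + str((int(in_sync[-1]) + 1) % 10)
    for label, code in [("in sync", in_sync), ("phone ahead", phone_ahead),
                        ("mistyped", mistyped)]:
        print(label, verify(secret, code, server_now),
              drift_steps(secret, code, server_now))
```

The skewed code and the mistyped code both fail `verify` with the same result, which is why the verifier's log entry looks identical for the two cases; checking the device clock against a reliable time source is the practical first step when a correctly enrolled user gets "invalid tokencode".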
