SecurID® Discussions

NeilFrick
Beginner

CryptoAPI passwords with SecurID not working

We're using RSA Authentication Agent 7.3.3.99 on Windows 10 Build 1703. We have a number of users who have document signing certificates issued by external trusted Certificate Authorities (IdenTrust, for example). These certificates were imported with a CryptoAPI security level of "High," meaning users type in a password to unlock the private key on the certificate when using them to sign documents (Adobe Acrobat).

After deploying the 7.3.3.99 agent, they are no longer able to enter their password to access the private key and sign documents. They receive this message - "To allow the app to access your private key, enter the password:" however there is no password field present. There was a password field before the RSA agent was installed. The image of the message is attached. The only dialog option is "Don't allow" so the user isn't able to enter any password or sign the document.

I can't find any existing information about this issue. Any ideas?

JayGuillette
Apprised Contributor

Sounds like you need to tell the RSA agent about the document signing application (or maybe Adobe) so that it does not try to challenge users who access it. In the registry under \Local Authentication Settings you would create a REG_SZ value named RDCFileName and populate it with the FULLY QUALIFIED path to your app.

Look at https://community.rsa.com/message/904593?commentID=904593#comment-904593 for some background detail

Basically the RSA agent is a Credential Provider (CP) that uses the concept of Challenge to determine if someone needs to enter a PassCode or a Password to access the Windows system. Windows is signaling that something privileged is being accessed, and our agent's only default response is to prompt for Credentials with the RSA CP, which does not know how to interact with your document signing app. I think exempting your app from our prompt will correct this, and assuming your app is Adobe then I'd try that with full name and path.

The GPO template manual is here
https://community.rsa.com/docs/DOC-77534

I think you will want to look at Logon with credentials from remote applications under RSA Local Authentication Settings Templates starting on P.9

NeilFrick
Beginner

Jay, thanks for the response. We tested this on a client exhibiting the issue and unfortunately there is no change in behavior. I'll open a case with support, but I did figure someone has run into this issue - it can't be an uncommon scenario.

JayGuillette
Apprised Contributor

Get both agent verbose logs and Windows Events for System, Security and Application

scottdickerhoof
Beginner

Did you get any resolution to this problem?


Hi Scott, yes, the issue is we had third-party credential providers disabled in the RSA Group Policy. Turning off that policy option fixed the issue. Of course that isn't a great solution since now we are exposed to third-party credential providers. I consider this to be a bug - the provider in question is built in to the OS so it certainly isn't third-party. However, I haven't had time to report the bug to RSA or do a feature request - ideally we would be able to select the CPs we want to allow by specifying their GUIDs in Group Policy.

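Added example (not part of any post above, and not RSA code): a PowerShell inventory of the credential providers and credential provider filters registered on a client, by GUID, to see what re-enabling third-party providers exposes. It reads the standard Windows registration keys; the `LooksBuiltIn` column is a heuristic assumed for this example (Microsoft-signed DLL under System32), not the rule the RSA policy applies.

```powershell
# Added example: list registered credential providers (CPs) and CP filters by GUID.
$authKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-CredentialProviderInventory {
    param(
        [ValidateSet('Credential Providers', 'Credential Provider Filters')]
        [string]$Kind = 'Credential Providers'
    )
    Get-ChildItem -Path (Join-Path $authKey $Kind) -ErrorAction Stop | ForEach-Object {
        $guid = $_.PSChildName

        # COM registration: the in-process DLL that implements this provider.
        $dll = $null
        $inproc = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$guid\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $dll = [string]$inproc.GetValue('') }
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "System32\$dll"
            }
        }

        # Heuristic (assumption of this example): valid Microsoft signature + System32 path.
        $sig = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
        }
        $msSigned = [bool]($sig -and $sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        $inSystem32 = [bool]($dll -and $dll -like (Join-Path $env:SystemRoot 'System32\*'))

        [pscustomobject]@{
            Kind         = $Kind
            Guid         = $guid
            Name         = $_.GetValue('')                    # default value = display name
            Disabled     = ($_.GetValue('Disabled') -eq 1)    # per-provider Disabled DWORD
            Dll          = $dll
            LooksBuiltIn = ($msSigned -and $inSystem32)
        }
    }
}

Get-CredentialProviderInventory -Kind 'Credential Providers' |
    Sort-Object LooksBuiltIn, Name | Format-Table -AutoSize
Get-CredentialProviderInventory -Kind 'Credential Provider Filters' |
    Format-Table -AutoSize
```

Rows with `LooksBuiltIn` false are the ones to review before leaving the third-party restriction off; comparing the output before and after the policy change shows which GUIDs the change affects.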

Neil Frick,

We have made it very easy to report these sorts of issues. Please go to https://community.rsa.com/community/products/securid/ideas and submit an idea.

Regards,

Erica
