SecurID® Discussions
AndreLocker
Occasional Contributor

How do you get proper authentication with a SID800 hardware token through an RDP session?

Hi Guys,

 

I recently got LDAP configured on my RSA AM and I also got our Authentication Agent deployed on our jump host server. I got some help with the configuration for LDAP and the Authentication Agent and was able to test my SID 800 USB hardware token to authenticate with the RSA Control Center. Whenever I RDP into the jump host and try to use my USB hardware token and enter my PIN, the authentication fails.

 

The token has been synced and I checked to make sure that all the correct firewall ports are open.

 

Does anyone have any thoughts on why my authentication attempt is failing at the Windows logon screen?

Accepted Solution

Two things:

First, if you do not see anything from an RDP logon to the Windows server/workstation in the Real Time Monitor, but Test Auth works, that indicates the user is not being challenged. Check the Challenge Settings in Control Center - Advanced Tools.

[image attached: pastedImage_1.png]

If you are not challenging everyone, either challenge everyone in a particular group (or just your user in that group as a test), or the reverse would be to challenge everyone except users in a group, in which case you would have to not belong to that group.

 

Second, if you Test Auth successfully and you did this by only entering the PIN, that indicates you have either installed the RSA Authentication Client (RAC), which controls SID-800s by giving extra options in the RSA Control Center, or you installed something called SID-800 middleware. Even if this were not working correctly, you still should have seen something in the AM log monitor, so I think it is the Challenge. After getting the challenge working you may still have to do something to automatically get the TokenCode entered from the SID-800, but first things first.

27 Replies
JayGuillette
Apprised Contributor

[image attached: SC_Report_RealTime_AuthAct.png]

I assume you mean an Auth Mgr (AM) logon with PassCode, not a Smart Card Cert logon to AD or Windows... so start the Real Time Authentication Monitor in the Security Console, under Reporting, then see if the RDP logon is getting to AM, and if it is, what it says is wrong.

0 Likes
AndreLocker
Occasional Contributor

So, what I want to accomplish is that when my users RDP to our jump server, they are forced to use their SID 800 and authenticate with their PIN only.

When I tested it with the RSA engineer we tested it from the Control Center and it worked fine. When I tested it from the RDP session it failed to authenticate. I checked the Real Time Monitor and saw no attempts being made besides the ones from the Control Center. I want my users in our Active Directory to be allowed to authenticate with the SID 800 USB token via an RDP session on our jump host server.

 

So far this morning I've had no luck.

0 Likes


AndreLocker
Occasional Contributor

Hi, yup, this worked, thank you very much!

 

Now I have some cleanup to do, and I'm not sure if this is done through the use of the RSA Group Policies. But when I RDP to the server I get asked for my Windows credentials, then I get the Windows logon screen. I have 3 user logins (take a look at the picture attached). I only want the login with the USB authentication for my users to select. The next thing I want to fix is that after I get authenticated by RSA I get prompted again for my Windows credentials.

 

What is the best way to:

1) Only have the RSA SID 800 logon option on the Windows logon page.

2) Remove the additional challenge for Windows logon credentials after being authenticated by RSA.

 

[image attached: RSA006.jpg]

0 Likes
JOHNHAGEN1
New Contributor

Just worked on this exact issue. Tried to get two-factor authentication to work with the Windows 2012 agent and cannot get past the Windows password requirement. Spoke with RSA support and told them the Admin guides and release notes are misleading in that they convey that this is possible to access via RDP app resources with two-factor user IDs.

Spent a week with RSA just trying to figure this out, that it is not supported. Put in an RFE.

Why would users need to use Windows passwords to access a jump server when we are going to RSA for a PCI-compliant two-factor approach? Just a ridiculous waste of my time.

 

Need to circle back and use a Linux client accessed from SSH and allow a VNC app to run so we can access these backend resources. The issue here is that VNC does not support all backend applications.

0 Likes

Did you ever get two-factor to work directly from the RDP client?

0 Likes

Hey John,

With RDP you have this kind of relative thing going on, because you are on a Windows platform (call it start) and want to RDP to another Windows platform (call it destination). And there is more than one way to call RDP on the start platform: mstsc.exe, RDP Connection server, MMC plugin, possibly more...

 

What we have seen is that after a Microsoft Windows update from Aug/Sept '16, if your 'start' platform has a Windows agent, things go wrong, especially on Win10 and Win2012 R2. If your user is challenged by the local AM agent, Microsoft assumes you should be challenged before accessing the network with RDP. We have figured out some workarounds, posted here:

https://community.rsa.com/message/880803

including the Knowledge Base (KB) article. The good news is you should be able to get this to work; the bad news is this will no longer work automatically like we always expected with Windows agents. We think it has something to do with NLA.

0 Likes
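A way to check the NLA suspicion raised in the reply above, as an added example that is not from the thread or from RSA: this PowerShell snippet, run in an elevated session on the jump host, reads the RDP-Tcp listener's NLA flag and security layer from the Win32_TSGeneralSetting WMI class, then lists recent RemoteInteractive (LogonType 10) logons from the Security log so they can be compared with what the AM Real Time Monitor recorded. When NLA is on, the RDP client must present Windows credentials before the session and its logon screen exist, which is one explanation for being asked for a Windows password before the SecurID challenge. The -MaxEvents cap and the output layout are my own choices.

```powershell
# Added example, not from the thread or from RSA: inspect the RDP listener's NLA setting
# and list recent RDP logons on the jump host. Run in an elevated PowerShell session.

# 1. Listener settings. UserAuthenticationRequired = 1 means NLA is enabled, so the
#    RDP client must supply Windows credentials before the session (and any
#    credential-provider challenge at the logon screen) is reached.
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                            -ClassName 'Win32_TSGeneralSetting' `
                            -Filter "TerminalName='RDP-Tcp'"

$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }   # documented SecurityLayer values
[PSCustomObject]@{
    Listener      = $listener.TerminalName
    NlaRequired   = [bool]$listener.UserAuthenticationRequired
    SecurityLayer = $layerNames[[int]$listener.SecurityLayer]
}

# 2. Recent RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive).
#    Compare these with the AM Real Time Monitor: an RDP logon that appears here but
#    never produced an AM authentication record reached Windows without being challenged.
#    Property positions follow the standard 4624 event layout; -MaxEvents is an arbitrary cap.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{ Name = 'User';     Expression = { '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value } },
        @{ Name = 'SourceIP'; Expression = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

The first block answers whether NLA is forcing a credential prompt ahead of the logon screen; the second gives a server-side list of RDP logons to set against the AM monitor, which is the comparison the earlier replies in this thread use to decide whether the agent challenged the user at all.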

Hello,

 

This other article I found references an RFE specific to 2012 R2 Server, "RFE AAWIN-2319":

https://community.rsa.com/docs/DOC-59975

 

It recommends we ask RSA for an alternative workaround since we are not getting the node secret issue mentioned here.

 

An alternative would be to see if RSA Engineering provides a fix or another work-around through RFE AAWIN-2319, for the capability to run the Remote Desktop Connection Manager from a Windows 2012 R2 Server that is protected by the RSA

 

Thanks for your response,

 

John

0 Likes

John,

I can open a case for you and add it to this RFE, to kind of increase the weight of the demand for something here with that Request for Enhancement (RFE):

AAWIN-2319 - RFE - AAWin 7.3.1 on Windows 2012 R2 Server prompts for PassCode when used as RDP Jump host to other Windows platforms without AAWin agent.

 

You're with NYClearinghouse, correct?

The RFE process gets driven by Sales, so if you have a Sales contact, either let me or him/her know. A lot of customers have seen this, so I added all their names and companies to the RFE, but when Sales is involved that helps bring things to a critical mass.

0 Likes