SecurID^® Discussions

ThomasMandevill · ‎2017-07-14

I have a laptop that will not pass RSA credentials. My first thought was the network connection, but I verified that the machine has a solid network connection. My second thought was that the offline days have expired, but since the machine will not pass the RSA credentials, I cannot get into console on the client to check. I can access the RSA console on the machine with the local admin account, which does not allow me to refresh offline days but does allow me to clear the node secret and the cache. I tried to disable the challenge for all users so that it would not challenge anyone, just to see if that would allow me to get into the client, but that did not work. I also tested authentication (While logged in to the RSA client with the local admin account) with a domain account and the test was successful. But when I attempt to log on to the machine, RSA authentication fails, and there are no authentication attempts recorded on the server. I have removed and re-installed the client software, and tried three different versions of the RSA client (I don't recall the initial client version, but I updated it to 7.3.0.26 and also tried 7.3.3).

Any thoughts as to what may be causing this behavior and how to fix it?

Thanks for any help that you can offer!

--Tom

ThomasMandevill · ‎2017-07-18

Amar,

Thanks for the response.

I solved the problem. Once upon a time, we challenged all users except members of the local Administrators group. This allowed us to log on to a machine with the local admin account simply by entering a password. These days, we challenge all users in a domain group, and of course the local admin account is not a member of that group. So it achieves the same goal—we can log in with the local admin account by entering a password. This setting is pushed by Group Policy.

Once logged on with the local admin account I opened the RSA Control Center and went to Advanced Tools > Challenge Users. I saw that it was set the old way, to challenge all users except those in the local Administrators group. This tipped me off that perhaps Group Policy was not updating on the machine. As a test, I changed the challenge option to challenge all users—including members of the local Administrators group. After a reboot, I was able to log in with a domain account, and I confirmed through the RSA Security Console that the authentication attempt was received by the server. Interestingly, when I reversed the change, the problem came back and I was again unable to get past RSA authentication with a domain account.

After once again logging in with the local admin account, I attempted to do gpupdate /force and got an error. So I checked out the event logs and found an error pointing to the registry.pol file for the machine. I browsed to that file and noticed an old date stamp. I deleted the file and then ran gpupdate /force again, and this time there was no error. I rebooted the machine and tested logging in with the local admin account and with a domain account, and both now work. I verified the challenge settings in the RSA client and they are now correct. So, in the end, it was a Group Policy issue.

--Tom

View solution in original post

AmarVobireddy · ‎2017-07-16

Hi Thomas,

please check the below

1) Authentication server is reachable from RSA Authentication agent installed machines. (try using PING CMD)

2) Authentication listener port UDP 5500 is opened opened towards to RSA Authentication manager.( Telnet the port)

SGTech · ‎2017-07-17

Hi Thomas,

please help check this

1) please check the user have been challenged properly from RSA control center, you can challenge only a group not individual user.

ThomasMandevill · ‎2017-07-18

Amar,

Thanks for the response.

I solved the problem. Once upon a time, we challenged all users except members of the local Administrators group. This allowed us to log on to a machine with the local admin account simply by entering a password. These days, we challenge all users in a domain group, and of course the local admin account is not a member of that group. So it achieves the same goal—we can log in with the local admin account by entering a password. This setting is pushed by Group Policy.

Once logged on with the local admin account I opened the RSA Control Center and went to Advanced Tools > Challenge Users. I saw that it was set the old way, to challenge all users except those in the local Administrators group. This tipped me off that perhaps Group Policy was not updating on the machine. As a test, I changed the challenge option to challenge all users—including members of the local Administrators group. After a reboot, I was able to log in with a domain account, and I confirmed through the RSA Security Console that the authentication attempt was received by the server. Interestingly, when I reversed the change, the problem came back and I was again unable to get past RSA authentication with a domain account.

After once again logging in with the local admin account, I attempted to do gpupdate /force and got an error. So I checked out the event logs and found an error pointing to the registry.pol file for the machine. I browsed to that file and noticed an old date stamp. I deleted the file and then ran gpupdate /force again, and this time there was no error. I rebooted the machine and tested logging in with the local admin account and with a domain account, and both now work. I verified the challenge settings in the RSA client and they are now correct. So, in the end, it was a Group Policy issue.

--Tom

ThomasMandevill · ‎2017-07-18

Thanks for the reply. The problem has been resolved. See my reply to Amar.

SecurID^® Discussions

Machine Not Passing RSA Credentials

Agents

SecurID® Discussions

Machine Not Passing RSA Credentials

Agents

SecurID^® Discussions