SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
New Contributor
New Contributor

MFA for active directory using RSA


We have RSA SecurID and would like to start using that for MFA for user accounts in our active directory.

What we basically want to do is add RSA to the current AD username and password or replace it with RSA and pin.

Like a Yubkey but we want to use RSA instead. Yubkey was easy to setup and get going to user accounts but we are heavily invested in RSA and would like to use that as most of our staff already have RSA tokens.


We are currently doing it with remote access but that is but that is protecting computers and not user accounts.

I know we could install agents on all machines requiring user to use RSA but that doesn't protect the user account.



I don't want staff to have to go to a web page or anything like that, if logging into a machine or launching a resource or tool as a user I want the RSA to be part of that authentication.


Are there any documents that can help me get this setup? It is my understanding that ADFS may be required for this and we have setup ADFS. I installed and configured the ADFS RSA agent but I am missing something.

I am using the ADFS RSA admin guide.

When I read that document it is not clear to me what I may be missing from my setup to get this functionality.

Thank you very much!

Labels (1)
1 Reply
Apprised Contributor Apprised Contributor
Apprised Contributor

In SecurID-speak, you are asking about an agent or protected resource.  When your AD user logs into Windows on the Domain, they enter their AD UserID and password to gain access to that Windows PC or Server.  There is an RSA SecurID Authentication Agent for Windows (ver. 7.4.4) that is a credential provider in Windows and protects that Windows resource.  The SecurID-speak concept of Challenge now comes into play, the Windows Console with Authentication Agent presents UserID and Passcode, but Challenged Users have to enter their UserID and correct Passcode, but not every user may be challenged or not, and if not, those unchallenged Users can enter their Password at the Passcode prompt and successfully authenticate.  Local Agent logs would say they are not challenged, Windows Security Event would show authentication to AD instead of RSA.  Challenge allows for Setup to be either

 1. Challenge everyone

 2. Challenge no one

 3. Challenge everyone in a group (you can nest to a certain degree groups)

 4. Challenge everyone not found in a group.


Other concepts

 - AD users get mapped into Authentication Manager through an LDAP external Identity Source

 - RSA has agents for many other resources, like PAM on Linux, IIS or Apache Web Servers, 100s of VPN products

 - There is a SecurID ADFS agent, but you do not need ADFS to run SecurID Authentication Manager

 - If you want Biometrics or Click to approve on a phone instead of just the Token Passcode, you would need the SecurID Cloud Authentication Service, CAS. 

How can I challenge all users except my .\Administrator (local admin)? 

000032346 - Determine the challenge mode of RSA Authentication Agent 7.x for Windows from Windows registry 

RSA SecurID Authentication Agent 8.1 for PAM Installation and Configuration Guide for SUSE