"Agent auto-registration is disabled" messages in RSA report
I have a client running AM 8.3 P1 and when they run a report to show remote logins, they are seeing entries on there that say "Agent auto-registration is disabled" and the source IP of those entries is one of their internal servers. However, that server does not have any RSA components installed on it nor does it get used in any of our current RSA authentication schemes. In addition, the report shows that these "Agent auto-registration" messages get logged from that server every Sunday morning and there are always 18 attempts beginning from 5:35 AM and ending around 5:37 AM (give or take five minutes on either end). I have looked in the Task Scheduler on that server and can't find any tasks that would run automatically at that time.
Hoping someone here has seen similar behavior and/or hoping someone might be able to tell me what to look for on that server as to why it's trying to talk to the RSA AM.
- 8.3 P1
- agent auto-registration
- Auth Agent
- Authentication Agent
- Community Thread
- Forum Thread
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
From the description it sounds like you have a weekly DHCP lease renewal happening at that time on Sundays, which would trigger an auto-registration attempt.
- sdadmreg.exe is one component that will try to register from the command line when run manually; hunt for any sign of this .exe
- sdregsrv.exe is the Windows service version of this; hunt for this file
- Also, if the auto-registration service is installed (check Windows services for RSA*(anything)), any time the TCP/IP stack is renewed (such as a DHCP lease) the service will automatically attempt an auto-register action
A normal install would put it here: "C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility\sdregsrv.exe"
Failing all this, you can still find out what is going on with Sysinternals Process Monitor.
Check the Security Console on the RSA server for what TCP port auto-registration is set to (default is 5550/tcp but it can be changed), and then sniff out that port on the 'problem server' with Sysinternals Process Monitor using a filter:
- Operation begins with TCP
- Path contains 5550 (the port for auto-registration)
Example 1: Procmon running and getting zero events until I manually run sdadmreg and see TCP port 5550 to my RSA server:
```
C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility>sdadmreg -r
Agent Host added successfully.
```
Example 2: I use something else to generate TCP port 5550 traffic, PortQry:
```
C:\PortQryV2>portqry -n 10.101.99.150 -p TCP -e 5550
Querying target system called:
Attempting to resolve IP address to a name...
IP address resolved to edavis-vm150.na.rsa.net
TCP port 5550 (unknown service): LISTENING
```
If there is something on this machine using TCP to send to RSA server auto-reg port, ProcMon can find it and reveal the source of that TCP traffic.
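The file, service and port checks described in the answer above, gathered into one triage script. This is an added example, not code from the original thread or from RSA; the server address is a placeholder, the 5550/tcp default comes from the thread, and the scheduled-task check is an extra step for the Sunday-morning cadence the question reports.

```powershell
# Added example (not from the thread): triage a Windows host for RSA agent
# auto-registration activity toward an Authentication Manager server.
param(
    [string]$RsaServer = '10.0.0.10',   # placeholder; use your AM server address
    [int]$AutoRegPort  = 5550           # default from the thread; confirm in the Security Console
)

# 1. The auto-registration binaries named in the thread, at their default install path.
$agentDir = "$env:ProgramFiles\RSA\RSA Authentication Agent\Agenthost Autoreg Utility"
foreach ($exe in 'sdregsrv.exe', 'sdadmreg.exe') {
    $p = Join-Path $agentDir $exe
    '{0,-7} {1}' -f ($(if (Test-Path $p) { 'FOUND' } else { 'absent' }), $p)
}
# The same binaries anywhere else on the system drive.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include 'sdadmreg.exe', 'sdregsrv.exe' `
    -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

# 2. Installed RSA* services (the auto-registration service re-registers on each TCP/IP renewal).
Get-Service -Name 'RSA*' -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType

# 3. Current TCP connections to the auto-registration port, mapped to the owning process.
#    Run this while the activity is happening; Procmon remains the tool for catching it later.
Get-NetTCPConnection -RemotePort $AutoRegPort -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
}

# 4. Scheduled tasks with a weekly trigger that includes Sunday (DaysOfWeek bit 0 = Sunday),
#    including tasks flagged hidden that the Task Scheduler UI does not show by default.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Triggers | Where-Object { $_.DaysOfWeek -and ($_.DaysOfWeek -band 1) } | ForEach-Object {
        [pscustomobject]@{
            Task   = $task.TaskName
            Path   = $task.TaskPath
            Start  = $_.StartBoundary
            Hidden = $task.Settings.Hidden
        }
    }
}
```

Step 3 only sees connections open at the moment it runs, so schedule it around the reported window or fall back to the Procmon filter from the answer.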
Thank you very much for your detailed response. I searched my server for the files and services you mentioned and did not come up with anything. But then I realized this server is the same one that one of my colleagues uses to perform vulnerability scans with Nessus. I checked in with him and he confirmed that his Nessus scans are scheduled to run early Sunday mornings. Bingo! So my guess is that Nessus must realize that it's talking to an RSA Auth Man server and so it tries to do an agent auto-reg to see if that feature is enabled.
So while your reply didn't help me directly for this issue, it did get me thinking in terms of what might be on my server that would potentially talk to my RSA Auth Man and that led me to the Nessus discovery. Your reply is definitely one that will go into my archives!