SecurID® Discussions
ShaneCarr
Beginner

Slow authentication then failure

I am trying to diagnose an issue with a Windows 10 VDI with RSA authentication agent installed. The agent only challenges privileged users - not standard users.

The standard users access the VDIs via Citrix XenDesktop utilising single sign on which works correctly.

The issue arises when users lock the VDI (via Windows + L or screensaver). When they come to enter their password and unlock the VDI, it works approximately 90% of the time but the other 10% the login attempt will take 2 to 3 minutes and then fail silently (just drops back to the login prompt) despite the password having been entered correctly.

On each failed login, the authentication agent's SIDCredentialProvider(LogonUI) log contains the following:

2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] Username=username
2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] Domain=Domain
2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] UPNSuffix=
2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] SAMDomainUsername=Domain\username
2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] Return
2018-05-29 22:56:26.418 20008.8092 [SIDDCredential::getPasscode] Enter

2018-05-29 22:56:26.418 20008.8092 [Field::getStringValue] Enter
2018-05-29 22:56:26.418 20008.8092 [Field::getStringValue] Value is sensitive
2018-05-29 22:56:26.418 20008.8092 [MemoryCrypter::decrypt] Enter
2018-05-29 22:56:26.418 20008.8092 [MemoryCrypter::init] Enter
2018-05-29 22:56:26.418 20008.8092 [MemoryCrypter::init] Return
2018-05-29 22:56:26.418 20008.8092 [MemoryCrypter::decrypt] Return
2018-05-29 22:56:26.418 20008.8092 [Field::getStringValue] Return
2018-05-29 22:56:26.418 20008.8092 [SIDDCredential::getPasscode] Return
2018-05-29 22:56:26.418 20008.8092 [DisableTileControlsDlgBox::startInputCapture] Enter
2018-05-29 22:56:26.419 20008.20904 [DisableTileControlsDlgBox::ThreadProc] Enter
2018-05-29 22:56:26.426 20008.8092 [DisableTileControlsDlgBox::startInputCapture] Hidden dialog created, showing wait cursor.
2018-05-29 22:56:26.426 20008.8092 [DisableTileControlsDlgBox::showWaitCursor] Enter
2018-05-29 22:56:26.427 20008.8092 [DisableTileControlsDlgBox::showWaitCursor] Return
2018-05-29 22:56:26.427 20008.8092 [DisableTileControlsDlgBox::startInputCapture] Return
2018-05-29 22:56:26.427 20008.8092 [AuthMechWrapper::authenticate] Enter
2018-05-29 22:58:34.965 20008.8092 [AuthMechWrapper::authenticate] AuthMech authenticate failed: 0x8
2018-05-29 22:58:34.965 20008.8092 [AuthMechWrapper::authenticate] Return

Note the 128 seconds spent in the authenticate method.

Any idea why the authenticate would take so long or what the 0x8 failure indicates?

MartinSawczyn
Employee

Hi,

In regard to time-out issues and long authentication delays with the Windows Agent, I would recommend creating a support ticket, as there are several root causes and the logs would need to be checked to find a solution for your specific problem.

Regards,

Martin

EdwardDavis
Employee

0x8 by itself is not enough to fully diagnose the situation. That code can occur when authentication arrives at the RSA server and it is rejected (bad code). However, this regards desktop lock/unlock, and work has been done in this area on several versions of the agent. You may want to open a case and request the very latest build to test it, and see if we have already solved this type of issue. Request 7.3.3.123. This is not released yet, but since you are having issues, it is worth testing with it.
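To find every slow call in a larger SIDCredentialProvider(LogonUI) log rather than spotting the 128-second gap by eye, the Enter/Return lines can be paired per thread and timed. This is an added example, not part of the thread and not an RSA tool; the line layout is assumed from the excerpt quoted in the question, and the function name `slow_calls` and its 5-second threshold are hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the SIDCredentialProvider(LogonUI) log lines quoted in the question.
SAMPLE_LOG = """\
2018-05-29 22:56:26.418 20008.8092 [Credential::collectUsername] Return
2018-05-29 22:56:26.418 20008.8092 [SIDDCredential::getPasscode] Enter
2018-05-29 22:56:26.418 20008.8092 [SIDDCredential::getPasscode] Return
2018-05-29 22:56:26.419 20008.20904 [DisableTileControlsDlgBox::ThreadProc] Enter
2018-05-29 22:56:26.427 20008.8092 [AuthMechWrapper::authenticate] Enter
2018-05-29 22:58:34.965 20008.8092 [AuthMechWrapper::authenticate] AuthMech authenticate failed: 0x8
2018-05-29 22:58:34.965 20008.8092 [AuthMechWrapper::authenticate] Return
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+\.\d+) \[([^\]]+)\] (.*)$")

def slow_calls(log_text, threshold_s=5.0):
    """Return (slow, unfinished): calls whose Enter->Return time is at least
    threshold_s, and calls that logged Enter but never Return."""
    open_calls = {}   # (pid.tid, function) -> stack of Enter timestamps
    notes = {}        # (pid.tid, function) -> messages logged inside the call
    slow = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-matching line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        key, msg = (m.group(2), m.group(3)), m.group(4).strip()
        if msg == "Enter":
            open_calls.setdefault(key, []).append(ts)
            notes[key] = []
        elif msg == "Return":
            if open_calls.get(key):  # ignore a Return whose Enter was cut off
                elapsed = (ts - open_calls[key].pop()).total_seconds()
                if elapsed >= threshold_s:
                    slow.append((key[0], key[1], elapsed, notes.get(key, [])))
        elif key in notes:
            notes[key].append(msg)
    unfinished = sorted(k for k, stack in open_calls.items() if stack)
    return slow, unfinished

if __name__ == "__main__":
    slow, unfinished = slow_calls(SAMPLE_LOG)
    for thread, func, secs, msgs in slow:
        print(f"{thread} {func}: {secs:.3f}s {msgs}")
    for thread, func in unfinished:
        print(f"{thread} {func}: Enter without Return")
```

Collecting the timestamps of each slow call across the roughly 10% of failed unlocks gives the exact windows to compare against the server-side authentication activity when opening the support case.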