This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
HennieHavenga
Beginner
Beginner
‎2017-01-16 01:54 PM

Windows Authentication Agent still connecting to old primary appliance

Jump to solution

Guys, 

I need your help, I have replaced our replica appliance with a new unit, then promoted it to the new primary appliance (not changing naming)  so now our old primary is now the replica and the new replica is now the new primary.

 

Now I need to remove the old primary which is now the replica to put in another new unit then make that the new replica and over time promote it back to the new Primary as its physical location is where all our servers are and the replicas physical location is at the Dr site.

 

When I switched the old primary off which is now the replica the windows authentication agents stopped authenticating as they are pointing to the old primary....

 

What is the correct way to now get all the Authentication agents to look at the new Primary to authenticate against? I cannot find any info in the manual AM 8.2

 

Thanks...

 

Hennie

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-01-16 03:00 PM

Jump to solution

If these agents are Native SecurID Authentication agents (not RADIUS Clients), go to new Primary Security Console - Access - Authentication agents - Generate Config file (sdconf.rec) and download and unzip and 

SC-Access-Agents-GenFile.png

replace the current sdconf.rec on the agents that only go to the old primary replica.

 

IF they are RADIUS clients you have to manually configure them to use the primary or replica as the first RADIUS auth server and failover 2nd RADIUS server.

View solution in original post

Reply
4 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-01-16 03:00 PM

Jump to solution

If these agents are Native SecurID Authentication agents (not RADIUS Clients), go to new Primary Security Console - Access - Authentication agents - Generate Config file (sdconf.rec) and download and unzip and 

SC-Access-Agents-GenFile.png

replace the current sdconf.rec on the agents that only go to the old primary replica.

 

IF they are RADIUS clients you have to manually configure them to use the primary or replica as the first RADIUS auth server and failover 2nd RADIUS server.

Reply
EdwardDavis
Employee
Employee
‎2017-01-16 03:20 PM

Jump to solution

It depends: 

 

you should not need to do much, but here is a full list of things to do/try

 

Verify packets on port 5500/udp are allowed from the agent to all RSA servers

and that it is not a network config issue preventing communication.

 

1) On primary...try a security console, access, authentication agents, auth manager contact list,

'automatic rebalance' on the current primary

 

this means the primary will only advertise the current state of instances to any agents

 

2) after rebalance, try distributing/replacing new sdconf.rec files to the agents 

 

3) all windows agents also have a load balancing file called sdstatus.12, it 

may contain stale server IP's. delete this file, the agent will be forced

to build a new one (automatically) that only has current server addresses

 

4) you may have a file called sdopts.rec on the agent machine. If there are

USESERVER statements in that file (if file doesn't exist no worries, it is optional)

then they may need to be changed

Reply
HennieHavenga
Beginner
Beginner
In response to JayGuillette
‎2017-01-16 03:53 PM

Jump to solution

Thanks Jay your approach worked 100% , I just re created a new sdconf.rec file from the new Primary and copied the file to the location on Windows where the old file was and tested it 100%

 

Cheers man

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-01-16 04:06 PM

Jump to solution

To add to what Ed said, the automatic rebalance updates the contact list, which allows the primary to tell all agents about every replica.  A contact list can be used to 'hide' replicas, maybe for development.  I think they did this backwards but I'm just a Support guy.  If you do the automatic rebalance before you generate the sdconf.rec file, when you generate all replicas will actually be stored in the sdconf.rec file, so agents with the sdconf.rec do not have to wait for the primary to tell them about replicas. 

Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.