SecurID® Discussions
Michiel (New Contributor)

Windows Password Integration: How to Change Password?


Hi,

Maybe a silly question, but what is the proper procedure for users to change their passwords when "Windows Password Integration" is enabled on their laptops? With the recent increase in remote working, we have more and more users getting locked out of their laptops because of password changes through other platforms. They use private computers to access web portals, or Outlook Webmail, and update their password there - this affects their offline laptops, as the cached copy of the password often doesn't match the real password anymore.

Assuming they're using their work laptop (with the RSA Agent), how should they go about changing their password? Through the RSA website, the RSA agent, or the regular Windows screens?

Regards,

Ook

Accepted Solution

EdwardDavis (Employee)

Do it the regular Windows way: Ctrl-Alt-Delete, or set a flag for change password in AD... the agent will just capture and send the new one to the AM server for next time.

The RSA agent is just a layer on top, but the actual Microsoft password mechanisms are in full control of the password handling process. The agent will just try to automatically replay a password if there is one to replay and the agent is online and can reach an RSA server to fetch it.

If offline, the agent cannot do this password fetching, so it allows the Microsoft password mechanisms to work and prompt as they normally do.

-----

How Windows password integration works with RSA Agent for Windows: 10,000 foot view

Whenever someone logs into Windows with the RSA agent, the agent does some routine operations:

- user logs in with token; passcode was successful on the AM server
- before giving the user the desktop, the agent fetches the stored password from the AM server, or fetches blank [or you may not even allow storing of passwords, but the agent will still try and simply come back with nothing]
- agent feeds this password result to the Microsoft login behind the scenes on the laptop
- if the fetched password was blank, Microsoft wants a password, so the agent allows that to pop up and ask for a password; the agent captures it, and if the user does get to the desktop, the password was successful and the agent stores this new password on the AM server for next time
- if the fetched password was correct, the agent replays it to Microsoft and the user gets on the desktop without needing to type a password
- if the fetched password was wrong, Microsoft wants a correct password, so the agent allows that to pop up and ask for a password; the agent captures it, and if the user does get to the desktop, the password was successful and the agent stores this new password on the AM server for next time
- during all the above, if account controls dictate that Microsoft wants the user to change the password, the agent allows the change password prompting to occur, and once successful, the agent will store the new password in the RSA server.

AM can only store one password per user, so if you have multiple domains and have different passwords in each, and the user logs into each domain back and forth, you may have to type the password again and again if you change to a different domain, as we can only store one.

-----

So, essentially, the agent will try to replay what it has or doesn't have, and if whatever the agent fetches doesn't work, the agent allows Microsoft to take over and do any normal thing with the password (change password...), and the agent will simply try to store a copy of whatever was the last good password.

If you also have RSA Agent for Windows on domain controllers, they can be configured to synchronize passwords... the agent sits there, watches for any password change on a user account and automatically updates the password on the AM server side no matter where the password change came from, to further reduce the times a user needs to type out a password on a login.
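The fetch/replay/prompt/store sequence described in the reply above, as an added toy simulation; it is not code from the post and not RSA's agent code. A stand-in `AuthManager` keeps one password per user, a stand-in `WindowsLogon` checks per-domain passwords, and `agent_logon` walks the steps in the order the post gives them, including the one-password-per-user limitation across two domains and a change forced by account controls. The class and function names, the domain and account names and the passwords are all constructed; the assumption that the agent only stores a password when it is online is mine, the post does not say either way.

```python
from dataclasses import dataclass, field


@dataclass
class AuthManager:
    """Toy stand-in for the AM server: at most one stored Windows password per user."""
    stored: dict = field(default_factory=dict)  # user -> last known-good password

    def fetch(self, user: str) -> str:
        # Blank when nothing was stored yet (or storing passwords is not allowed).
        return self.stored.get(user, "")

    def store(self, user: str, password: str) -> None:
        # Overwrites whatever was there: there is no per-domain slot.
        self.stored[user] = password


@dataclass
class WindowsLogon:
    """Toy stand-in for the Microsoft credential check; passwords are per (domain, user)."""
    passwords: dict                                # (domain, user) -> current password
    must_change: set = field(default_factory=set)  # accounts flagged "change at next logon"

    def verify(self, domain: str, user: str, password: str) -> bool:
        return self.passwords.get((domain, user)) == password


def agent_logon(am, win, domain, user, online, typed=None, new_password=None):
    """One logon after the token passcode was already accepted by AM.

    Returns the events in the order the post describes them. 'typed' is what the
    user would enter if Microsoft prompts, 'new_password' what they would pick if
    a change is forced. Stops at 'logon:failed' if Windows never accepts a password.
    """
    events = []
    if online:
        fetched = am.fetch(user)
        events.append("fetch:blank" if fetched == "" else "fetch:password")
        if fetched and win.verify(domain, user, fetched):
            events.append("replay:ok")          # desktop without typing a password
            good = fetched
        else:
            events.append("replay:wrong" if fetched else "replay:nothing")
            events.append("prompt")             # Microsoft prompts; agent captures the entry
            if typed is None or not win.verify(domain, user, typed):
                events.append("logon:failed")
                return events
            good = typed
    else:
        events.append("offline:no-fetch")       # AM unreachable, nothing to replay
        events.append("prompt")
        if typed is None or not win.verify(domain, user, typed):
            events.append("logon:failed")
            return events
        good = typed
    if (domain, user) in win.must_change:
        events.append("change-password")        # account controls force a change
        if new_password is None:
            events.append("logon:failed")
            return events
        win.passwords[(domain, user)] = new_password
        win.must_change.discard((domain, user))
        good = new_password
    events.append("desktop")
    if online:                                  # assumption: storing needs AM reachable
        am.store(user, good)
        events.append("store")
    return events


def scenario():
    """Walks through the cases from the post; returns the event lists and AM's final copy."""
    am = AuthManager()
    win = WindowsLogon({("CORP", "alice"): "Winter2020!",   # constructed sample accounts
                        ("LAB", "alice"): "lab-pass"})
    out = {}
    out["first"] = agent_logon(am, win, "CORP", "alice", True, typed="Winter2020!")
    out["replay"] = agent_logon(am, win, "CORP", "alice", True)
    # Password changed through webmail on another machine: AM's copy is now stale.
    win.passwords[("CORP", "alice")] = "Spring2020!"
    out["stale"] = agent_logon(am, win, "CORP", "alice", True, typed="Spring2020!")
    out["offline"] = agent_logon(am, win, "CORP", "alice", False, typed="Spring2020!")
    # Two domains, two passwords, one AM slot: every switch costs a prompt.
    out["lab"] = agent_logon(am, win, "LAB", "alice", True, typed="lab-pass")
    out["corp_again"] = agent_logon(am, win, "CORP", "alice", True, typed="Spring2020!")
    # Change forced by account controls: Windows handles it, AM learns the result.
    win.must_change.add(("CORP", "alice"))
    out["forced"] = agent_logon(am, win, "CORP", "alice", True, new_password="Summer2020!")
    return out, dict(am.stored)


if __name__ == "__main__":
    events, final = scenario()
    for name, seq in events.items():
        print(f"{name:>10}: {' -> '.join(seq)}")
    print("AM now holds:", final)
```

Running it prints one event chain per case; the `stale` and `corp_again` chains are the ones that cost the user a prompt, and the `offline` chain shows that nothing is fetched or stored while AM is unreachable.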


Hi Edward,

Thanks a lot for your extensive reply - very much appreciated! Unfortunately our laptops are offline during the logon process (VPN establishes after logon has taken place), so there's some confusion about what the laptop knows and what the user knows etc. Sometimes RSA doesn't download Offline Data while the laptop has already become "aware" of the new password. Next offline logon, RSA replays the old password whereas the laptop is expecting the new one (and because it's not online yet, it cannot prompt the user).

Anyway, we know where to aim our fix - thanks for the write-up!!


If you have any issues in offline day downloads themselves, open a support case and request agent version 7.4.3.177, also called 7.4.3 HF2. This is not a full installer; it is an update to an existing install of 7.4.3.[none].

Version 7.4.3.[none] is the full installer, which can be downloaded from RSA Link here: https://community.rsa.com/community/products/securid/authentication-agent-windows/downloads , but HF2 (build 177) has all the latest updates and some fixes to offline days for certain situations... it is not publicly available yet since it is not a full installer, but it has passed QA.

JayGuillette (Apprised Contributor)

To Ed's point, you might want to open a support case to troubleshoot specific problems, but if you've got too much free time on your hands you can troubleshoot on your own with knowledge base articles here on RSA Link:

https://community.rsa.com/docs/DOC-101279

Basically, if you have offline day files downloaded, your laptop can log in with a Passcode 'offline' while you are home; then when you build your VPN connection, you will be 'online' as far as Auth Manager is concerned, and your laptop will upload log files from when you were offline and download more (refresh) offline day files over TCP port 5580 from any primary or replica - specific to you and the token SN you used to authenticate with. The hashed value of your Windows password will also be stored in AM in order to perform Windows Password Integration for you. If you change your Windows password online through any Windows Agent, Auth Manager will learn the new Windows password.

Michiel (New Contributor)

Thanks - I actually just received the link to the 7.4.3.177 version a few minutes ago via our support case, as we're indeed having issues where Downloading Offline Data fails. The minute the VPN gets established (after logon), the agent instantly pushes all of the information at once (this is A) the previous offline authentication event, B) the new agent IP and C) the request for Offline Data). Timing can be a bit off, so while the server is still processing the IP change, 1 millisecond later it already generates an error about Proof failure. This repeats daily. Adding the password change to the mix doesn't help there.

I will start testing with v7.4.3.177 tomorrow; hope this brings some relief to the users. We're currently forcing a re-download attempt by locking the PC > 5 wrong PIN codes > Passcode; this works well, but it's very inconvenient to keep asking the users to do this.

Thanks for the input guys - spot on support!!

If (as an admin) you want to check the AM server for the last offline days downloaded to a user and token, this SQL can do it:

    -- Last offline-day download time per token, joined to the owning user; oldest first
    select a.last_da_code_time as LastDayOffline,
           a.Serial_Number     as Serial,
           b.LOGINUID          as Username
      from rsa_rep.AM_TOKEN a,
           rsa_rep.IMS_PRINCIPAL_DATA b
     where a.PRINCIPAL_ID = b.ID        -- token -> principal (user) link
     order by lastdayoffline asc;

Thanks very much - this looks very interesting indeed (we're currently running a Splunk query, but it requires machines to be online).

Just to be sure, I need to run this via SSH, correct? I'm not a SQL/DB specialist - would you mind adding a link or a few extra steps on how I can obtain this data?

This shows how to run a different query, same initial procedures: https://community.rsa.com/docs/DOC-45909 

Great - worked like a charm and I managed to output the full report to a txt file! Very nice stats; thanks again for taking the time to respond like this!