Article Number
000033269
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
O/S Version: ESXi 5.0
Issue
Some users receiving errors when attempting to login and they are asked immediately to wait for the next token code.
Log Level: INFO
Action ID: 23021
Activity Key: Next tokencode mode activated for token
Description: Next tokencode mode activated for token serial number “0001418xxxxx” assigned to user “xxxxx” in security domain “SystemDomain” from “xxxx AD” identity source
Cause
Time on Primary and Replica is different.
Above log also has a field
Instance Name: <primary> vs. <replica(s)>
look at authentication activity over a period of time, may see something like
5/18/2016 4:29:26 PM AUTHN_METHOD_SUCCESS <replica>
5/19/2016 7:32:07 AM Next tokencode mode activated for token <primary>
Where success followed immediately by NTC, so this is not a failure related NTC
Resolution
Fix time, specifically time source on Primary and all replicas.
Workaround
Run ./rsautil sync-tokens -I to clear NTC and lockouts, but this is only a patch. If the Primary and replica times are more than 2 minutes apart, this problem will keep happening whenever a user authenticates against one then the other.
Notes
See also KB 000027095 - Explanation of Next Token Code Mode and Small Medium and Large Windows in SecurID Authentication
