SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000032683
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for WIndows
RSA Agent Version/Condition: 7.x
RSA Product/Service Type: Authentication Agent for WIndows
RSA Agent Version/Condition: 7.x
Issue
By default, the ReservePasswordHashGenerator creates an 80-character hash code, while the default Reserve Password domain policy takes a maximum of 79 characters. This article provides information on modifying the MAXLEN value of the reserve password hash so that it is allows for an additional character.
Because of this discrepancy when the ADM\RSA Desktop\Local Authentication Settings\Reserve Password policy is enabled and the hash is set, the data pasted from the ReservePasswordHashGenerator to the Reserve Password text box does not fit, resulting in a non-functional reserve password.
In the agent’s ADM templates, strings are allocated and stored in the registry as MAXLEN-1 because one character was needed to account for the trailing null that is needed when a string is written to the registry as a REG_SZ or REG_EXPAND_SZ.
Microsoft Technet has an article entitled "Classic ADM file in Windows 2008: MAXLEN error," which says that the string in the text box is limited to this defined length, so the trailing null should be in addition to the value of MAXLEN and not built into it.
Editing the attached RSA_Authentication_Agent.adm file will correct the MAXLEN value to accommodate the trailing null.
Because of this discrepancy when the ADM\RSA Desktop\Local Authentication Settings\Reserve Password policy is enabled and the hash is set, the data pasted from the ReservePasswordHashGenerator to the Reserve Password text box does not fit, resulting in a non-functional reserve password.
In the agent’s ADM templates, strings are allocated and stored in the registry as MAXLEN-1 because one character was needed to account for the trailing null that is needed when a string is written to the registry as a REG_SZ or REG_EXPAND_SZ.
Microsoft Technet has an article entitled "Classic ADM file in Windows 2008: MAXLEN error," which says that the string in the text box is limited to this defined length, so the trailing null should be in addition to the value of MAXLEN and not built into it.
Editing the attached RSA_Authentication_Agent.adm file will correct the MAXLEN value to accommodate the trailing null.
Resolution
To resolve this issue, follow the steps below:
Image description
Image description
- Download the RSA Authentication Agent for Microsoft Windows.
- Unzip the files in the archive and navigate to the RSA_Authentication_Agent_<version>\Policy Templates\adm folder.
- Open the RSA_Authentication_Agent.adm file in a text editor.
- Look for the line below:
PART !!LAC_RESERVE_PASSWORD_LABEL EDITTEXT VALUENAME "ReservePassword" MAXLEN 80
- Change the value for MAXLEN to 81, as shown:
PART !!LAC_RESERVE_PASSWORD_LABEL EDITTEXT VALUENAME "ReservePassword" MAXLEN 81
- Save and close the file.
- Download ReservePasswordHashGenerator zip file attached to this article and save it on a local Windows machine.
- Unzip the files in the archive and navigate to the appropriate folder based upon the Windows architecture (32- or 64-bit).
- Double click the installer and run the Windows install wizard.
- Click on Finish when the installation is complete.
- Go to Start > All Programs > RSA and click on the RSA Reserve Password Hash Generator, which opens a command prompt as shown:
Image description- Enter a reserve password that meets the requirements and confirm the same to generate the 80-character reserve password hash.
Image description- The 80-character reserve password hash generated using the ReservePasswordHashGenerator can now be entered
- Take the agent machine off the network to test the new reserve password.
In this article
