Article Number
000033671
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 and later
Issue
An RSA administrator is trying to enable On-Demand Authentication (ODA) for an end user.
- Once the user is enabled for ODA, he cannot use the Self-Service Console (SSC) to set his PIN, because the SSC prompts for a PIN after the user enters his password.
- As shown here, the Self-Service Console (SSC) logon screen requests Jay's user ID and password.
- The SSC then prompts Jay to enter an existing PIN rather than asking him to create a new PIN.
- Logon fails because a PIN is not set yet. Using a blank PIN or a PIN of 0000 also fails.
- In the Security Console, the enable ODA options show a choice between:
  - Require user to setup the PIN through RSA Self-Service Console
  - System generate initial PINs for selected users and export them to a file
- The system-generated initial PIN option only worked in Authentication Manager 7.1. All the Authentication Manager 8.1 systems here show the option as:
Set initial PIN to [ ] (Pin needs to be communicated to user)
- This works if we use the System Generate PINs option: we download the file, log on to the SSC with a password, enter the PIN from the file, then create a new PIN.
- If we select Require user to setup the PIN, and the user logs on to the Security Console, he is prompted to enter a PIN even though the Security Console says the PIN is not set. Nothing works: the user sees either a logon failed message or, if the PIN is left blank, a message that the field is required.
Cause
The logon method for the Self-Service Console is configured as RSA_Password/LDAP_Password+OnDemand, which translates to either RSA password or LDAP password first, and then On-Demand Authentication.
When users try to set up their ODA PINs in the SSC, it cannot work because the logon itself requires an ODA authentication, so the SSC requests a PIN that has not been created yet.
Resolution
Enabling an ODA user to create their PIN through the Self-Service Console and requiring an ODA logon to the Self-Service Console are mutually exclusive. You can only have one or the other, so the options are to either:
- Manually set ODA user PINs in the Security Console or with the Authentication Manager Bulk Administration (AMBA) tool; or
- Change the Self-Service logon requirements to not enforce an ODA logon, either by removing it completely or by making it optional with the OR operator (that is, /).
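The following is an added example, not RSA code, that models how an SSC logon-method string gates a user who has ODA enabled but no PIN yet. It assumes the reading given above: "+" separates steps that must all pass in order, and "/" lists the alternatives accepted at one step, so RSA_Password/LDAP_Password+OnDemand means (RSA or LDAP password) and then ODA. The UserState class and the method names as dictionary keys are assumptions for the model.

```python
from dataclasses import dataclass


@dataclass
class UserState:
    # Constructed sample state; has_oda_pin=False models "ODA enabled, PIN not set yet".
    has_rsa_password: bool = False
    has_ldap_password: bool = False
    has_oda_pin: bool = False


# What each authentication method needs from the user to succeed (simplified model).
CHECKS = {
    "RSA_Password": lambda u: u.has_rsa_password,
    "LDAP_Password": lambda u: u.has_ldap_password,
    # An ODA step needs an existing PIN; with no PIN the prompt can only fail.
    "OnDemand": lambda u: u.has_oda_pin,
}


def parse_policy(expr):
    """'+' separates steps that must all pass, in order; '/' lists the
    alternatives accepted at one step (assumed precedence, per the article)."""
    steps = []
    for step in expr.split("+"):
        methods = [m.strip() for m in step.split("/")]
        for m in methods:
            if m not in CHECKS:
                raise ValueError(f"unknown authentication method {m!r}")
        steps.append(methods)
    return steps


def can_log_on(expr, user):
    """Return (ok, failing_step): ok is True when every step has a passing
    alternative; otherwise failing_step names the step the user is stuck at."""
    for methods in parse_policy(expr):
        if not any(CHECKS[m](user) for m in methods):
            return False, "/".join(methods)
    return True, None


if __name__ == "__main__":
    jay = UserState(has_ldap_password=True, has_oda_pin=False)
    for policy in ("RSA_Password/LDAP_Password+OnDemand",   # ODA mandatory: blocked
                   "RSA_Password/LDAP_Password",            # ODA removed: logon ok
                   "RSA_Password/LDAP_Password/OnDemand"):  # ODA optional: logon ok
        ok, stuck = can_log_on(policy, jay)
        print(f"{policy:40} -> {'logon ok' if ok else 'blocked at ' + stuck}")
```

Once the same user has a PIN set (has_oda_pin=True), the first policy passes as well, which is the state the Workaround below produces.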
Workaround
- Generate PINs for the users.
- Communicate the PINs in a secure manner to the end users.