Article Number
000037935
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 2.0
Issue
Users are in Active Directory and authenticate from a machine where the RSA Authentication Agent 2.0 for Active Directory Federation Services (AD FS) is installed and enabled with two-factor authentication. The end user experiences a 20-second delay in authentication from the AD FS agent. Authentication from all other agent hosts appears to be normal.
Cause
The delay is caused by Authentication Manager performing a DNS lookup on the hostname of the AD FS agent. In theory, since the AD FS agent uses the REST API, any logical name can be used to define the agent in Authentication Manager. A DNS lookup by Authentication Manager on agents that use the REST API is unexpected, and it is this lookup that introduces the delay.
Resolution
This issue has been reported as defect AM-35049 and is resolved in RSA Authentication Manager 8.4 patch 7.
Workaround
- Define the agent within the Security Console with a fully qualified host name (Access > Authentication Agent > Manage Existing or Add New).
- Make sure that the agent is resolvable on that page by clicking Resolve IP or Resolve Hostname.
- Verify that the hostname is resolved by DNS by running nslookup <hostname> from the command line.
- Confirm that the agent name matches the actual name of the machine on which the RSA Authentication Agent 2.0 for Active Directory Federation Services (AD FS) is installed.
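The DNS checks in the workaround can also be scripted so that a slow or failing lookup shows up as a measured time rather than a perceived delay. The following is an added example, not RSA code: the function names, the 2-second threshold and the host name adfs01.example.test are assumptions, and it should be run from a host that uses the same DNS servers as Authentication Manager.

```python
import socket
import sys
import time

def _timed(fn, arg):
    """Call fn(arg); return (result or None, error or None, elapsed seconds)."""
    start = time.monotonic()
    try:
        return fn(arg), None, time.monotonic() - start
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        return None, exc, time.monotonic() - start

def check_agent_dns(hostname, forward=socket.gethostbyname_ex,
                    reverse=socket.gethostbyaddr, slow_after=2.0):
    """Return a list of problems found when resolving the agent host name.

    slow_after is an assumed threshold in seconds, not a value from RSA.
    """
    problems = []
    if "." not in hostname:
        problems.append("not fully qualified: " + hostname)
    res, err, secs = _timed(forward, hostname)
    if secs > slow_after:
        problems.append("forward lookup slow: %.1fs" % secs)
    if err is not None:
        problems.append("forward lookup failed: %s" % err)
        return problems
    wanted = hostname.rstrip(".").lower()
    for addr in res[2]:  # every address the name resolves to
        rres, rerr, rsecs = _timed(reverse, addr)
        if rsecs > slow_after:
            problems.append("reverse lookup slow for %s: %.1fs" % (addr, rsecs))
        if rerr is not None:
            problems.append("reverse lookup failed for %s: %s" % (addr, rerr))
            continue
        names = [n.rstrip(".").lower() for n in [rres[0]] + list(rres[1])]
        if wanted not in names:
            problems.append("%s reverses to %s, not %s" % (addr, rres[0], hostname))
    return problems

if __name__ == "__main__":
    # Constructed default name; pass the real agent host name as the argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "adfs01.example.test"
    found = check_agent_dns(name)
    print("\n".join(found) if found else "OK: %s resolves quickly both ways" % name)
    sys.exit(1 if found else 0)
```

An empty result means the name is fully qualified, resolves within the threshold, and each address maps back to the same name.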