SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000039892
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: MFA Agent - CAS
RSA Version/Condition: 2.0
RSA Product/Service Type: MFA Agent - CAS
RSA Version/Condition: 2.0
Issue
After upgrading the MFA agent, the windows console authentication fails with the error "cannot authenticate. Contact your administrator" as shown in the below screenshot. However, the login from the Remote Desktop Protocol (RDP) is working as desired. From the RDP the user can authenticate successfully and log in to the machine.
![]()
The below is displayed in the MFA agent verbose logs
2021-10-06 09:12:46.734 860.1 [V] [CredentialProviderCredentialEvents2Proxy.EndFieldUpdates] Return
2021-10-06 09:12:46.734 860.1 [V] [RSA.Authentication.CredentialProvider.CASCredential.GetPasswordCredentials] Return
2021-10-06 09:12:46.765 860.1 [V] [Credential.GetSerialization]
----------
Method:
ICredentialProviderCredential::GetSerialization(CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE * pcpgsr, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION * pcpcs, PWSTR * ppwszOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON * pcpsiOptionalStatusIcon)
Result:
S_OK
Output:
*pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED
*pcpcs->ulAuthenticationPackage = 0
*pcpcs->clsidCredentialProvider = {00000000-0000-0000-0000-000000000000}
*pcpcs->cbSerialization = 0
*pcpcs->rgbSerialization = ***************
*ppwszOptionalStatusText = Cannot authenticate. Contact your administrator.
*pcpsiOptionalStatusIcon = CPSI_ERROR
The below is displayed in the MFA agent verbose logs
2021-10-06 09:12:46.734 860.1 [V] [CredentialProviderCredentialEvents2Proxy.EndFieldUpdates] Return
2021-10-06 09:12:46.734 860.1 [V] [RSA.Authentication.CredentialProvider.CASCredential.GetPasswordCredentials] Return
2021-10-06 09:12:46.765 860.1 [V] [Credential.GetSerialization]
----------
Method:
ICredentialProviderCredential::GetSerialization(CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE * pcpgsr, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION * pcpcs, PWSTR * ppwszOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON * pcpsiOptionalStatusIcon)
Result:
S_OK
Output:
*pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED
*pcpcs->ulAuthenticationPackage = 0
*pcpcs->clsidCredentialProvider = {00000000-0000-0000-0000-000000000000}
*pcpcs->cbSerialization = 0
*pcpcs->rgbSerialization = ***************
*ppwszOptionalStatusText = Cannot authenticate. Contact your administrator.
*pcpsiOptionalStatusIcon = CPSI_ERROR
Cause
The RSA installer defers reboot decisions to the Windows Installer as 'best practice' .When that happens, Windows Installer won't prompt for a reboot, so the console continues to hold the 'old' CredProvider in Logonui.RDP works because each RDP authentication runs in a new instance of LogonUI, which correctly loads the 'new' CredProvider.
Resolution
Restarting the machine will update the CredProvider in Logonui .After the restart the console authentication should work as desired
Notes
- Forcing a reboot would be an over-reaction since a general installer's goal is to avoid reboots unless necessary. There are other use cases, for example, server OSes running on a physical system where a forced reboot is an overkill.
- This issue can be reported in all Windows Agents that implement a CredProvider, not just the MFA agents configured to authenticate directly to CAS.
In this article
