We have a user whose hard token keeps resetting itself back to next tokencode mode every time he authenticates. There are no failures or incorrect tokencodes in the logs that would help me figure out what is happening.
I assigned him a new token, and it is still happening:
Result Key:
ATTEMPT_SUCCESSFUL
NEXT_TOKEN_CODE_ACCEPTED
AUTHN_METHOD_SUCCESS
ATTEMPT_SUCCESSFUL
NEXT_TOKEN_CODE_ACCEPTED
ATTEMPT_SUCCESSFUL
NEXT_TOKEN_CODE_ACCEPTED
TIFFANY IRELAND,
Two things. Try running a token report on that user's token. Do this step first!
Steps are as follows:
1. Open an SSH session to the Authentication Manager primary.
2. Log in as the rsaadmin user and run the following CLU:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Fri Mar 17 10:39:20 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility 8.2.0.2.0 (1388711)
Copyright (C) 1994 - 2016 EMC Corporation. All Rights Reserved.
Enter the absolute path for the output report file : /tmp/20170509.txt
Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection [ (all) | file ]: all
Choose a token filter [ assigned | unassigned | (both) ]: assigned
What action do you wish to perform? [ (list) | modify ]: list
Enter administrator user ID : <enter super admin user name>
Enter administrative password : <enter super admin user password>
Authenticator Bulk Synchronization Utility 8.2.0.2.0 (1388711)
Copyright (C) 1994 - 2016 EMC Corporation. All Rights Reserved.
Started job on Tue May 09 15:02:17 EDT 2017 with ID = ims.b231c2473202a8c0749efde4ba5e06e0
3. Open the 20170509.txt file and look for the token of the user who is having issues.
4. What are the values for the Clock Offset and Next Tokencode Mode Status?
After running the report, try resynchronizing the token through the Security Console.
1. Navigate to Authentication > Tokens > SecurID Tokens.
2. Search for the token serial number and click Search.
3. When the results come back, click on the context arrow next to the token number and choose Resynchronize Token.
4. You will need to have your end user on the phone and have her read you the tokencode she sees on the token, which you would enter in the current code box. Then wait for the next tokencode to display and enter that code. Note that it needs to be the tokencode seen on the hardware token or the tokencode shown on the software token interface WITHOUT the PIN.
5. Click Resynchronize.
6. With the real time authentication activity monitor open to see what happens during the auth attempt, have the end user test authentication again.
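
Added example, not part of the original posts and not RSA code: a Python sketch that scans an exported authentication activity log for the pattern in the question, tokens that repeatedly pass through next tokencode mode with no non-success result logged beforehand, so you know whose Clock Offset to check in the report. The CSV layout, user IDs, serial numbers and the failure key in the sample are constructed assumptions; only the three success result keys come from the post.

```python
import csv
import io
from collections import defaultdict

# The three result keys quoted in the post; any other key counts as a non-success.
SUCCESS_KEYS = {"ATTEMPT_SUCCESSFUL", "AUTHN_METHOD_SUCCESS", "NEXT_TOKEN_CODE_ACCEPTED"}
NEXT_CODE = "NEXT_TOKEN_CODE_ACCEPTED"

# Constructed sample export. Column names, users, serials and the failure key
# are assumptions for illustration, not Authentication Manager output.
SAMPLE = """timestamp,user_id,token_serial,result_key
2017-05-09T09:00:01,jdoe,000000000001,ATTEMPT_SUCCESSFUL
2017-05-09T09:00:40,jdoe,000000000001,NEXT_TOKEN_CODE_ACCEPTED
2017-05-09T09:00:40,jdoe,000000000001,AUTHN_METHOD_SUCCESS
2017-05-09T13:10:05,jdoe,000000000001,ATTEMPT_SUCCESSFUL
2017-05-09T13:10:44,jdoe,000000000001,NEXT_TOKEN_CODE_ACCEPTED
2017-05-09T16:30:12,jdoe,000000000001,ATTEMPT_SUCCESSFUL
2017-05-09T16:30:50,jdoe,000000000001,NEXT_TOKEN_CODE_ACCEPTED
2017-05-09T10:15:00,asmith,000000000002,CONSTRUCTED_FAILURE_KEY
2017-05-09T10:15:30,asmith,000000000002,CONSTRUCTED_FAILURE_KEY
2017-05-09T10:16:10,asmith,000000000002,ATTEMPT_SUCCESSFUL
2017-05-09T10:16:50,asmith,000000000002,NEXT_TOKEN_CODE_ACCEPTED
2017-05-09T11:00:00,bwong,000000000003,ATTEMPT_SUCCESSFUL
2017-05-09T11:00:45,bwong,000000000003,NEXT_TOKEN_CODE_ACCEPTED
"""

def load(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def flag_silent_next_code(rows, threshold=2):
    """Return {(user, serial): count} for tokens with at least `threshold`
    next tokencode prompts that had no non-success event since the last prompt."""
    failure_seen = defaultdict(bool)   # non-success seen since the last prompt?
    silent = defaultdict(int)          # prompts with no logged failure before them
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        token = (row["user_id"], row["token_serial"])
        key = row["result_key"].strip()
        if key not in SUCCESS_KEYS:
            failure_seen[token] = True
        elif key == NEXT_CODE:
            if not failure_seen[token]:
                silent[token] += 1
            failure_seen[token] = False
    return {t: n for t, n in silent.items() if n >= threshold}

if __name__ == "__main__":
    for (user, serial), count in flag_silent_next_code(load(SAMPLE)).items():
        print(f"{user} token {serial}: {count} next tokencode prompts with no logged failure")
```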