Just installed RSA agent 7.3.3 on Server 2016. It works fine; however, when I am logged into my VM and try to RDP to another server, it now asks me for username and passcode in the Remote Desktop Connection dialog, whereas in previous versions it asked for username and password, then username and passcode.
I cannot seem to get any further now when RDPing from this Server 2016.
Any ideas?
Jack,
You need a Registry entry to tell the Windows platform NOT to prompt you locally when you RDP to another Windows platform. Create a REG_SZ string value named "RDCFileName" in the 'From' registry under RSA's Local Authentication Settings, with the value
C:\Windows\System32\CredentialUIBroker.exe
How to find something like this on RSA Link?
000034009 - RSA Authentication Agent 7.3.1 for Microsoft Windows prompts for passcode when used as an RDP jump host
Background - more detail
When RDP'ing from one Windows platform to another, there are potentially three prompts for credentials between the two Windows platforms. I will refer to the Windows platforms as:
The initiating, local or 'From' Windows Server or Workstation that you are working on
The receiving, or remote or 'To' Windows Server or Workstation that you want to RDP to
It also appears to us that one of these prompts can be taken care of or hidden by Windows, or used to be taken care of or hidden before Windows security update MS16-101 (or related updates), which appeared starting in August 2016.
The three credential prompts:
1. A prompt on the local or 'From' host to access the network, in order to reach the remote or 'To' RDP host
2. A prompt on the remote or 'To' RDP host. If there is an RSA agent, this will be a prompt for a PassCode; if no RSA AM agent is installed, go to prompt 3 below
3. The prompt for the Windows Password
In short, if you have RSA Authentication agents on both the 'From' and 'To' hosts, you will see all three prompts by default.
To prevent prompt #1, when the 'From' Windows host has an agent, create a REG_SZ string value named "RDCFileName" in the 'From' registry under RSA's Local Authentication Settings, with the value
C:\Windows\System32\CredentialUIBroker.exe
Correct spelling and path are critical, or use the new 7.3.2 GPO templates to set this. You may need to F3 search the registry for Local Authentication Settings, or even create it. We found it under either
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings
or
HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings
See screenshots below.
We believe this 1st prompt is due to how MS handles our agent request to access the network, under NLA, but whether our assumption on that is correct or not, this fix works.
The 2nd prompt is due to the presence of the RSA agent on the 'To' remote Windows host. If the user is challenged, they need to enter a PassCode, but if the user is not challenged, they can enter a Password. It would be impossible to know ahead of time whether a user will be challenged, so the only control you have over this is a GPO to display either PassCode or Password for everyone, with the RSA logo indicating the presence of our agent.
The 3rd prompt, which would be the 2nd prompt if no RSA agent were present on the 'To' remote Windows host, is for a Windows Password. If this is the 3rd prompt, RSA has a way to take care of this with a feature/policy known as Windows Password Integration, where we learn your Windows Password the first time you do this (assuming the policy is configured and affects the user), and then every time after that we pass the MD5 hash of this password to Windows for the user.
Screenshot: RSA's Local Authentication Settings\RDCFileName
Screenshot: GPO settings to avoid prompts on various Remote Desktop Connection applications that start RDP: C:\Windows\System32\CredentialUIBroker.exe, C:\Windows\System32\mstsc.exe, C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\rdcman.exe
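The registry change described in the answer above, as an added PowerShell example that is not part of the original post or of RSA's own tooling. It assumes the two key paths quoted in the answer (the Policies path is tried first, then the non-policy path as the answer spells it) and that the script runs in an elevated session on the 'From' host; which key the agent actually reads depends on the install and on whether the GPO templates are in use, so the read-back at the end is the check that the value landed exactly as typed, since the answer says spelling and path are critical.

```powershell
# Added example, not from the RSA Link post. Creates the REG_SZ value RDCFileName
# under RSA's Local Authentication Settings so the 'From' host stops prompting
# locally for credentials before reaching the 'To' RDP host.

$valueName = 'RDCFileName'
$valueData = 'C:\Windows\System32\CredentialUIBroker.exe'   # value given in the answer

# Key paths as quoted in the answer (assumption: one of these is what the agent reads).
$candidateKeys = @(
    'HKLM:\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings',
    'HKLM:\SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings'
)

# Equivalent of the F3 search in the answer: return the first candidate key that exists.
function Find-RsaLocalAuthKey {
    foreach ($k in $candidateKeys) {
        if (Test-Path -LiteralPath $k) { return $k }
    }
    return $null
}

$key = Find-RsaLocalAuthKey
if (-not $key) {
    # Neither key exists; the answer says you may have to create it. Use the Policies path.
    $key = $candidateKeys[0]
    New-Item -Path $key -Force | Out-Null
}

# The value must point at an existing binary; a misspelled path silently fails to suppress the prompt.
if (-not (Test-Path -LiteralPath $valueData -PathType Leaf)) {
    throw "Target binary not found: $valueData"
}

# Create or overwrite the REG_SZ value (PropertyType String == REG_SZ).
New-ItemProperty -LiteralPath $key -Name $valueName -Value $valueData -PropertyType String -Force | Out-Null

# Read back and compare case-sensitively, so a typo in the stored value is caught here, not at the next RDP.
$actual = (Get-ItemProperty -LiteralPath $key -Name $valueName).$valueName
if ($actual -ceq $valueData) {
    Write-Output "OK: $key\$valueName = $actual"
} else {
    throw "Value mismatch: expected '$valueData', got '$actual'"
}
```

If the agent is managed through the 7.3.2 GPO templates mentioned in the answer, set the value there instead and let policy populate the Policies key; a manually written value under the non-policy key will otherwise be overridden or ignored the next time policy applies.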