AnsweredAssumed Answered

Why do I have to authenticate 3 times?

Question asked by Rick Grant on Nov 20, 2017
Latest reply on Nov 21, 2017 by Jay Guillette

Like • Show 0 Likes0
Comment • 6

I have a configuration question regarding the RSA Authentication Manager v7.3.3 I just installed on a Windows 2008 R2 server. I did not install the GPO templates. I configured the authentication manger to require 2 factor authentication for a specific group of users. When I login to the server via RDP as a member of that group, I have to authenticate 3 times, first with Windows credentials, then my RSA Passcode, then Windows password again. Ideally, I would like to only login using my username and RSA passcode. Is this possible? If so, what configuration parameter did I miss?

Thank you in advance for your help.

1 person has this question

Outcomes

6 Replies

Yasmine Dowidar Nov 21, 2017 10:35 AM
Mark Correct
Correct Answer
Hi Rick Grant,

I have moved this thread to the RSA SecurID Access page so you can get an answer to your question.

Thanks,
Yasmine
Like • Show 0 Likes0
Actions
- Rick Grant @ Yasmine Dowidar on Nov 21, 2017 2:59 PM
  Mark Correct
  Correct Answer
  Thank you.
  Like • Show 0 Likes0
  Actions
Edward Davis Nov 21, 2017 2:54 PM
Mark Correct
Correct Answer
In the old days Microsoft login with RDP mechanism allowed that. With the new way Microsoft runs RDP and credential manager logins, there is not yet a way I am aware of, to avoid using the windows password twice.
1 person found this helpful
Like • Show 0 Likes0
Actions
- Rick Grant @ Edward Davis on Nov 21, 2017 3:03 PM
  Mark Correct
  Correct Answer
  Not what I was wanting to hear, but answered none the less. Thank you for your help.
  Like • Show 0 Likes0
  Actions
  - Edward Davis @ Rick Grant on Nov 21, 2017 3:19 PM
    Mark Correct
    Correct Answer
    Let me add to this...windows password integration may help (depending on your setup and 'flow')
    
    the second windows password at the RDP destination, might be captured by the RSA windows agent on that machine, and stored on the RSA server, and replayed the next time. So, if you do enable windows password integration, in some setups, you can hide the fact a windows password is needed if the agent can fetch the stored copy, and replay it for the login you are facing. This works to alleviate the need to type in windows password, but it may or may not work for your particular setup and 'chain of login events'. But if you are not using it now, enabling it might help. It will need to ask for the windows password once to capture it, then the next time around, it might allow you through with just the token passcode while it replays the windows password silently in the background for you.
    Like • Show 0 Likes0
    Actions
Jay Guillette Nov 21, 2017 4:46 PM
Mark Correct
Correct Answer
You could take a look at https://community.rsa.com/message/895107?commentID=895107#comment-895107
to get a sense of what Windows 10 is doing and how AM agent currently handles this, and why in some cases you can have three prompts.
Basically we are adding every App you might use or 'Run As' to the GPO or Registry, in order to tell Windows not to prompt for Step-up on access just because the RSA Credential Provider is on the platform
Like • Show 0 Likes0
Actions

Why do I have to authenticate 3 times?

Outcomes

Related Content

Recommended Content