We have some users that are being prompted to enter their RSA passcode when they try to view their saved passwords in Google Chrome. However, when they try to authenticate with the passcode, it fails everytime.
Should Windows even be prompting for RSA credentials for this function?
Is there a setting somewhere in RSA that needs to be changed for this to work?
Thanks in advance for any assistance you can offer,
Keith G.
Keith,
The reported behavior is Functioning as desgined.
The following is workaround:
Run browser as an administrator with an user who has admin access on the machine
- For users who don't have admin credentials, use the 'Access your passwords from any device at passwords.google.com
You have an Authentication Agent for Windows installed, and when you manage Chrome Passwords, Chrome will prompt for the default Credential Provider, which is now the RSA SID Credential Provider so you see a PassCode prompt instead of a Password prompt.
You could check why Passcode is failing, most likely Node secret mismatch if for some reason the System or process user for Chrome does not have permission to read the securID node secret file in the Auth Data directory.
Or
You can exempt Chrome from being prompted for PassCode by adding it as an RDCFileName, either in the registry as a REG_SZ value named RDCFileName under Local Authentication Settings *
or in a GPO as a Remote Desktop Application **
* https://community.rsa.com/docs/DOC-58298
is the KB that explains this issue.
HKEY_LOCAL_MACHINE \SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings
Or on Windows10 the location is
HKEY_LOCAL_MACHINE\software\RSA \RSA Desktop Preferences\Local Authentication Settings\
You may need to search the Registry for your Local Authentication Settings
** https://community.rsa.com/docs/DOC-96717
under Enable Support for multiple Remote Desktop Applications, Chapter 3
Thanks, Jay. That solution worked for us. On my Windows 10 machine the RDCFileName key is in the first location you mentioned (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings).
Paul Henry what value data did you enter for the RDCFilename?
We had created one previously with the value data C:\Windows\System32\CredentialUIBroker.exe
Thanks for the information Jay!
Interestingly, I did get the node secret mismatch error.
However, once I clear the node secret from the agent or the server, the RSA authentication process fails at every prompt. I had to reinstall agent to get it working again.
How do we handle the registry change for this if we have already created an RDCFileName in that same registry directory? The one I've already created has the value: C:\Windows\System32\CredentialUIBroker.exe
This was done previously to fix an issue with remote desktop being challenged by RSA.
just edit RDCFileName and add the path to chrome, delimit with a comma after C:\Windows\System32\CredentialUIBroker.exe, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
verify the path to Chrome
Thanks again! That worked.
just edit RDCFileName and add the path to chrome, delimit with a comma after C:\Windows\System32\CredentialUIBroker.exe, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
verify the path to Chrome