AnsweredAssumed Answered

Strange issue with offline tokens for a remote user

Question asked by Dell Thornhill on Feb 1, 2019
Latest reply on Feb 1, 2019 by Edward Davis

I have the following situation with one of my remote users: when the RSA Control Center is installed on the user's laptop it will download the offline tokens (30 days, per the AM policy) and then after that it will not refresh the offline tokens again.

Full sequence of events:


1)  Install RSA Control Center

2)  The Control Center downloads the offline tokens.  I see the "offline authentication data download" event in the user's Authentication History in the AM and verify with the user that the Control Center says it has 30 days of offline data available.

---> At this point the user is able to log into her computer using MFA in both online and offline modes.

3)  After 30 days the tokens run out and the user is not able to log on offline any longer.  If I remotely uninstall the RSA Control Center and then reinstall it again, it will start the cycle over and download the offline tokens, but never refresh them.

The user in question works a regular 40 hour work week where she is connected to the corporate VPN for at least 8 hours a day.  While connected the VPN the RSA Control Center on her computer has direct access to the AM; all of the her authentication activity, including offline authentications, are sync'd with the AM and displayed in the user's Authentication History on the AM without issue.  Every other computer in the environment sync's their offline tokens at least once a day when connected to the network either by VPN or being in the office.  I work work remotely as well and my laptop sync's its offline token every time is connects to the corporate VPN.  So this situation is unique to this one user.

Additional info:

Operating system:  Windows 7 x64 with latest Windows Updates and service packs.

RSA Control Center:  I've used 7.4.0 and 7.4.2 with the exact same problem.

Firewall status:  Disabled, but the fact that the Control Center is free to communicate with the AM means that nothing is getting in the way of the client and AM.

Primary and replica AM are on-premise and version 8.3 p02

Everything else about the user's laptop is a standard build, meaning she doesn't have anything special installed.  In fact my own laptop is the same make/model and has the same build and it's able to remotely download the tokens without issue.

Any suggestions would be appreciated.