SecurID® Discussions
JackAlexander
Beginner

Regarding Agent 7.3.3

Just installed RSA agent 7.3.3 on Server 2016. Works fine; however, when I am logged into my VM and try to RDP to another server, it now asks me for username and passcode in the Remote Desktop Connection instead of, as in previous versions, username and password, then username and passcode.

Cannot seem to get any further now RDPing from this Server 2016.

Any ideas?


Accepted Solutions
JayGuillette
Apprised Contributor

Jack,

You need a Registry entry to tell the Windows platform NOT to prompt you locally when you RDP to another Windows platform.  Create a REG_SZ string value named "RDCFileName" in the 'From' registry under RSA's Local Authentication Settings, with the value

                C:\Windows\System32\CredentialUIBroker.exe

How to find something like this on RSA Link?

[Screenshot: Link_searchRDP.png]

000034009 - RSA Authentication Agent 7.3.1 for Microsoft Windows prompts for passcode when used as an RDP jump host 

Background - more detail 

When RDP'ing from one Windows platform to another, there are potentially three prompts for credentials between the two Windows platforms. I will refer to the Windows platforms as

  The initiating, local or 'From' Windows Server or Workstation that you are working on
  The receiving, or remote or 'To' Windows Server or Workstation that you want to RDP to

It also appears to us that one of these prompts can be taken care of or hidden by Windows, or used to be taken care of or hidden before Windows security update MS16-101, or related updates, which appeared starting in August of 2016.

 

The three credential prompts:
1. a prompt on the local or 'From' host to access the network, in order to reach the remote or 'To' RDP host
2. a prompt on the remote or 'To' RDP host: if there is an RSA agent, this will be a prompt for a PassCode; if no RSA AM agent is installed, go to prompt 3 below
3. the prompt for the Windows Password

 

In short, if you have RSA Authentication agents on both the 'From' and 'To' hosts, you will see all three prompts by default.

 

To prevent prompt #1, when the 'From' Windows host has an agent, create a REG_SZ string value named "RDCFileName" in the 'From' registry under RSA's Local Authentication Settings, with the value

                C:\Windows\System32\CredentialUIBroker.exe

Correct spelling and path are critical, or use the new 7.3.2 GPO templates to set this. You may need to F3 search the registry for Local Authentication Settings, or even create it. We found it under either

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings

or

HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktoptop Preferences\Local Authentication Settings

See screenshots below.

We believe this 1st prompt is due to how MS handles our agent request to access the network, under NLA, but whether our assumption on that is correct or not, this fix works.

 

The 2nd prompt is due to the presence of the RSA agent on the 'To' remote Windows host. If the user is challenged, they need to enter a PassCode, but if the user is not challenged, they can enter a Password. It would be impossible to know ahead of time whether a user will be challenged, so the only control you have over this is a GPO to display either PassCode or Password for everyone, with the RSA logo indicating the presence of our agent.

 

The 3rd prompt, which would be the 2nd prompt if no RSA agent were present on the 'To' remote Windows host, is for a Windows Password. If this is the 3rd prompt, RSA has a way to take care of it with a feature/policy known as Windows Password Integration, where we learn your Windows Password the first time you do this (assuming the policy is configured and affects the user); then every time after that we pass the MD5 hash of this password to Windows for the user.

 

RSA's Local Authentication Settings\RDCFileName

[Screenshots: Regedit_RDCFileName.png, Regedit_RDCFileName3.png]

GPO settings to avoid prompts on various Remote Desktop Connection applications that start RDP: C:\Windows\System32\CredentialUIBroker.exe, C:\Windows\System32\mstsc.exe, C:\Program Files(x86)\Microsoft\Remote Desktop Connection Manager\rdcman.exe

[Screenshot: GPO_RDPapps.png]

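One way to apply the RDCFileName setting on a 'From' host with PowerShell, as an added example that is not from the original post or from RSA's own tooling. It assumes the two key paths quoted in the answer (copied as written there) and, if neither exists, creates the Policies one; it also refuses to write a value whose path is misspelled, since the answer stresses that the spelling and path must be exact.

```powershell
# Added example (not from the original post or RSA's own tooling).
# Sets RDCFileName (REG_SZ) under RSA's Local Authentication Settings on the
# 'From' host and verifies it. Assumption: if neither candidate key exists,
# the Policies key is created, as the answer says the key may need creating.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ValueName  = 'RDCFileName'
$ValueData  = 'C:\Windows\System32\CredentialUIBroker.exe'
# Key paths exactly as quoted in the answer above.
$Candidates = @(
    'HKLM:\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings',
    'HKLM:\SOFTWARE\RSA\RSA Desktoptop Preferences\Local Authentication Settings'
)

# Spelling and path are critical: never write a value pointing at a binary
# that does not exist on this host.
if (-not (Test-Path -LiteralPath $ValueData -PathType Leaf)) {
    throw "Expected broker binary not found: $ValueData"
}

# Use the first key that already exists; otherwise create the Policies key.
$Key = $Candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $Key) {
    $Key = $Candidates[0]
    New-Item -Path $Key -Force | Out-Null
    Write-Host "Created key $Key"
}

# Record any previous value so the change is auditable and reversible.
$Previous = (Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($Previous -and $Previous -ne $ValueData) {
    Write-Warning "$ValueName was '$Previous'; replacing with '$ValueData'"
}

# -PropertyType String is REG_SZ; -Force overwrites an existing value.
New-ItemProperty -LiteralPath $Key -Name $ValueName -Value $ValueData -PropertyType String -Force | Out-Null

# Read back and compare case-sensitively to catch any typo in the stored value.
$Actual = (Get-ItemProperty -LiteralPath $Key -Name $ValueName).$ValueName
if ($Actual -cne $ValueData) {
    throw "Verification failed: '$Actual' does not match '$ValueData'"
}
Write-Host "OK: $Key\$ValueName = $Actual"
```

Run it once per 'From' host (or push it via your existing configuration tooling); the answer notes the 7.3.2 GPO templates as the alternative to setting the value by hand.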

3 Replies

JackAlexander
Beginner

We use the RSA agent on all our servers. Adding a registry key on every server is rather annoying, considering that on older agent versions and OS we didn't have to.


I don't disagree, this is very annoying, but this whole thing started when Microsoft pushed out Security Update MS16-101 last year; that's when customers started calling, saying that with existing Windows agents installed and working properly, and the only change being this MS update, the double prompt started happening. We believe this is caused by MS security changes that invoke NLA when you seek to access the network in order to RDP to another Windows platform. The prompt is coming locally, on the 'From' RDP host.

Maybe Engineering can add this as part of the RSA install.
