Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
HassanMehsen
Respected Contributor
Respected Contributor

Windows MFA Agent 2.0.1

Dears,

 

We are trying to deploy MFA agent 2.0.1 for Windows which we are facing a very weird problem on few workstations,

 

The issue is that , after configuring the GPO parameters on the local workstation to push the authentication to CAS,  the RSA test tool is showing "Unsuccessful connection to RSA SecurID Access"

 

We have went through the following:-

  • In the GPO policy "RSA SecurID Authentication API REST URL," confirm that the value uses the following format: https://<hostname>:port/ where hostname is the Authentication Service Domain specified in the Cloud Administration Console or the Fully Qualified Domain Name specified in the Authentication Manager Operations Console. For Authentication Manager, you can enter up to 15 commaseparated URLs.
  • In the GPO policy "RSA SecurID Authentication API REST URL," confirm that the value exactly matches the key specified in the Cloud Administration Console or the Authentication Manager Security Console.
  • Confirm that the computer has internet connectivity and can access the RSA SecurID Authentication API REST URL.
  • l Ensure that the root CA certificate for Authentication Manager is installed properly in the Trusted Root Certification Authorities folder in the local machine context.

Which is already mentioned under the MFA agent 2.0.1 installation guide.

 

We have also took a Wireshark capture from the workstation itself filtering on the URL being used as the authentication server on the GPO parameters, which didnt show any packets going to this URL when pushing an authentication from the workstation using the RSA tool.

 

Enabled the verbose logging on the MFA agent which showed  the following error:-

2020-09-15 05:33:51.822 15580.1 [RSA.Authentication.Connection.ConnectionHandler.GetConnection] No Servers Available for Authentication.

 

 

We have whitelisted the MFA agent from the endpoint protection software on the workstation itself unfortunately it didn't worked.

 

I have opened a case with RSA support team and till now no one is able to tell us what is happening on those workstations.

 

Our workstation is running Windows 10 latest patches and updates.

 

Anyone can help on this.

 

Thanks.

Labels (1)
0 Likes
7 Replies
SAMADAMS
Beginner
Beginner

Hassan,

I am experiencing the same issue. Were you able to find a solution?

0 Likes
HassanMehsen
Respected Contributor
Respected Contributor

We are still facing the same issue till now, we have noticed that our endpoint security was quarantining few files while the agent is trying to write some files on the Windows directory,

 

Another thing to mention is that once we uninstall the MFA agent and install back it works finally for couple of days which then the authentication will revert back to the offline method(agent is unable to reach the cloud),

 

From the firewall nothing was showing and the MFA agent logs clearly shows that the agent is not able to recognize the authentication server configured already under the workstation GPO.

 

We are still waiting RSA support to see if they can do anything about it.

0 Likes
pkirui
Contributor
Contributor

Hi Sam and Hassan,

Did you get solution to above problem?

0 Likes
pkirui
Contributor
Contributor

Just in case you have not solved this issue. I was doing similar installation yesterday and got the same problem: "Unsuccessful connection to RSA SecurID Access".

error.png

For your installation you seem to be using RSA AM as proxy but for me I am connecting direct to the RSA CAS. I counter-checked my configurations below and everything looked good

mfa.PNG

I later noticed for some reasons configurations above was not applied in GPO. I checked with gpresult /H filename.html and noticed that. For my case I had a different machine that works fine with RSA MFA so I did exported [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop] from that machine to a .txt file and modified it as follows then changed it to .reg:

 

rsa-mfa1.PNG

 

I copied the .reg file to the machine that has issues of "Unsuccessful connection to RSA SecurID Access"  and  double clicked on it in order to upload. Test authentication should be successful now.

success.PNG

 

That was my workaround and hope that can help.

0 Likes
JochenHoffmann
Occasional Contributor
Occasional Contributor

Hi All, 

we ran into a similar issue with RSA Agent for Microsoft ADFS 2.x which may be related to your issue, too. Maybe it's worth a shot. 

As there's HTTPS / REST communication to RSA AM / CAS used, system proxy settings are taken into account. In our case, the RSA agent installed on our ADFS servers sent the AUTH request via a proxy server, but the firewall blocked the proxy request to our RSA AM servers. Another ADFS server has had incorrect system proxy settings.  

We checked and modified the system proxy settings with `netsh winhttp show proxy` reps. `netssh winhttp set proxy` commands. 

 

Cheers, 

Jochen.

0 Likes
HassanMehsen
Respected Contributor
Respected Contributor

The same thing happened in our case, which we found then,  that the GPO policy was applied and rather than the local one that we are trying to configure, after applying the GPO policy the authentication worked fine for couple of days and then it stopped.

 

While troubleshooting the issue, we found that the endpoint protection was causing this behavior, while the agent being installed on the windows workstation the EP was quarantining few files being written by the agent to the windows directory.

 

We have whitelisted those files which solved the authentication thing.

0 Likes
googol
Contributor
Contributor

We are having similar problems with v2.0.1 and v2.0.2, works for a few days, then craps out, if you restart the RSA MFA service, works again.

On certain systems, if you reboot the computer, its stuck in offline state and even after waiting 5-10min, still offline. yet its clearly online since I have full jump client remote connectivity just fine.

I had to revert back to v1.2.1 for those affected, that seems more stable. just sucks since dont have the newer features like setting up logging or the offline tokencode options.

I opened a ticket and hope support can resolve this issue soon. Perhaps the next version of the MFA agent will be better, as it says in next few months there will be a "passwordless" version with FIDO security key.

0 Likes