SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000033802
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.1
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.1
Issue
After Microsoft Windows update MS16-101 was applied on a Windows 10 server with the RSA Authentication Agent 7.3.1 for Windows, RDP logon fails to a destination server for challenged users. The authentication activity log shows the reason for failure is a node secret mismatch on the local agent, not from the destination server/workstation.
When a user launches an RDP session from this RSA-protected source machine, he sees the following screen:
Image description
Then he will see the following window if he is RSA challenged:
Image description
However, this logon always fails even with known good RSA username and passcode. The Security Console Authentication Activity monitor or report shows the following error:
The Source IP column in the Authentication Activity log lists the source Windows 10 machine, not the destination Windows server to which the user is creating an RDP session.
This behavior started after running Windows update MS16-101, which includes security updates for Windows authentication methods.
When a user launches an RDP session from this RSA-protected source machine, he sees the following screen:
Image descriptionImage descriptionHowever, this logon always fails even with known good RSA username and passcode. The Security Console Authentication Activity monitor or report shows the following error:
Node secret mismatch; node secret cleared on agent but not on server.
The Source IP column in the Authentication Activity log lists the source Windows 10 machine, not the destination Windows server to which the user is creating an RDP session.
This behavior started after running Windows update MS16-101, which includes security updates for Windows authentication methods.
Cause
Initial indications are that something changed in how Microsoft calls the RSA credential provider through the CredUA in relation to how RSA was configured. There are two applications that Microsoft can call. These are C:\Windows\System32\CredentialUIBroker.exe or C:\Windows\System32\mstsc.exe.
This problem behavior is due to a change, so the fix is to change it back in the registry. Details below.
This issue happens when the local host meets the following criteria:
If the user is unchallenged, he can successfully initiate an RDP session, and get prompted by the Remote Credential Provider (either by Windows or by RSA) and it works as expected. This second logon, if prompted for passcode of the RSA challenged user, will show the remote destination RDP host as the agent in the Authentication Manager logs.
This problem behavior is due to a change, so the fix is to change it back in the registry. Details below.
This issue happens when the local host meets the following criteria:
- It uses Windows 10 as the operating system,
- It has the MS-101 security updates from 9 August 2016 or later installed, and
- When the local user who initiates an RDP session is challenged by RSA. That is, the user is required to authenticate with a passcode.
If the user is unchallenged, he can successfully initiate an RDP session, and get prompted by the Remote Credential Provider (either by Windows or by RSA) and it works as expected. This second logon, if prompted for passcode of the RSA challenged user, will show the remote destination RDP host as the agent in the Authentication Manager logs.
Resolution
In RSA Authentication Agent 7.3.2, a Remote Desktop Connection Application policy was added to the GPO template to make it easier to apply the workaround described below.
From the agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 needs to be changed back to the RSA version, which is C:\Windows\System32\CredentialUIBroker.exe.
To do this,
Image description
From the agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 needs to be changed back to the RSA version, which is C:\Windows\System32\CredentialUIBroker.exe.
To do this,
- From Start > Run, key in regedit and press Enter.
- Open or create the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings. (On Windows10 the location is HKEY_LOCAL_MACHINE\software\RSA\RSA Desktop Preferences\Local Authentication Settings\. You may need to search for Local Authentication Settings.)
- Create a REG_SZ value named RDCFileName and populate it with the FULLY QUALIFIED path to the application. Set it to C:\Windows\System32\CredentialUIBroker.exe first.
Image description- Reboot the machine and test.
Note: This registry change will be configurable in the GPO templates for RSA Authentication Agent 7.3.2 for Windows.
- If you still have the problem, check spelling and registry settings or use the GPO template.
Workaround
Initiate RDP sessions with a non-challenged RSA user
Since this may be the result of a hardening or security upgrades to Windows, you may simply need to- Open up read (and possibly write, if using auto-registration) permissions to authenticated users to C:\Program Files\Common Files\RSA Shared\Auth Data folder where the securid node secret file is located. This may be due to the fact that RDP is non-priv by default, and something changed in how Microsoft calls the RSA Credential Provider through the CredUA..
To change permissions:
- Open Windows Explorer on the machine with the agent installed.
- Navigate to C:\Program Files\Common Files\RSA Shared\Auth Data.
- Right click the RSA Shared directory and choose Properties.
- Click on the Security tab.
- Under Group or user names, click the Edit button.
- Click Add...
- Create a new object named Authenticated Users and click OK when done.
- Highlight the Authenticated Users object.
- Under Permissions, check the Allow box next to Read.
Image description - Click Apply.
- Click OK.
- Now try to RDP with a challenged user again.
- You will see two prompts here. The first is from the local Windows 10 machine. The second will be on the remote server. There will be a prompt for a passcode if an RSA authentication agent is installed or for password if the RSA agent is not installed.
Notes
JIRA defect AAWIN-2315 has been opened to track the issue.
The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101, is the following note:
This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.
From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider).
The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101, is the following note:
This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.
From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider).
In this article
