Authentication Agent, AAWin v. 7.4.4 on Citrix Windows non-persistent VDI node secret mismatch
Originally Published: 2021-06-07
Article Number
000043107
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x
Platform: Windows
Platform (Other): authentication failures
O/S Version: 10, Server 20xx
Issue
The VDI scenario is as follows:
1. The Windows agent auto-registers and creates a node secret (which is used to encrypt all subsequent authentications). The node secret is created on the agent's C:\ disk drive.
2. The user logs out but does not shut down; the VDI destroys the write cache, including the agent's node secret, which is on that disk.
3. Testing shows failed authentications after the write cache is cleared: node secret mismatch, because the node secret was cleared on the agent but not on the server.
 
Cause
Non-persistent VDI mode clears the write cache, which includes all changes to the C:\ drive. Since the Windows UDP agent creates its node secret (a symmetric key) on the C:\ drive where it is installed, the node secret is cleared too.
 
Resolution
The customer's VDI team had a D:\ drive that they could use to persist data across sessions. They created a hard link on the C:\ drive that points to the node secret directory on the D:\ drive. This appears to be working as a workaround.
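As an added example (not part of this article and not RSA's own tooling), the following PowerShell script implements the D:\ redirection described above. It assumes placeholder paths for the agent's node secret directory, which the article does not name, and uses an NTFS directory junction rather than a hard link, because NTFS hard links only apply to files; it is meant to be run once in the master image, since anything created on C:\ inside a session is wiped with the write cache.

```powershell
# Added example, not RSA's code. Redirect the agent's node secret directory on
# C:\ to the persistent D:\ drive through an NTFS directory junction.
# Both paths are placeholders (assumption): the article does not name the real
# node secret directory of the Authentication Agent for Windows.
$AgentDir   = 'C:\PLACEHOLDER\NodeSecretDir'
$PersistDir = 'D:\PersistentAgentData\NodeSecret'

# Refuse to run if the persistent drive is not present in this image.
if (-not (Test-Path -LiteralPath 'D:\')) {
    throw 'Persistent drive D:\ is not available'
}

$existing = Get-Item -LiteralPath $AgentDir -ErrorAction SilentlyContinue
$isLink   = $existing -and ($existing.Attributes -band [IO.FileAttributes]::ReparsePoint)

if (-not (Test-Path -LiteralPath $PersistDir)) {
    New-Item -Path $PersistDir -ItemType Directory | Out-Null
    if ($existing -and -not $isLink) {
        # The node secret is a symmetric key: carry the original directory's
        # DACL over to the persistent copy so it is not more readable on D:\.
        Set-Acl -LiteralPath $PersistDir -AclObject (Get-Acl -LiteralPath $AgentDir)
    }
}

if ($existing -and -not $isLink) {
    # A real directory already exists on C:\ (e.g. the agent registered in the
    # master image): move its contents to D:\, then replace it with the junction.
    Get-ChildItem -LiteralPath $AgentDir -Force |
        Move-Item -Destination $PersistDir -Force
    Remove-Item -LiteralPath $AgentDir -Recurse -Force
    $existing = $null
}

if (-not $existing) {
    New-Item -Path $AgentDir -ItemType Junction -Value $PersistDir | Out-Null
}

# Verify: the C:\ path must now be a reparse point whose target is the D:\ directory.
$link = Get-Item -LiteralPath $AgentDir
if (-not ($link.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
    throw "$AgentDir is not a junction"
}
# .Target is the junction target (PowerShell 5.1+; PowerShell 7 also exposes .LinkTarget).
if (($link.Target | Select-Object -First 1).TrimEnd('\') -ne $PersistDir.TrimEnd('\')) {
    throw "$AgentDir points at $($link.Target), expected $PersistDir"
}
"$AgentDir -> $PersistDir (junction OK)"
```

Run it elevated in the master image before sealing; after a write-cache reset, re-run only the verification block to confirm the junction survived and still resolves to D:\.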

The RSA Authentication Agent for Windows was not designed to function in this use case.
Workaround
Workarounds:
1. To resolve this issue, reset the node secret by clearing the node secret on the Authentication Manager (AM) server.
2. Reboot the Windows agent to allow auto-registration to create a new node secret on both the agent and the AM server.
3. Use the REST agent API instead of the UDP agent: the MFA Agent for Windows v2.0.x does not use a node secret.
4. A daily AMBA job to clear server-side node secrets for auto-registered agents would probably be neither practical nor reliable enough to work every time.
Notes
Refer to the VDI and virtual host documentation for information on how to persist data to a second drive location. The RSA Authentication Agent for Windows has no mechanism to handle this situation or use case. This Knowledge Base article is provided as an idea of how one might configure a virtual Windows machine in this particular situation or use case.