Offline logon failure then loop back to login screen RSA Authentication Agent 7.3.3 [99] for Windows
Originally Published: 2019-05-13
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.3 [99]
Issue
- Offline authentications on RSA Authentication Agent for Windows 7.3.3 [99] fail with no message; it just loops back to the Credential Provider Logon Screen several times, before finally working.
- Slowness in reading or decrypting the offline day files
Cause
This used to take about one second, but with the December 2018 Windows 10 release that hashing time jumped to eight seconds. Multiply that eight seconds by the acceptable tokencode window and multiple again if the user is assigned more than one token and the result is it often takes a very long time (that is, an elapsed times greater than 90 seconds) for the agent to perform an offline one time passcode (OTP) authentication.
It takes so long, in fact, that LogonUI seems to have exceeded a timeout (or something similar). Thus, when the agent's CredProvider eventually returns the user credentials, the LogonUI restarts the credential collection sequence instead of submitting the credentials to Winlogon for authentication.
There is probably code in the crypto libraries that uses the optimal instructions based on the CPU but falls back to the most portable algorithm if the CPU is not recognized [wmic cpu get name].
Log analysis
- The user submits credentials at UTC 00:38:51:
2019-03-20 00:38:51.773 13296.784 [V] [Credential::GetSerialization -- MAIN] Enter
- We take ~45 seconds to return credentials to LogonUI.
2019-03-20 00:39:36.527 13296.784 [I] [Credential::GetSerialization_OriginalDesign] authenticateResult from authenticate: returnCode=0 actionCode=0
2019-03-20 00:39:37.874 13296.784 [V] [Credential::GetSerialization -- MAIN] Return
- LogonUI starts to unwind the authentication attempt without attempting authentication with the credentials that we have returned.
2019-03-20 00:39:37.874 13296.784 [V] [Credential::UnAdvise] Enter
- If credentials had been submitted, the next call in the SIDCredProvider log would have been
[Credential::ReportResult] Enter
Resolution
Documentation and release notes for the agent can be found on the RSA Authenticaiton Agent for Microsoft Windows page.
Workaround
As a wordaround the LogonUI timeout is controlled by the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.
Add a DWORD Value: IdleTimeOut and set to 120000, equal to two minutes.
Notes
===SIDAuthenticator(LogonUI).log===
2019-03-20 00:38:51.803 nCurrentTime: 0x5c918b9b
2019-03-20 00:38:51.803 Cached challenge status for <UserID> is stale.
2019-03-20 00:38:51.803 fullGroupPath = <Dom>\<Challenge_Group>
2019-03-20 00:38:51.803 groupDomainORworkstationName = <Dom>, groupName = <Challenge_Group>
2019-03-20 00:38:51.803 m_userDomainORworkstationName = US, m_userName = <UserID>, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = false, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
2019-03-20 00:38:52.041 pNameTranslate->Init failed, possibly the Global Catalog is not available.
2019-03-20 00:38:52.041 Caught HRESULT: The specified domain either does not exist or could not be contacted.
2019-03-20 00:38:52.041 ::CheckDirectDomainMember] Failed to get user path, throw E_FAIL
2019-03-20 00:38:52.041 getChallengeType has determined that the user is challenged.
2019-03-20 00:39:36.520 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:39:37.937 ::~CommonAuthenticator] Return
2019-03-20 00:40:07.908 ::LACAuthenticator] Enter
2019-03-20 00:40:07.908 Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2
2019-03-20 00:40:07.912 The Challenge Group sAMAccountName policy is <Dom>\<Challenge_Group>
2019-03-20 00:40:08.336 getChallengeType has determined that the user is challenged.
2019-03-20 00:40:13.550 SD_Init succeeded.
2019-03-20 00:40:47.180 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:40:47.681 ::~CommonAuthenticator] Return
2019-03-20 00:41:02.552 ::LACAuthenticator] Enter
2019-03-20 00:41:03.220 getChallengeType has determined that the user is challenged.
2019-03-20 00:41:08.327 ::getSIDUsername (char version)] Return
2019-03-20 00:41:59.996 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:42:00.576 ::~CommonAuthenticator] Return
2019-03-20 00:43:05.797 ::LACAuthenticator] Enter
2019-03-20 00:43:06.243 ::GetAuthDataDir] Return
2019-03-20 00:43:16.481 ::initAceClient] SD_Init succeeded.
2019-03-20 00:43:43.817 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:43:44.604 ::~CommonAuthenticator] Return
2019-03-20 00:43:58.907 ::LACAuthenticator] Enter
5x - AceGetDAAuthData success: token serial number = 0004******36
from 2019-03-20 00:39:36.520 to 2019-03-20 00:44:58.167
===SIDCredentialProvider(LogonUI).log===
2019-03-20 00:30:25.884 13296.784 [V] [WindowsAccount::WindowsAccount] Enter
2019-03-20 00:38:51.803 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:40:07.906 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:41:02.551
2019-03-20 00:43:05.794
2019-03-20 00:43:58.906
2019-03-20 00:43:58.907 13296.784 [V] [AuthMechWrapper::authenticate] Enter
2019-03-20 00:44:58.172 13296.784 [V] [WindowsAccount::setDomain] Enter
2019-03-20 00:44:58.176 authenticateResult from authenticate: returnCode=0 actionCode=0
2019-03-20 00:38:51.803 nCurrentTime: 0x5c918b9b
2019-03-20 00:38:51.803 Cached challenge status for <UserID> is stale.
2019-03-20 00:38:51.803 fullGroupPath = <Dom>\<Challenge_Group>
2019-03-20 00:38:51.803 groupDomainORworkstationName = <Dom>, groupName = <Challenge_Group>
2019-03-20 00:38:51.803 m_userDomainORworkstationName = US, m_userName = <UserID>, m_bInitialized = true, m_hrCoInitialize = 0x1, m_bIsLocalUser = false, m_bIsLocalGroup = false, m_bIsDomainUsersGroup = false, m_bIsUserFQDN = false, m_bIsGroupFQDN = false
2019-03-20 00:38:52.041 pNameTranslate->Init failed, possibly the Global Catalog is not available.
2019-03-20 00:38:52.041 Caught HRESULT: The specified domain either does not exist or could not be contacted.
2019-03-20 00:38:52.041 ::CheckDirectDomainMember] Failed to get user path, throw E_FAIL
2019-03-20 00:38:52.041 getChallengeType has determined that the user is challenged.
2019-03-20 00:39:36.520 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:39:37.937 ::~CommonAuthenticator] Return
2019-03-20 00:40:07.908 ::LACAuthenticator] Enter
2019-03-20 00:40:07.908 Unable to open preferences key "SOFTWARE\RSA\RSA Desktop Preferences\Local Authentication Settings", return = 0x2
2019-03-20 00:40:07.912 The Challenge Group sAMAccountName policy is <Dom>\<Challenge_Group>
2019-03-20 00:40:08.336 getChallengeType has determined that the user is challenged.
2019-03-20 00:40:13.550 SD_Init succeeded.
2019-03-20 00:40:47.180 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:40:47.681 ::~CommonAuthenticator] Return
2019-03-20 00:41:02.552 ::LACAuthenticator] Enter
2019-03-20 00:41:03.220 getChallengeType has determined that the user is challenged.
2019-03-20 00:41:08.327 ::getSIDUsername (char version)] Return
2019-03-20 00:41:59.996 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:42:00.576 ::~CommonAuthenticator] Return
2019-03-20 00:43:05.797 ::LACAuthenticator] Enter
2019-03-20 00:43:06.243 ::GetAuthDataDir] Return
2019-03-20 00:43:16.481 ::initAceClient] SD_Init succeeded.
2019-03-20 00:43:43.817 AceGetDAAuthData success: token serial number = 0004******36
2019-03-20 00:43:44.604 ::~CommonAuthenticator] Return
2019-03-20 00:43:58.907 ::LACAuthenticator] Enter
5x - AceGetDAAuthData success: token serial number = 0004******36
from 2019-03-20 00:39:36.520 to 2019-03-20 00:44:58.167
===SIDCredentialProvider(LogonUI).log===
2019-03-20 00:30:25.884 13296.784 [V] [WindowsAccount::WindowsAccount] Enter
2019-03-20 00:38:51.803 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:40:07.906 ::startInputCapture] Hidden dialog created, showing wait cursor.
2019-03-20 00:41:02.551
2019-03-20 00:43:05.794
2019-03-20 00:43:58.906
2019-03-20 00:43:58.907 13296.784 [V] [AuthMechWrapper::authenticate] Enter
2019-03-20 00:44:58.172 13296.784 [V] [WindowsAccount::setDomain] Enter
2019-03-20 00:44:58.176 authenticateResult from authenticate: returnCode=0 actionCode=0
Related Articles
RSA Authentication Agent for Windows shows no login tiles on the login screen Number of Views CyberArk pass-through authentication stops at the login screen when the RSA Authentication Agent 7.x for Windows is installed Number of Views Slow Windows login; Windows Password Integration (WPI) does not work for RSA Authentication Agent 7.3.3 for Windows Number of Views RSA Identity Governance & Lifecycle collector throws "Login failed. The login is from an untrusted domain and cannot be us… Number of Views Parsing Old Messages Against A New XML Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide Troubleshooting RSA MFA Agent for Microsoft Windows How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device How to recover the Application and AFX after an unexpected database failure in RSA Identity Governance & Lifecycle
Don't see what you're looking for?
