SecurID Authenticate Tokencode Integration Issues and Solutions
If you receive an error that is related to the SecurID Authenticate Tokencode integration, perform the tasks listed in the following table.
| Issue | Solution |
| General Integration Issues | |
| Existing RSA Authentication Manager 8.2 SP1 and 8.3 users who do not have an active RSA SecurID hardware or software token assigned to them are unable to authenticate with the Authenticate Tokencode. | See Enable the RSA SecurID Authenticate App for Specific Users to enable these users to use the Authenticate Tokencode. Version 8.4 users without active tokens do not require this procedure. |
| An error message states that the node secret is not available on the authentication agent, or the node secret does not exist on the authentication agent but there is no error message. | The node secret encrypts communication between an authentication agent and AM. Node secrets are required for users to authenticate on RSA authentication agents. If you install a new authentication agent, make sure that there is a node secret. AM automatically creates and sends the node secret to the authentication agent after a user successfully authenticates to the agent with an RSA SecurID hardware token, an RSA SecurID software token, or a fixed passcode, or after an administrator manually creates the node secret with the Node Secret Load Utility. Using the RSA Authenticator app for Authenticate Tokencode or PIN with Approve authentication does not create the node secret. You might need to refresh the node secret when an administrator has cleared the node secret on both an authentication agent and the AM instance. For instructions, see Refresh the Node Secret. |
| A user already has the maximum number of tokens. | You can assign up to three active tokens per user, unless an administrator reduces this number, as described in Restrict the Number of Active Tokens per User. The RSA SecurID Authenticate app counts against this limit. Disable or unassign at least one active RSA SecurID hardware or software token. |
| SecurID Trusted Realm Integration Issues | |
| Authentication fails intermittently when AM is configured to send SecurID Authenticate Tokencodes to an IDR SSO Agent trusted realm. | In this configuration, any changes in the Cloud Authentication Service deployment require updates in AM. For example, you can provide AM with the updated hostname or IP address used by the SecurID identity router. For instructions, see Repair an RSA Trusted Realm. If the trusted realm uses more than one IP address, edit the hosts file, as described in Add an SecurID Deployment to RSA Authentication Manager as a Trusted Realm. |
| Time-based RSA SecurID tokencode and Authenticate Tokencode authentication fails, even though users are entering the correct information. | The time difference between the RSA Authentication Manager instance and the identity router is greater than 50 seconds. Make sure the RSA Authentication Manager instances and identity routers synchronize the time against the same Network Time Protocol (NTP) server. On each RSA Authentication Manager primary or replica instance, log on to the Operations Console and select Administration > Date & Time. To change the time on the RSA identity router, contact your Cloud Authentication Service administrator. |
| The connection between AM and the Cloud Authentication Service repeatedly times out. | By default, AM waits 30 seconds for a response after sending an authentication request, but you can increase this value. For instructions, see Configure a Timeout Setting for Authentication Requests. |
| An authentication agent rejects SecurID Authenticate Tokencodes. Other authentication agents send Authenticate Tokencodes to the Cloud Authentication Service. | For each authentication agent being used with the RSA trusted realm, select Enable Trusted Realm Authentication. For instructions, see Add an Authentication Agent. |
| Users cannot be found in the RSA trusted realm. | Contact your RSA administrator. The Cloud Authentication Service administrator might need to synchronize the identity source with the Cloud Authentication Service. For instructions, see the RSA IDR SSO Agent Setup and Configuration Guide. |
| A user who exists in a SecurID identity source cannot authenticate with an Authenticate Tokencode. | Ask the user to authenticate again. If authentication continues to fail, then contact your Cloud Authentication Service administrator. The Cloud Authentication Service administrator might need to see the Help topic Troubleshooting Cloud Access Service User Issues for possible solutions. |
| Cloud Authentication Service Issues When Using SecurID Authentication | |
| Authentication fails intermittently when RSA SecurID is used as an authentication method to protect SaaS and on-premise web applications. | Authentication can fail if the static route between AM and the IDR SSO Agent needs to be updated. For example, update the static route if a new AM replica instance is added, an existing AM primary or replica instance has a new IP address, or the hostname of the identity router changes. For instructions, see the Help topic Static Routes. Authentication can fail for other reasons. In AM, do the following: |