Three incorrect token passcodes on RSA Authentication Agent 7.4.x for Windows cause the user's Active Directory account to lock
Originally Published: 2019-02-14
Article Number: 000044674
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.4.x, 7.3.3
Platform (Other): Windows
Issue
When attempting to authenticate through an RSA Authentication Agent 7.4.0[40] or 7.4.2[122] for Windows, we have noticed that if we enter an incorrect passcode we are returned to the logon prompt; we do not reach the password prompt and so Windows Password Integration never gets the opportunity to run.  This is expected.

If we enter three incorrect passcodes, the user account becomes locked in AD.  This behavior is only seen on a Windows agent; other agents do not lock AD accounts.  It also occurs regardless of how the User Enable Status of the external Identity Source (AD) is configured in Authentication Manager, whether as "manage in both directory and AM" or "manage only in directory".

Screenshot: Account enable status

It was our understanding that a SecurID lockout is fully independent of the AD (Domain) account and that one cannot affect the other.
Cause
The Authentication Agent for Windows GPO setting Preserve Failed Authentication History has been set.  The Preserve Failed Authentication History GPO template file, named RSADesktop_PreserveFailedAuthHistory, contains policy settings that control whether the RSA Authentication Agent 7.2.1 (and later) displays the history of failed logon attempts when a user logs in successfully.  When the policy is enabled, the agent submits an artificial bad password to Windows each time a bad passcode is entered, so every failed passcode is also counted by Windows as a failed password attempt.  This design reflects the expectation of a government agency that asked RSA not to interfere with the Microsoft AD policy.

Enabling this policy makes the RSA agent respect the Local or AD lockout policy settings, which in this case were set to three failures to produce a lockout.
Screenshot: Windows Account Lock
Resolution
Disable or remove the RSADesktop_PreserveFailedAuthHistory GPO policy.

The Do Not Preserve History (default) mode displays descriptive authentication failure messages to users during logon, but it does not preserve failed authentication history for display at a successful logon when Windows is configured to show last interactive logon information.
Workaround
A workaround is to raise the AD account lockout count so that three failed passcodes no longer reach the lockout threshold.
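The following audit script is an added example, not part of the RSA article: it finds GPOs that deploy the Preserve Failed Authentication History setting described in the Cause section and compares the domain lockout threshold against the three failed passcodes from the Issue section, so an administrator can see the exposure before choosing the Resolution or Workaround. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the RSA ADM/ADMX template is available to the machine generating the GPO report (otherwise the setting's display name will not appear in the XML), and that no fine-grained password policy overrides the default domain policy.

```powershell
# Added audit script (not from the RSA article). Requires the GroupPolicy and
# ActiveDirectory RSAT modules and read access to the domain's GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Display name of the agent setting named in the article; the template file
# that carries it is RSADesktop_PreserveFailedAuthHistory.
$SettingName = 'Preserve Failed Authentication History'

function Find-PreserveFailedAuthHistoryGpo {
    # Returns every GPO whose XML report mentions the setting. Searching the
    # rendered report avoids depending on the underlying registry value, which
    # the article does not give. The RSA template must be present for the
    # display name to be rendered; otherwise only raw registry paths appear.
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match [regex]::Escape($SettingName)) {
            [pscustomobject]@{
                GpoName = $gpo.DisplayName
                GpoId   = $gpo.Id
                Status  = $gpo.GpoStatus
            }
        }
    }
}

function Test-LockoutExposure {
    # Compares the default domain lockout threshold with the number of failed
    # passcodes that locked the account in the article (three). A threshold of
    # 0 means Windows account lockout is disabled.
    param([int]$FailedPasscodes = 3)
    $policy    = Get-ADDefaultDomainPasswordPolicy
    $threshold = $policy.LockoutThreshold
    [pscustomobject]@{
        LockoutThreshold    = $threshold
        LockoutDuration     = $policy.LockoutDuration
        LocksAfterNAttempts = ($threshold -gt 0 -and $threshold -le $FailedPasscodes)
    }
}

$gpos     = @(Find-PreserveFailedAuthHistoryGpo)
$exposure = Test-LockoutExposure
if ($gpos.Count -gt 0 -and $exposure.LocksAfterNAttempts) {
    Write-Warning "Setting deployed by GPO(s): $($gpos.GpoName -join ', ')"
    Write-Warning "Lockout threshold is $($exposure.LockoutThreshold); three bad passcodes will lock the AD account."
}
$gpos | Format-Table -AutoSize
$exposure | Format-List
```

If the script reports both a deploying GPO and a threshold of three or fewer, disabling that GPO (the Resolution) or raising the threshold (the Workaround) removes the condition the article describes.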