Updating RSA SecurID Access SSL portal certificate can break Authenticate App tokencode - Authentication Manager integration

2 years ago

Originally Published: 2017-07-24

Article Number

000040739

Applies To

RSA Product Set: SecurID Access

Issue

After updating the IDR portal certificate via My Account > Company Settings, SecurID authentication with the Authenticate App no longer works.
When attempting authentication, the Authentication Manager Authentication Activity Monitor shows:

RSA SecurID Access Authenticator Tokencode verification failed for user "<username>" Unexpected return code or unexpected exception occurred.

Cause

The new certificate is chained from a different root certificate than the original certificate.

The Authenticate App<->Authentication Manager agent integration (both trusted realm for SecurID Access-only users and the Authenticate App integration for Authentication Manager users) depends on the Authentication Manager trusting the IDR root certificate. Changing the IDR root certificate will break either type of existing IDR<->Authentication Manager trust relationship.

Resolution

If using a trusted realm for Authenticate App integration (SecurID Access-only users), delete the existing trusted realm in the Security Console and then re-run the manage-securid-access-trusts command line utility per Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.
If Authentication Manager users are using the Authenticate App to authenticate through SecurID Agents then load the IDR's new root certificate per step 6 of Configure RSA Authentication Manager to Handle Authenticate Tokencodes.

Notes

If the root certificate has not changed then updating the SecurID Access portal certificate should not affect Authenticate App authentication.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles