User initially shows passcode accepted and node secret sent, but second authentication fails with node secret mismatch: cleared on agent but not on server for RSA Authentication Agent 7.x for Windows
4 years ago
Originally Published: 2001-10-31
Article Number
000056120
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows  
RSA Version/Condition: AAWin 7.x, IIS agent 7.x or 8.x UDP
Issue

The user initially receives a "passcode accepted" message. The RSA Authentication Manager server log shows that the passcode was accepted and that the node secret was sent to the agent. However, the second and subsequent authentication attempts fail, and the RSA Authentication Manager server log shows the following message:

Node secret mismatch: cleared on agent but not on server.


Cause
The error happens because the node secret cannot be written on the RSA Authentication Agent.

This could be a user permissions or UAT issue. The user may not have rights to write to Winnt\System32 or the registry or disk on this computer.

RSA Authentication Agent 7.x for Windows writes the node secret file named securid to C:\Program Files\Common Files\RSA Shared\Auth Data.
Resolution
The node secret on an RSA Authentication Agent for Windows is named securid and is stored on the agent in C:\Program Files\Common Files\RSA Shared\Auth Data.

If the node secret was sent to the agent but does not exist on the agent, the node secret was not written to C:\Program Files\Common Files\RSA Shared\Auth Data (for the Windows agent) or to \Program Files\RSA Security\RSAWebAgent (for the IIS agent) after it was sent. This indicates some type of permissions or privilege issue, or a folder locked down by UAT.

The resolution is to ensure that the node secret can be written to the C:\Program Files\Common Files\RSA Shared\Auth Data directory by doing one or more of the following:
  • Disabling or modifying UAT,
  • Opening the RSA Control Center or Test Authentication by right-clicking and choosing "Run As Administrator" for elevated permissions, then performing the initial authentication from the RSA Control Center by doing a Test Authentication with a local administrator account, or
  • Modifying the folder permissions on C:\Program Files\Common Files\RSA Shared\Auth Data to allow read/write permissions to the application.
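
Before changing anything, it helps to confirm which condition applies. The following PowerShell check is an added example, not RSA tooling: it reports whether the securid file exists, whether the current session is elevated, whether the folder accepts a write, and who holds rights on it. The function name Test-NodeSecretWritable is hypothetical, and the script assumes it is run in the same user context as the failing authentication.

```powershell
# Added example: read-only diagnostic for the agent's node secret location.
# Path and file name are the ones given in this article (Windows agent).
$authData   = 'C:\Program Files\Common Files\RSA Shared\Auth Data'
$nodeSecret = Join-Path $authData 'securid'

function Test-NodeSecretWritable {   # hypothetical helper name
    param([string]$Directory, [string]$SecretPath)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $result = [ordered]@{
        User             = $identity.Name
        Elevated         = $elevated
        DirectoryExists  = Test-Path -LiteralPath $Directory -PathType Container
        NodeSecretExists = Test-Path -LiteralPath $SecretPath -PathType Leaf
        CanWrite         = $false
        WriteError       = $null
    }

    if ($result.DirectoryExists) {
        # Probe with a throwaway file; never touch the securid file itself.
        $probe = Join-Path $Directory ("probe_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            $result.CanWrite = $true
        } catch {
            $result.WriteError = $_.Exception.Message
        } finally {
            if (Test-Path -LiteralPath $probe) {
                Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            }
        }
    }
    [pscustomobject]$result
}

$status = Test-NodeSecretWritable -Directory $authData -SecretPath $nodeSecret
$status | Format-List

# List the folder's access entries to compare against the failing account.
if ($status.DirectoryExists) {
    (Get-Acl -LiteralPath $authData).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

If CanWrite is False only in a non-elevated session, elevation for the initial authentication is sufficient; if folder permissions are changed instead, grant write access only to the account that needs it, since this folder holds the node secret.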
Workaround
As a workaround, turn off UAT or perform the initial authentication twice with an administrator account.