Agent 7.X for IIS 7.5 on Windows 2008 for SecurID: AUTHN_METHOD_FAILED when trying to authenticate
2 years ago
Originally Published: 2012-09-28
Article Number
000052084
Applies To
-Real time authentication monitor shows "AUTHN_METHOD_FAILED"
-All network connectivity has been verified, including name resolution
-The machine is not dual/multi homed
-The IP address being sent per the real time monitor is correct
-There are no firewalls between the servers
-The node secret (securid) file is not being received by the IIS server
-Agent is set up properly in the security console of the AM server

Issue
Agent 7.X for IIS 7.5 on Windows 2008 R2 for SecurID: AUTHN_METHOD_FAILED when trying to authenticate

Cause
While this is not the only cause of AUTHN_METHOD_FAILED, pay particular attention to the DEP setting on Windows Server 2008. When DEP is set system-wide for all programs, it can prevent the Windows server from accepting the securid file (node secret), which the server by default pushes over on the first authentication request. Without the node secret, the authentication request will be denied, even when the credentials are valid.

Resolution
To test whether this is the root cause of the node secret not being received by the IIS server agent, disable DEP using one of the two methods below:

Via the GUI:

Go to Start, right-click Computer, and click Properties. In the System window, click Advanced System Settings.
In the System Properties window, under Performance, click Settings.
In the Performance Options window, go to the Data Execution Prevention tab and select the second option, "Turn on DEP for all programs and services except those I select".

Via the command line:

Click Start -> Run -> cmd
At the command line, type the following command and press Return:

  
bcdedit.exe /set {current} nx AlwaysOff
  
Retest authentication with the test utility provided with the IIS agent.

If this corrects the problem, you can re-enable DEP by reversing the above procedure, this time excluding the RSA agent from DEP.

Contact Microsoft support for additional details on customizing the configuration of DEP.
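
To confirm which DEP mode the server is actually running before and after the change, the following PowerShell check can be used. It is an added example, not part of the original article or of RSA's tooling; the executable path is a hypothetical placeholder, and the registry location of the DEP exclusion list is an assumption labelled in the code.

```powershell
param(
    # Hypothetical placeholder: full path of the executable to be excluded from DEP.
    [string]$TargetExe = 'C:\PLACEHOLDER\agent-process.exe'
)

# Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff: DEP disabled for all processes'
    1 = 'AlwaysOn: DEP enforced for all processes, exclusions ignored'
    2 = 'OptIn: DEP for essential Windows programs and services only'
    3 = 'OptOut: DEP for all programs and services except those excluded'
}

# Get-WmiObject also works on the PowerShell 2.0 shipped with Windows Server 2008 R2.
# The value is the policy the system booted with; a bcdedit nx change shows up after a restart.
$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Assumption: exclusions made on the DEP tab are stored as values under this key,
# named by executable path, with data containing "DisableNXShowUI".
$layersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exclusions = @()
if (Test-Path $layersKey) {
    foreach ($p in (Get-ItemProperty -Path $layersKey).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'DisableNXShowUI') {
            $exclusions += $p.Name
        }
    }
}
$excluded = $exclusions -contains $TargetExe

# Map the observed state to the situations this article describes.
switch ($policy) {
    0 { $finding = 'DEP is off. Use only for the test, then re-enable it with the exclusion in place.' }
    1 { $finding = 'DEP is forced on and exclusions have no effect; the target cannot be exempted in this mode.' }
    2 { $finding = 'DEP covers only essential Windows programs and services.' }
    3 { if ($excluded) { $finding = 'DEP applies to all programs and the target executable is excluded.' }
        else           { $finding = 'DEP applies to all programs and the target executable is NOT excluded.' } }
    default { $finding = "Unrecognized policy value $policy." }
}

New-Object PSObject -Property @{
    DepPolicy      = $policyNames[$policy]
    TargetExe      = $TargetExe
    TargetExcluded = $excluded
    Exclusions     = ($exclusions -join '; ')
    Finding        = $finding
} | Format-List
```

Run it from an elevated PowerShell prompt on the IIS server, passing the real executable path with -TargetExe.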



Notes
DEP is a Microsoft security feature which disallows executable files that need to access system memory from doing so. The RSA agent follows this model, as it accesses system memory. The RSA agent must be excluded from DEP. Whenever a program that accesses memory is used, DEP is executed to check its validity. When memory is accessed and DEP neither recognizes the component as a Microsoft component nor finds it excluded from DEP, it automatically terminates it. This issue is common with third-party programs running on the Microsoft 2008 platform.