Readme
RSA Authentication Agent 6.1.1 for Microsoft Windows

July 7, 2006

Introduction

This document lists late-breaking information for RSA Authentication Agent 6.1 for Microsoft Windows. Read this document before installing the software. This document contains the following sections:

• Product Documentation
• Required Service Packs and Fixes
• Patch Installation and Information
• Resolved Issues
• Known Issues
• Variation From Microsoft Compliance
• Getting Support and Service

This Readme may be updated. The most current version can be found on RSA SecurCare Online https://knowledge.rsasecurity.com. To print this Readme, click here.

Product Documentation

RSA Authentication Agent 6.1 for Microsoft Windows includes the following documentation:

• RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide - authagt_admin.pdf
• RSA SecurID for Microsoft Windows Planning Guide 1.1 - secid_planning.pdf
• RSA Authentication Agent 6.1 for Microsoft Windows Readme (this document) - authagt_readme.html
• RSA SecurID Wireless Authentication Solution Guide - authagt_wireless_solution.pdf
• RSA Authentication Agent 6.1 for Microsoft Windows Help

The following documents have been updated for the 6.1.1 product release:

• RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide
• RSA SecurID for Microsoft Windows Planning Guide 1.1
• RSA Authentication Agent 6.1 for Microsoft Windows Readme

The RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide has been updated as follows:

• The section "Customization Options" in the chapter "Overview" includes a description of the language localization feature.
• The section "General Requirements" in the chapter "Requirements and Preparations" includes a correction to the amount of free disk space recommended.
• The chapter "Installing RSA Authentication Agent 6.1 for Microsoft Windows" includes instructions for applying the language localization feature.
• The subsection "Domain Authentication" in the section "What to Install" in the chapter "Installing RSA Authentication Agent 6.1 for Microsoft Windows" includes an Important note that tells you not to install the Domain Authentication Server component on a computer that is not a domain controller.
• The subsection "Terminal Services Authentication" in the section "What to Install" in the chapter "Installing RSA Authentication Agent 6.1 for Microsoft Windows" includes a correction. For terminal services domain authentication, you need to install only the Domain Authentication Client component on the terminal server.
• The chapter "Customizing RSA Authentication Agent 6.1 for Microsoft Windows" includes a description of the language localization feature.

The RSA SecurID for Microsoft Windows Planning Guide 1.1 has been updated as follows:

• The section "Customization Options" in the chapter "Introduction" includes a description of the language localization feature.
• The section "Supported Platforms and Requirements" in the chapter "Introduction" includes a correction to the amount of free disk space recommended for the Authentication Agent.

The RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide and the RSA SecurID for Microsoft Windows Planning Guide 1.1 have not been reversioned for this release. However, the front matter of the RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide and the RSA SecurID for Microsoft Windows Planning Guide 1.1 lists two dates of printing - the date the books were printed for the original 6.1 product release, and the date the updated books were printed for the 6.1.1 product release.

The RSA Authentication Agent for Microsoft Windows 6.1 Readme has been reversioned to RSA Authentication Agent for Microsoft Windows 6.1.1 Readme.

You can access the Installation and Administration Guide, the Planning Guide, and the Readme directly from the RSA Authentication Agent 6.1.1 for Microsoft Windows downloadable .zip file (this patch). However, you can access the Help only by installing RSA Authentication Agent 6.1.1 for Microsoft Windows.

Top

Required Service Packs and Fixes

• For wireless authentication using EAP, access points must support 802.1x authentication.

• To use wireless LAN with PEAP, install SP2 for Windows XP or SP1 for Windows Server 2003. If you cannot update to the current service pack, you must install Microsoft hot fix Article ID #827537 on the Windows XP client and the Windows Server 2003 host. To get the fix and installation instructions, see "Windows XP Service Pack 1 and Windows Server 2003 wireless clients are not compatible with RSA Security Extensible Authentication Protocol (EAP) type" in the Microsoft Knowledge Database at www.microsoft.com.

• For Windows Server 2003, if Terminal Services or Citrix Metaframe users are prompted to authenticate with RSA SecurID even though you configured the terminal server for standard Windows authentication, install Microsoft fix Article ID #838462 available in the Microsoft Knowledge Database at www.microsoft.com.

Top

Patch Installation and Information

Installing the Patch

To install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch (authagt_win_6.1.1.exe), you must be running RSA Authentication Agent 6.1 for Microsoft Windows. Install this patch ONLY on build 297 of this software. If you are not running build 297, contact RSA Security Customer Support. To verify the version number, do the following:

1. Log on to the RSA Authentication Agent host computer as an administrator.
2. Click Start > Programs > RSA Security > RSA Security Center.
3. Click Help > About RSA Security Center.

Important: You must install RSA Authentication Manager 6.1 for Microsoft Windows before you install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch.

Installing the RSA Authentication Agent 6.1.1 for Microsoft Windows Patch

You can install this patch manually on each computer running RSA Authentication Agent 6.1 for Microsoft Windows, or you
can perform a network installation. There are two types of network installations. You can perform a network installation that automatically restarts all of the computers running the Authentication Agent. Alternatively, you can perform a network installation that does not automatically restart all of the computers running the Authentication Agent.

Important: After installing the Authentication Agent 6.1.1 patch, you cannot log on to a client computer until you restart the computer. If you perform a network installation that does not automatically restart all of the computer running the Authentication Agent, you must restart the computers manually.

To install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch manually:

1. Double-click authagt_win_6.1.1.exe.
2. Follow the prompts to complete the installation.
3. Restart the computer.

To perform a network installation that restarts the Authentication Agent computers automatically:

Important: Before you perform the installation, all domain client computers must be running.

To perform a network installation, you must use Microsoft System Management Server (SMS). In your SMS environment, type the following command:

authagt_win_6.1.1.exe /s /v"/qn REINSTALL=ALL REINSTALLMODE=omus"

To perform a network installation that does not restart the Authentication Agent computers:

Important: Before you perform the installation, all domain client computers must be running.

To perform a network installation, you must use Microsoft System Management Server (SMS). In your SMS environment, type the following command:

authagt_win_6.1.1.exe /s /v"/qn REBOOT=ReallySuppress REINSTALL=ALL REINSTALLMODE=omus"

Important: You must disable the offline authentication feature on the Primary Authentication Manager immediately after you install this patch. Offline authentication must remain disabled for a minimum of 12 hours. Doing this enables domain client computers to receive updated offline data.

To disable offline authentication:

1. On the Primary Authentication Manager, on the System menu, click System Configuration > Edit Offline Auth Config....
2. In the Edit Offline Authentication dialog box, clear Enable Offline Authentication at System Level.
3. Click OK.

Top

Resolved Issues

The RSA Authentication Agent 6.1.1 for Microsoft Windows patch resolves the following issues:

Tracking number: 25406
The patch enables the Local Authentication Client component to read passcodes from SID800 tokens when using the Offline Days Status screen to recharge the supply of offline days.

Tracking number: 25200 and 21153
The ability to invoke RSA Security EAP and RSA Security Protected OTP authentication from the Desktop Logon dialog using Log on using dial-up connection does not work. The patch fixes this problem so that both RSA Security EAP methods are supported for remote dial-up or VPN access.

Tracking number: 24374
The RSA Authentication Agent EAP client component uses the Microsoft Windows EAP system to save user information between authentications. Without the patch, saved information from failed and cancelled authentication attempts is not cleared, and the Authentication Agent does not prompt the user to authenticate with a different user name.

Tracking number: 24199
Without the patch, clicking Clear Offline Days in the RSA Security Center more than once causes an error that prevents the download of offline days until the RSA Security Center is closed.

Tracking number: 24188
Without the patch, when the offline authentication feature is disabled, the Pin Unlock feature prompts users for RSA SecurID passcodes instead of only their PINs.

Tracking number: 23802
The patch fixes a problem that can prevent users from logging on to their Microsoft Windows desktops. Without the patch, the workaround to the problem is to restart the desktop computer or restart the domain controller.

Tracking number: 23586
Without the patch, when both the Domain Authentication Client component and Local Authentication Client component are installed on the same computer, the PIN unlock option does not work for the Local Authentication Client computer.

Tracking number: 23579
The patch fixes a security vulnerability in which desktops protected with RSA Authentication Agent 6.1 for Microsoft Windows can be accessed by a second user with a valid userID after the first user has locked the desktop. The vulnerablility allows an unauthorized user to unlock an authenticated user’s desktop.

Tracking number: 18197
In RSA Authentication Agent 6.1 for Microsoft Windows, you cannot authenticate from a computer running both the Agent Domain Authentication Client component and the Agent Domain Server component when the Authentication Manager is unavailable, even if up-to-date offline data for your account exists. However, you can use your offline data to authenticate from computers running only the Agent Domain Client component. After you install the patch, when the RSA Authentication Manager is offline, you can successfully authenticate using offline data stored on the domain controller.

Tracking number:19975
In RSA Authentication Agent 6.1 for Windows, you cannot authenticate offline to a system that is suspended due to low battery power. This problem occurs because of a misinterpretation of the change in system time associated with the forced suspension. After you install the patch, the Agent recognizes the suspension of the system and correctly handles the time change at restart.

Tracking number: 21693
Without the patch, when you use RSA Security EAP with PEAP, the RSA Security EAP component inapproprietly attempts to validate the NAS IP address. Since this address is not provided during a PEAP authentication, the authentication fails.

Tracking number: 20546
Certain Windows applications repeatedly attempt to authenticate users even after the user receives an "Access Denied" message from the Agent authentication process. As a result, users are locked out of their Windows accounts. The lock-out occurs because of the return code that the sub authentication process passes back to Windows. In the patch, the return code has been changed from an authentication failure to an authorization failure code. The patch fixes all known Windows account locking issues.

Tracking number: 22190
Without the patch, alphanumeric PINs containing capital letters do not work with RSA Security Protected OTP. This happens because the RSA Security Protected OTP client does not correctly convert them to lowercase. Since the server treats all PINs as lowercase, all authentication attempts using PINs with capital letters fail. With the patch, the RSA Security Protected OTP client correctly converts all input to lowercase before transmitting it to the Authentication Manager.

Tracking number: 21522
Without the patch, for some users, the Offline Days Status screen in the RSA Security Center does not open when users right-click the RSA Security Center icon in the notification area of the Windows taskbar, then click View Offline Days.

Tracking number: 22390
Without the patch, the Never expire option for session certificates in the RSA Security Center does not work properly.

Tracking number: 22135
Without the patch, uninstalling the Agent Remote Authentication Server component leaves the Windows RRAS service unable to start. In the patch, the registry setting that causes this problem has been removed.

Tracking number: 21693
The patch fixes an intermittent failure that occurs when RSA Security EAP is used with PEAP and RADIUS Client Check.

Tracking number: 22184
Without the patch, under certain circumstances, when the Windows Agent clock is tampered with, offline
authentication fails.

Tracking number: 22454
Without the patch, when you use RSA Security Protected OTP, users are always allowed to select a system-generated PIN, even if the policy controlling this option is turned off.

Tracking number: 22460
Without the patch, when the Authentication Manager rejects a user's PIN, the RSA Security Protected OTP client does not allow the user another opportunity to enter a valid PIN. With the patch, the Authentication Manager prompts the user up to three times for a valid PIN.

Tracking number: 19977
With the patch, the RSA Security Protected OTP client is more specific in the error messages it logs.

Tracking number: 22516
Without the patch, RSANetUse does not correctly map a shared drive whose name contains spaces.

Tracking number: 20475
Without the patch, the SDEAP module occasionally spawns multiple authentication windows.

Tracking number: 20190
The patch fixes a typographical error in the RSA Security Center.

Tracking number: 22995
With the patch, the legal notice page always appears before logon, and properly displays the legal notice.

Tracking number: 23151
The patch fixes a compatibility issue with Citrix in which credentials are not properly auto-submitted.

File Updates

The following files are updated when you install this patch:

\windows\System32

• sdagentsa.dll
• sdagentsa2k.dll

\Program Files\RSA Security\RSA Authentication Agent\

• 3gLgnRc.dll
• 3gLgnRcENU.dll
• 3gLgnRcJPN.dll
• aceclnt.dll
• acegina.dll
• authagt_admincombohelpJPN.chm
• authagt_adminhelpJPN.chm
• authagt_usercombohelpJPN.chm
• authagt_userhelpJPN.chm
• ConfigSIDAdvSettings.dll
• ConfigSIDAdvSettingsJPN.dll
• ConfigSIDAuthTest.dll
• ConfigSIDAuthTestJPN.dll
• ConfigSIDDomain.dll
• ConfigSIDDomainJPN.dll
• ConfigSIDDomainClient.dll
• ConfigSIDDomainClientJPN.dll
• ConfigSIDDomainServer.dll
• ConfigSIDDomainServerJPN.dll
• ConfigSIDLocal.dll
• ConfigSIDLocalJPN.dll
• ConfigSIDRemote.dll
• ConfigSIDRemoteJPN.dll
• ConfigSIDRemoteEAP.dll
• ConfigSIDRemoteEAPJPN.dll
• ConfigSIDRemoteRAS.dll
• ConfigSIDRemoteRASJPN.dll
• ConfigSIDServerEnv.dll
• ConfigSIDServerEnvJPN.dll
• ConfigSIDTroubleShoot.dll
• ConfigSIDTroubleShootJPN.dll
• ConfigSIDWelcome.dll
• ConfigSIDWelcomeJPN.dll
• da_svc.exe
• da_svc_nla.dll
• HomeSIDOfflineDays.dll
• HomeSIDOfflineDaysJPN.dll
• rsanetuse.exe
• rsanetuseui.exe
• rsanetuseuiJPN.dll
• rsapwdfilt.dll
• rsarunas.exe
• rsarunasJPN.dll
• rsarunasdlg.exe
• rsarunasdlgJPN.dll
• sdagentrt.dll
• sdagentsvc.exe
• sdagentuisvc.exe
• sdagentuisvcJPN.dll
• sdeap.dll
• sdproxysvc.exe
• sdui.dll
• sduiJPN.dll
• SecurIDNIAPlugIn.dll
• SecurIDNIAPlugInJPN.dll
• SIDProductInfoPlugIn.dll
• SIDProductInfoPlugInJPN.dll
• sidauthenticator.dll

\Program Files\Common Files\RSA Shared\

commonlogevents.dll

\Program Files\Common Files\RSA Shared\RSA Security Center

• Locale.dll
• PageBase.dll
• RegDLLLoader.dll
• RSANotificationIcon.exe
• RSANotificationIconENU.dll
• RSANotificationIconJPN.dll
• SCACpl.cpl
• SCApp.exe
• SCAppENU.dll
• SCAppJPN.dll
• TabConfiguration.dll
• TabConfigurationENU.dll
• TabConfigurationJPN.dll
• TabHome.dll
• TabHomeENU.dll
• TabHomeJPN.dll

\Program Files\Common Files\RSA Shared\Authentication Framework\

• authsvc.dll
• ctauthmech.dll
• fobauthmech.dll
• softidatuhmech.dll

\Program Files\Common Files\RSA Shared\BackendUI\

• backenduisvccore.dll
• backenduisvccoreJPN.dll
• uiservice.exe

Known Issues

Interoperability

• If you install RSA Sign-On Manager on a computer that hosts RSA Authentication Agent 6.1 for Microsoft Windows, RSA Sign-On Manager removes the Authentication Agent installation. If you want to install the Authentication Agent on a computer that hosts RSA Sign-On Manager, you must uninstall RSA Sign-On Manager before installing the Authentication Agent.

• RSA Authentication Agent 6.1 for Microsoft Windows is not compatible with pcAnywhere.

• The RSA SecurID for Microsoft Windows solution does not support smart card-based logon. RSA Security recommends that you disable the smart card service on client computers that host RSA Authentication Agent 6.1 for Microsoft Windows. If the smart card service on the client computer is not disabled, smart card authentications bypass RSA SecurID authentications.
  

• To use RSA Authentication Agent 6.1 for Microsoft Windows and Novell on the same computer, you must install Novell before installing the Authentication Agent. When you install the Authentication Agent, the installer warns you that another GINA (the Novell GINA) is already installed. When you are prompted, choose to replace the Novell GINA with the Authentication Agent GINA.

• If you want to replace the RSA Authentication Agent 6.1 for Microsoft Windows GINA with another GINA, uninstall the Authentication Agent before installing the other GINA software.

• If you are using RSA Authentication Agent 6.1 for Microsoft Windows Local Authentication with RSA Keon Web PassPort, and you want to uninstall the Authentication Agent or Web PassPort, you must uninstall the Authentication Agent first, then uninstall Web PassPort. You must then reinstall the component you want to use.

  Important: If you uninstall RSA Keon Web PassPort before you uninstall the Authentication Agent, you cannot log on to the Authentication Agent host computer.

Installation

• In the RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide, the instructions for installing the Authentication Agent assume you are downloading the RSA Authentication Agent 6.1 for Microsoft Windows .zip file and copying the RSA Authentication Agent for Windows .msi file from the .zip file to each computer that will host an Authentication Agent component. However, you may have received the Authentication Agent software on a CD instead of downloading it. If this is the case, copy the RSA Authentication Agent for Windows .msi file from the RSA Authentication Agent 6.1 for Microsoft Windows CD to each computer that will host an Authentication Agent component.
  

• After installing RSA Authentication Agent 6.1 for Microsoft Windows, you must complete the installation by restarting the Authentication Agent host computer. Installing the Agent modifies the registry to reference the Authentication Agent GINA (AceGina.dll) instead of the Microsoft GINA (msgina.dll).

• Installing or uninstalling RSA Authenticator Utility on a computer that also hosts RSA Authentication Agent requires additional steps if the only Authentication Agent components installed are the Remote Authentication Server component or the RSA Security EAP Client component.
  
  If you manually installed only the Authentication Agent Remote Authentication Server component or RSA Security EAP Client component, and then install the Authenticator Utility, perform the following steps:

1. After you install the Authenticator Utility, run the Authentication Agent installation program in Repair mode.
2. Open RSA Security Center and reconfigure the remote authentication settings.
   
   

If you manually installed only the Authentication Agent Remote Authentication Server component or RSA Security EAP Client component, and then uninstall the Authenticator Utility, perform the following steps:

1. After you uninstall the Authenticator Utility, run the Authentication Agent installation program in Repair mode.
2. Open RSA Security Center and reconfigure the remote authentication settings.
   
   

If you silently installed only the Authentication Agent Remote Authentication Server component or RSA Security EAP Client component, and then install the Authenticator Utility, silently reinstall the Authentication Agent components.

If you silently installed only the Authentication Agent Remote Authentication Server component or RSA Security EAP Client component, and then uninstall the Authenticator Utility, silently reinstall the Authentication Agent components.

• On Windows XP, to use Microsoft Systems Management Service (SMS) to install a silent installation package, you must configure SMS to run under an administrator account on the target computer. If you configure SMS to run under the SMS software installation account on the target computer, silent installation fails. The network installation package creation program assumes that the Windows msiexec.exe file is located in the \system32 directory of the computer from which the installation package will be executed. If the msiexec.exe file is in a location other than the \system32 directory, perform the following steps:
1. Follow the instructions in the RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide to create a network installation package.
2. Open the SilentInstall.bat file in a text editor.
3. Edit the file to include the full pathname of the msiexec.exe file (for example, "SystemFolder\msiexec.exe).
   
   
• RSA Authentication Agent 6.1 for Microsoft Windows installs and supports local, remote, and domain access to Windows operating systems. Administrators can use the RSA Authentication Agent 6.1 for Microsoft Windows to authenticate users accessing their computer desktops, as well as users accessing the network remotely through Routing and Remote Access Server (RRAS) or Internet Authentication Server (IAS) on Windows 2000 Server and Windows Server 2003. The RSA Authentication Agent 6.1 for Microsoft Windows does NOT install or support Web access.

Configuration

• On the Domain Authentication Server host, the Challenge Settings page in the RSA Security Center includes the Exclude user option. This option consists of a checkbox and a field. Selecting this option tells the RSA Authentication Agent to exclude a user from RSA SecurID challenge when the domain controller is started in Restore mode. However, the only field entry that is accepted by the system is administrator. If you enter a user name in the field instead of administrator, no one is excluded from challenge when you start the domain controller in Restore mode.

  If you select the Exclude user option and enter administrator in the field, when you start the domain controller in Restore mode, enter administrator as the user name, and enter the directory services Restore mode password. You create this password when you configure Microsoft Active Directory.

• For wireless authentication using Cisco, if you mistakenly install Cisco PEAP on a client computer instead of installing Microsoft EAP, perform the following steps:

1. Use the Cisco Installation Wizard to uninstall the Cisco software.

   Important: Do not use the Microsoft Windows Add/Remove program.

2. Reinstall the Cisco software without PEAP.

Authentication

General Authentication

• The option Enable RADIUS client check verifies whether remote authentication requests originate from a device (for example, Microsoft IAS Server, a remote access server, or a network access server) that is registered as an Agent Host in the RSA Authentication Manager database. If the device is not registered as an Agent Host, the authentication request is denied. For example, when this option is enabled, authentication requests originating from network access devices are denied unless the network access devices are registered as Agent Hosts in the Authentication Manager database. By default, this option is disabled. However, this option does not work in environments that use the following protocol set-ups:
  • RSA Security EAP over PEAP
  • RSA Security Protected OTP over PEAP

• If you configure RSA Security EAP for use with Microsoft Windows RAS or Microsoft Windows IAS, the following applies:

By default, user names entered without a domain, or with a domain specified in the format domain\user name
authenticate to the Authentication Manager as the plain user name.

If your system uses multiple domains, you can use the RSA Security Center on the remote server computer to enable the option Send user name to RSA Authentication Manager in "domain\user name" format. This option passes the local domain, or user-specified domain, to the Authentication Manager. To enable this option:

1. In the left pane of the RSA Security Center, click Configuration > Remote > EAP.
   The Remote EAP Configuration page opens in the right pane.
2. On the Remote EAP Configuration page, under Authentication Settings, click Settings.
3. On the Authentication Settings page, select the option Send user name to RSA Authentication Manager in "domain\user name" format.

Note: For this option to work, the user accounts in the Authentication Manager must be configured with the domain name included in the user name.

If a user enters a user name in the format username@domain (referred to as the User Principal Name or UPN), by default, the UPN is converted to the format domain\username, and the domain will always be included. You cannot suppress the domain name if this format is used.

If you need to pass UPN format names to the Authentication Manager, you must change the registry setting.
HKEY_LOCAL_MACHINE\Software\RSA Authentication Agent\Current Version\Settings\SDRAS\ConvertEapFQNames from the default setting 1 to the setting 0. If you change the setting in this way, UPN names are not be converted by EAP and are passed to the Authentication Manager verbatim.

However, IAS attempts to convert UPN names to domain format to check user names against remote access policies. If the users are not Windows users, you must reconfigure the remote access policy so that it does not require Windows authentication. Normally, IAS can convert the UPN format names, but in some situations you may need to define a domain stripping policy for the User-Name attribute. For help with realm names, see the Windows IAS documentation.

• If you change the machine name or static IP address of an Authentication Agent host computer, after you restart the computer, you cannot log on to the Authentication Agent host computer, and the system issues the message "Agent Host Not Found." To prevent this from happening, perform one of the following procedures.

  To change the machine name of an Authentication Agent host computer:

1. On the Authentication Agent host computer, set the RSA SecurID challenge to None.
2. Change the machine name.
3. Set the challenge to a setting other than None, and select the challenge group based on the new machine name.

If you have already changed the machine name of an Authentication Agent host computer without performing the preventative steps listed above, perform the following steps:

1. Restart the Authentication Agent host computer in Safe mode.
2. Log on as an administrator.
3. Set the challenge to None.
4. Restart the computer.
5. Log on as an administrator.
6. Set the challenge to a setting other than None, and select the challenge group based on the new machine name.

To change the static IP address of an Agent host computer:

Change the IP address of the Authentication Agent host computer, then restart the computer.

• RSA Authentication Agent and RSA Authentication Manager do not support leading zeros (for example, 0123) in PINs used for PINPads and software tokens. If a user creates a PIN that contains leading zeros, the PIN is rejected by the Authentication Manager and the system reprompts the user for a passcode. However, the system does not issue a message saying that the PIN is invalid.

• Setting the session certificate time-out parameter should determine when users' authentication sessions expire, and therefore, when users are reprompted for RSA SecurID passcodes. You can set the session certificate expiration time from 5 minutes to 1,440 minutes (one day). The default expiration for the session certificate is 5 minutes. However, for some operations, the Kerberos renewal ticket, one of the Microsoft domain settings, overrides the session certificate. Therefore, users are reprompted for RSA SecurID passcodes when the Kerberos renewal ticket expires and not when the session certificate expires. The default expiration time for the Kerberos renewal ticket is 10 days.

• Although the RSA Authentication Manager allows the @ sign as part of a user name, Windows Active Directory does not.

Authentication Using the RSA SecurID Authenticator SID800 USB Token

• When you use a connected RSA SecurID Authenticator SID800 USB token, the Time Remaining field on the RSA Security Center View USB Token page shows that the tokencode is valid for a greater amount of time than it is actually valid. Regardless of how long a tokencode has displayed, every time you reopen the View USB Token page, the Time Remaining field starts a new count instead of beginning the count at the actual amount of time the tokencode remains valid. Therefore, the Time Remaining field and the actual time the tokencode remains valid may differ by as much as 60 seconds.

• When you authenticate with a connected RSA SecurID Authenticator SID800 USB token that is in Next Tokencode mode or New PIN mode, the system may take 30 seconds after the next tokencode appears on the authenticator to submit the next tokencode to the authentication process.

• You can use the RSA SecurID Authenticator Utility on a terminal server only to authenticate to the console. The Authenticator Utility does not work with terminal sessions.
  

Domain Authentication

• When a user downloads offline data, his or her user name is added to a file on the user's local computer. This file is named challengedinfo.dat and is stored, by default, in C:\Documents and Settings\All Users\Application Data\RSA Security\Domain on Domain Authentication Client hosts and in C:\Documents and Settings\All Users\Application Data\RSA Security\Local on local authentication component hosts. The file contains a list of local users to be challenged for RSA SecurID passcodes when they authenticate offline. If you change an offline domain user’s challenge status, for example, by removing the user from a challenge group, you also need to delete the user’s name from the challengedinfo.dat file on the user’s computer. Otherwise, the user still receives a challenge when attempting to access the desktop using a domain account. Be certain to delete all instances of a user's name from the file.

• After you import a software token to a domain client computer, you must log off of the domain client computer and log on again to enable the software token. If you are working from a remote session, you must restart the computer.

• If you set the challenge for domain users on the RSA Security Center Challenge Settings page to All users, the following erroneous behavior occurs:

  • The Exclude user option is ignored. Under ordinary circumstances, this option exempts the domain controller administrator from challenge when logging on to the domain controller in Directory Services Restore Mode (DSRM).

  • The administrator is unable to log on to the domain controller in DSRM.

  To enable the administrator to log on to the domain controller in Directory Services Restore Mode while the challenge for domain users is set to All users, you must select Disable local users' access to this computer on the RSA Security Center Windows Logon Settings page on the domain controller. The administrator can then log on to the domain controller in DSRM by entering a valid RSA SecurID passcode and the DSRM password when prompted.

• If you enable domain client registration in the RSA Security Center, and then change the remove:security policies for a domain client computer, you must restart the client computer for the security policies to take effect.

• If domain authentication fails on a domain authentication client computer running Windows XP SP2, and the firewall on the client computer was initially turned off, check the firewall settings. Although the firewall service on Windows XP SP2 clients may have been stopped, the service may restart itself and prevent the Domain Authentication Client component from communicating with the Domain Authentication Server component on the domain controller. If this occurs, domain authentication for online users fails. Domain authentication for offline users succeeds, but Active Directory passcodes cannot be communicated, and the prompt for the Active Directory password takes longer than usual to appear. To prevent this situation, disable, rather than stop, the firewall service on the domain authentication client. If you do not want to shut down the firewall on the client computer, make sure TCP port 2334 is part of the firewall exception list. Although the port may have been added to the list initially, it may have removed itself from the list.

• If you enable cross-domain trust between a protected domain and an unprotected domain, you must assign users different user names for each domain. Otherwise, when the user attempts to authenticate with a Windows password to the unprotected domain, authentication fails.

• In a hierarchical domain environment, you cannot log on to an unprotected parent domain from a protected child domain as an administrator, even when the administrator is not in a challenge group. To facilitate logging on to an unprotected parent domain as an administrator from a protected child domain, you must install and configure the RSA Authentication Agent Domain Server component on the parent domain controller.
  
  

Wireless Authentication

• RSA Security EAP Protected OTP (EAP-32) and RSA Security EAP (EAP 15) are not supported on Microsoft Windows 2000 platforms.
  

• Remote access authentication with wireless PEAP does not support RSA SecurID authenticators set for 180 second intervals.

• When a computer comes out of hibernation during a wireless connection, the connection can be restored immediately, without waiting for the user to authenticate back into the existing Microsoft Windows session. For greater security, disable hibernation on users' computers and instruct users to log off the network before leaving their desks.

• During an initial wireless authentication, the Authentication Agent prompts you for both a user name and an RSA SecurID passcode. However, during subsequent authentications, the Authentication Agent prompts you for only an RSA SecurID passcode and does not allow you to change the user name. If, during a subsequent authentication, you need to provide a different user name, perform one of the following procedures.

  If you are running an active session:

1. Disconnect the wireless service either through the Network Connections list or by right-clicking on the status bar icon and selecting View Available Wireless Networks, selecting the the wireless network you are using, then clicking Disconnect.

   This stops the system from reprompting.

2. Edit the registry to remove the cached EAP information for the authenticating user.

3. Click Start > Settings > Network Connections, and at the Wireless Network Connections dialog box, select your wireless connection and click Connect.

The next RSA Security prompt you see should be a user name dialog box. For more information, see Microsoft Knowledge Base article #823731 "How to remove cached user credentials that are used for PEAP authentication in Windows XP." This information applies to all RSA Security EAP protocols even if PEAP is not used.

If you are not running an active session:

1. When the system prompts you for an RSA SecurID passcode, click Cancel.

This clears the EAP registry data.

2. At the Access Denied message, click OK.

   If the system prompts you again, ignore the prompts until you can perform the next step.

3. Click Start > Settings > Network Connections, and at the Wireless Network Connections dialog box, select your wireless connection and click Disconnect.

   This stops the reprompting.

4. In the Wireless Network Connections dialog box, select your wireless connection and click Connect.

The next RSA Security prompt you see should be a user name dialog box. For more information, see Microsoft Knowledge Base article #823731 "How to remove cached user credentials that are used for PEAP authentication in Windows XP." This information applies to all RSA Security EAP protocols even if PEAP is not used.

• If a user logs on to a local computer with a user name and password that matches domain credentials, then successfully establishes an authenticated wireless PEAP connection, the user gains access to domain resources without having to explicitly authenticate to the domain. This behavior is determined by Microsoft Windows.

Remote Authentication

• After initially installing the local authentication client component on a computer, some Authentication Agent features do not work when you are remotely connected to the network unless you do one of the following:

  • Restart the client computer at least once after performing a test authentication or authenticating online.
  
  
  
  • If you cannot connect to the network directly, do the following:
    1. Log on to the local client computer using a reserve password.
    2. Manually install the node secret from the Authentication Manager.
    3. Connect to the network remotely using a VPN client.
    4. At a command line on the client computer, run sdadmreg -r.
    5. The next time you connect to the network directly, at a command line on the client computer, run sdadmreg -r to update the client IP address in the Authentication Manager database, and restart the client computer.

Offline Authentication

• On some systems, users cannot authenticate offline once the computer has gone into hibernation after being in standby mode. If this occurs, perform the following procedure:

1. Perform a connected authentication to the RSA Authentication Manager.
2. Configure the computer for either Hibernate or Standby for both power connected mode and in battery only mode.

• You can configure RSA Authentication Agent to automatically authenticate users to protected domains after they have authenticated offline. Users can automatically authenticate for as long as the offline session certificate remains valid. By default, session certificates remain valid for 5 minutes. After the system validates the user's offline authentication, it issues the user a new session certificate, also valid for 5 minutes. Therefore, by default, users can access domain resources for up to 10 minutes after an initial offline authentication.
  

• If, during authentication, the system prompts the user to recharge offline days, then notifies the user that the recharge failed, determine whether the user's RSA SecurID token is about to expire. If a user authenticates with an RSA SecurID token that is set to expire before the user's offline days expire, the system prompts the user to recharge offline logon days. However, it is not possible to recharge offline days under this circumstance, and attempts to do so fail.

• If you reset the number of offline days to a number that is less than the number that was previously set (for example, if you change the number of offline days to 5 from 10), offline users continue to have the greater number of offline days (in this example, 10) until those days expire. When offline users recharge their offline days, the RSA Authentication Manager downloads the new number of offline days (in this example, 5).

• Once a user downloads offline days, the user can successfully authenticate offline even after the trust between the domain controller and the RSA Authentication Manager is broken. The authentication events are not recorded on the RSA Authentication Manager.

• If you clear offline data from an Authentication Agent host, but RSA Security Center still shows available offline days, instruct the user to restart RSA Security Center.

• After a user authenticates offline with an emergency access passcode, the user cannot recharge his or her offline days remotely. The user must perform a connected authentication to recharge offline days.

Terminal Services Authentication

For Windows XP platforms, remove your RSA SecurID Authenticator SID800 USB token from your computer before you run a terminal services session to the computer. If you leave the token connected to the computer and then run a terminal services session to the computer, you need to restart the computer before you can log on to it again.

Tracing and Logging

• The first time you use the RSA Security Center to enable tracing and specify a log file as the tracing destination, the system continues to log GINA tracing to the default location, aceclient.log, instead of the specified destination. To solve the problem, restart the computer.

• When you set the tracing destination to Log File, then authenticate remotely using dial-up networking, by default the Authentication Agent creates a tracing log file on the client computer with the incorrect filename AceClient.log. The file should be named AceAgent.log. To apply the correct filename, restart the remote authentication server computer.

RSANetUse

If you use a software token to log on as an alternate user, RSANetUse fails to map drives.

Windows Password Integration

On Local Authentication Client computers, policy settings are updated every two hours. On Domain Authentication Client computers, policy settings are updated every four hours. Therefore, when you enable Windows password integration on a client computer, Windows password integration will not work until the policy has been updated. However, if you cannot wait until the policy is updated automatically, you can force a policy update by restarting the client computer.

Workstation Unlock with RSA SecurID PIN

• Workstation Unlock with RSA SecurID PIN (Quick Workstation Unlock) does not work if you reset your PIN to a character length that is not the same as the former PIN. Although the PIN Unlock screen appears, you are not able to unlock your workstation using your new PIN. If you experience this problem, click Force Logoff, and then unlock the workstation by entering your user name and RSA SecurID passcode.

• On Local Authentication Client computers, if you are in Next Tokencode mode, the Quick Workstation Unlock screen appears, but does not recognize your RSA SecurID PIN. If this situation occurs, click Force Logoff, and then unlock the workstation by entering your user name and RSA SecurID passcode.

Top

Documentation Issues

• You can set up your environment so that authentication works in one of the following ways:
• Authentication occurs on the RSA RADIUS Server or Microsoft IAS Server on
  behalf of network access devices such as a Remote Access Server (RAS), a
  Network Access Server (NAS), or a wireless access point.
• Authentication occurs only on the RSA RADIUS Server or Microsoft IAS Server
  themselves.

The section "Authentication Environment Options" in the RSA SecurID Wireless Authentication Solution Guide says that by default, the environment is configured so that authentication occurs on behalf of network access devices. This is true for RSA RADIUS Server environments. However, for Microsoft IAS RADIUS Server environments, by default, authentication does not occur on behalf of network access devices.

• The RSA Security Center Help topics "Understanding the Windows Logon Settings" and "Disabling Local Access to the Domain Client" incorrectly describe the Disable local users' access to this computer setting. The correct description of this setting is as follows: When you enable this option, only users with domain accounts can access their desktops. This ensures that users cannot use local accounts to gain access when only the domain is protected by RSA SecurID.

Top

Variations from Microsoft Compliance

RSA Authentication Agent 6.1 for Microsoft Windows complies with Microsoft branding requirements with the following exceptions. The titles and title numbers in this section pertain to the Microsoft compliance documentation.

Cross-Platform Certification Requirements

2.5 Install to Program Files by Default

RSA Authentication Agent 6.1 for Microsoft Windows installs the following shared files in SystemFolder:

• sdconf.rec
• sdroot.crt
• aceclnt.dll
• sdmsg.dll
• rsapwdfilt.dll
• sdagentsa.dll
• sdagentsa2k.dll

Installing the files elsewhere makes the Authentication Agent incompatible with legacy RSA Security products that share these files. The Authentication Agent also installs unshared files inherited from previous versions of the Authentication Agent to SystemFolder.

The Authentication Agent installs the following files to WindowsFolder\Help:

• sdcontrl.hlp
• sdcontrl.cnt

S5.4 Install using a Windows Installer-Based Package That Passes Validation Testing

The RSA Authentication Agent installation deviates from certification requirements in the following ways:

• Installation sends duplicate files to the destination area of the .msi file. However, the RSA Authentication Agent requires individual instances of all files regardless of whether they are duplicates.
  

• Installation adds references in the Start menu to components that occur per computer as opposed to per user. This is required because the RSA Authentication Agent can be installed only once on a computer, and all Start menu references must pertain to all users. Therefore, registry key links to these components must originate under HKLM instead of HKCU.
  

Windows 2000 Server Certification Requirements

3.3 Provide Documented Keyboard Access to all Features

RSA Authentication Agent 6.1 for Microsoft Windows documents all assigned navigation keys in the interface with underlines.

Windows Server 2003 Certification Requirements

S2.8 Terminal Server Requirements

The RSA Authentication Agent 6.1 for Microsoft Windows installation modifies a HKEY_CURRENT_USER value. However, the modification results from Microsoft Windows Installer and not from the Authentication Agent software.

3.8 Services Running as LocalSystem Must Not Present a UI

The sdagentsvc service opens the default Microsoft Windows station and desktop. However, it does not present a user interface or accept user input or Windows messages.

Windows XP Certification Requirements

2.6: Install Shared Files to the Correct Locations

RSA Authentication Agent 6.1 for Microsoft Windows does not support the side-by-side shared files requirement because doing so would disable the backward compatibility of legacy Agents. Therefore, the following files are installed under the /program files folder/RSA Security/RSA Authentication Agent directory:

• Da_svc.exe
• Sdagentsvc.exe
• Sdproxysvc.exe
• Securiduser.exe

The following files must remain in the /system32 directory to ensure backward compatibility with legacy agents:

• Aceclnt.dll
• Sdagentsa.dll
• Sdagent2k.dll
• Sdmsg.dll
• Sdconf.rec
• Sdstatus.12 (created at runtime)

2.7 Support Add or Remove Programs Properly

The RSA Authentication Agent 6.1 for Microsoft Windows uninstaller removes all "non-shared" .dll files and services. It also removes all registry keys associated with the Authentication Agent that are not user configuration settings that must be maintained for future installations. The uninstall does not remove the following files:

• Sdconf.rec - a configuration file that must be preserved
• Sdroot.crt - a configuration file that must be preserved
• Aceclnt.dll - a shared file removed only if its shared count is 0
• Sdagentrt.dll - a shared file removed only if its shared count is 0
• Sdmsg.dll - a shared file removed only if its shared count is 0
• Sdstatus.12 - a shared configuration file that is preserved for backward compatibility

3.2 Classify and Store Application Data Correctly

The sdcatool writes to a registry key other than HKCU. However, the sdcatool is designed to affect the system as a whole, and not individual users.

Top

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com

Customer Support Information: www.rsasecurity.com/support

RSA Secured Partner Solutions Directory: www.rsasecured.com

Top

© 2006 RSA Security Inc. All rights reserved.

Trademarks

ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Confidence Inspired, e-Titlement, IntelliAccess, Keon, RC2, RC4, RC5, RSA, the RSA logo, RSA Secured, the RSA Secured logo, RSA Security, SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in e-Security, Transaction Authority, and Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and other countries. All other goods and services mentioned are trademarks of their respective companies.

Top