Readme
RSA Authentication Agent 6.1.1 for Microsoft Windows

July 7, 2006

 

Introduction

This document lists late-breaking information for RSA Authentication Agent 6.1 for Microsoft Windows. Read this document before installing the software. This document contains the following sections:

This Readme may be updated. The most current version can be found on RSA SecurCare Online at https://knowledge.rsasecurity.com.


Product Documentation

RSA Authentication Agent 6.1 for Microsoft Windows includes the following documentation:

The following documents have been updated for the 6.1.1 product release:

The RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide has been updated as follows:

The RSA SecurID for Microsoft Windows Planning Guide 1.1 has been updated as follows:

The RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide and the RSA SecurID for Microsoft Windows Planning Guide 1.1 have not been reversioned for this release. However, the front matter of the RSA Authentication Agent 6.1 for Microsoft Windows Installation and Administration Guide and the RSA SecurID for Microsoft Windows Planning Guide 1.1 lists two dates of printing - the date the books were printed for the original 6.1 product release, and the date the updated books were printed for the 6.1.1 product release.

The RSA Authentication Agent for Microsoft Windows 6.1 Readme has been reversioned to RSA Authentication Agent for Microsoft Windows 6.1.1 Readme.

You can access the Installation and Administration Guide, the Planning Guide, and the Readme directly from the RSA Authentication Agent 6.1.1 for Microsoft Windows downloadable .zip file (this patch). However, you can access the Help only by installing RSA Authentication Agent 6.1.1 for Microsoft Windows.



Required Service Packs and Fixes



Patch Installation and Information

Installing the Patch

To install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch (authagt_win_6.1.1.exe), you must be running RSA Authentication Agent 6.1 for Microsoft Windows. Install this patch ONLY on build 297 of this software. If you are not running build 297, contact RSA Security Customer Support. To verify the version number, do the following:

  1. Log on to the RSA Authentication Agent host computer as an administrator.
  2. Click Start > Programs > RSA Security > RSA Security Center.
  3. Click Help > About RSA Security Center.

Important: You must install RSA Authentication Manager 6.1 for Microsoft Windows before you install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch.

Installing the RSA Authentication Agent 6.1.1 for Microsoft Windows Patch

You can install this patch manually on each computer running RSA Authentication Agent 6.1 for Microsoft Windows, or you can perform a network installation. There are two types of network installations. You can perform a network installation that automatically restarts all of the computers running the Authentication Agent. Alternatively, you can perform a network installation that does not automatically restart all of the computers running the Authentication Agent.

Important: After installing the Authentication Agent 6.1.1 patch, you cannot log on to a client computer until you restart the computer. If you perform a network installation that does not automatically restart all of the computers running the Authentication Agent, you must restart the computers manually.

To install the RSA Authentication Agent 6.1.1 for Microsoft Windows patch manually:

  1. Double-click authagt_win_6.1.1.exe.
  2. Follow the prompts to complete the installation.
  3. Restart the computer.

To perform a network installation that restarts the Authentication Agent computers automatically:

Important: Before you perform the installation, all domain client computers must be running.

To perform a network installation, you must use Microsoft Systems Management Server (SMS). In your SMS environment, type the following command:

authagt_win_6.1.1.exe /s /v"/qn REINSTALL=ALL REINSTALLMODE=omus"

To perform a network installation that does not restart the Authentication Agent computers:

Important: Before you perform the installation, all domain client computers must be running.

To perform a network installation, you must use Microsoft Systems Management Server (SMS). In your SMS environment, type the following command:

authagt_win_6.1.1.exe /s /v"/qn REBOOT=ReallySuppress REINSTALL=ALL REINSTALLMODE=omus"

Important: You must disable the offline authentication feature on the Primary Authentication Manager immediately after you install this patch. Offline authentication must remain disabled for a minimum of 12 hours. Doing this enables domain client computers to receive updated offline data.

To disable offline authentication:

  1. On the Primary Authentication Manager, on the System menu, click System Configuration > Edit Offline Auth Config....
  2. In the Edit Offline Authentication dialog box, clear Enable Offline Authentication at System Level.
  3. Click OK.



Resolved Issues

The RSA Authentication Agent 6.1.1 for Microsoft Windows patch resolves the following issues:

Tracking number: 25406
The patch enables the Local Authentication Client component to read passcodes from SID800 tokens when using the Offline Days Status screen to recharge the supply of offline days.

Tracking numbers: 25200 and 21153
The ability to invoke RSA Security EAP and RSA Security Protected OTP authentication from the Desktop Logon dialog using Log on using dial-up connection does not work. The patch fixes this problem so that both RSA Security EAP methods are supported for remote dial-up or VPN access.

Tracking number: 24374
The RSA Authentication Agent EAP client component uses the Microsoft Windows EAP system to save user information between authentications. Without the patch, saved information from failed and cancelled authentication attempts is not cleared, and the Authentication Agent does not prompt the user to authenticate with a different user name.

Tracking number: 24199
Without the patch, clicking Clear Offline Days in the RSA Security Center more than once causes an error that prevents the download of offline days until the RSA Security Center is closed.

Tracking number: 24188
Without the patch, when the offline authentication feature is disabled, the Pin Unlock feature prompts users for RSA SecurID passcodes instead of only their PINs.

Tracking number: 23802
The patch fixes a problem that can prevent users from logging on to their Microsoft Windows desktops. Without the patch, the workaround to the problem is to restart the desktop computer or restart the domain controller.

Tracking number: 23586
Without the patch, when both the Domain Authentication Client component and Local Authentication Client component are installed on the same computer, the PIN unlock option does not work for the Local Authentication Client computer.

Tracking number: 23579
The patch fixes a security vulnerability in which desktops protected with RSA Authentication Agent 6.1 for Microsoft Windows can be accessed by a second user with a valid user ID after the first user has locked the desktop. The vulnerability allows an unauthorized user to unlock an authenticated user’s desktop.

Tracking number: 18197
In RSA Authentication Agent 6.1 for Microsoft Windows, you cannot authenticate from a computer running both the Agent Domain Authentication Client component and the Agent Domain Server component when the Authentication Manager is unavailable, even if up-to-date offline data for your account exists. However, you can use your offline data to authenticate from computers running only the Agent Domain Client component. After you install the patch, when the RSA Authentication Manager is offline, you can successfully authenticate using offline data stored on the domain controller.

Tracking number: 19975
In RSA Authentication Agent 6.1 for Windows, you cannot authenticate offline to a system that is suspended due to low battery power. This problem occurs because of a misinterpretation of the change in system time associated with the forced suspension. After you install the patch, the Agent recognizes the suspension of the system and correctly handles the time change at restart.

Tracking number: 21693
Without the patch, when you use RSA Security EAP with PEAP, the RSA Security EAP component inappropriately attempts to validate the NAS IP address. Since this address is not provided during a PEAP authentication, the authentication fails.

Tracking number: 20546
Certain Windows applications repeatedly attempt to authenticate users even after the user receives an "Access Denied" message from the Agent authentication process. As a result, users are locked out of their Windows accounts. The lock-out occurs because of the return code that the sub authentication process passes back to Windows. In the patch, the return code has been changed from an authentication failure to an authorization failure code. The patch fixes all known Windows account locking issues.

Tracking number: 22190
Without the patch, alphanumeric PINs containing capital letters do not work with RSA Security Protected OTP. This happens because the RSA Security Protected OTP client does not correctly convert them to lowercase. Since the server treats all PINs as lowercase, all authentication attempts using PINs with capital letters fail. With the patch, the RSA Security Protected OTP client correctly converts all input to lowercase before transmitting it to the Authentication Manager.

Tracking number: 21522
Without the patch, for some users, the Offline Days Status screen in the RSA Security Center does not open when users right-click the RSA Security Center icon in the notification area of the Windows taskbar, then click View Offline Days.

Tracking number: 22390
Without the patch, the Never expire option for session certificates in the RSA Security Center does not work properly.

Tracking number: 22135
Without the patch, uninstalling the Agent Remote Authentication Server component leaves the Windows RRAS service unable to start. In the patch, the registry setting that causes this problem has been removed.

Tracking number: 21693
The patch fixes an intermittent failure that occurs when RSA Security EAP is used with PEAP and RADIUS Client Check.

Tracking number: 22184
Without the patch, under certain circumstances, when the Windows Agent clock is tampered with, offline authentication fails.

Tracking number: 22454
Without the patch, when you use RSA Security Protected OTP, users are always allowed to select a system-generated PIN, even if the policy controlling this option is turned off.

Tracking number: 22460
Without the patch, when the Authentication Manager rejects a user's PIN, the RSA Security Protected OTP client does not allow the user another opportunity to enter a valid PIN. With the patch, the Authentication Manager prompts the user up to three times for a valid PIN.

Tracking number: 19977
With the patch, the RSA Security Protected OTP client is more specific in the error messages it logs.

Tracking number: 22516
Without the patch, RSANetUse does not correctly map a shared drive whose name contains spaces.

Tracking number: 20475
Without the patch, the SDEAP module occasionally spawns multiple authentication windows.

Tracking number: 20190
The patch fixes a typographical error in the RSA Security Center.

Tracking number: 22995
With the patch, the legal notice page always appears before logon, and properly displays the legal notice.

Tracking number: 23151
The patch fixes a compatibility issue with Citrix in which credentials are not properly auto-submitted.

File Updates

The following files are updated when you install this patch:

\windows\System32

\Program Files\RSA Security\RSA Authentication Agent\

\Program Files\Common Files\RSA Shared\

commonlogevents.dll

\Program Files\Common Files\RSA Shared\RSA Security Center

\Program Files\Common Files\RSA Shared\Authentication Framework\

\Program Files\Common Files\RSA Shared\BackendUI\

Known Issues

Interoperability

Installation

Configuration

Authentication

General Authentication

Authentication Using the RSA SecurID Authenticator SID800 USB Token

Domain Authentication

Wireless Authentication

The next RSA Security prompt you see should be a user name dialog box. For more information, see Microsoft Knowledge Base article #823731 "How to remove cached user credentials that are used for PEAP authentication in Windows XP." This information applies to all RSA Security EAP protocols even if PEAP is not used.

If you are not running an active session:

The next RSA Security prompt you see should be a user name dialog box. For more information, see Microsoft Knowledge Base article #823731 "How to remove cached user credentials that are used for PEAP authentication in Windows XP." This information applies to all RSA Security EAP protocols even if PEAP is not used.

Remote Authentication

Offline Authentication

Terminal Services Authentication

For Windows XP platforms, remove your RSA SecurID Authenticator SID800 USB token from your computer before you run a terminal services session to the computer. If you leave the token connected to the computer and then run a terminal services session to the computer, you need to restart the computer before you can log on to it again.

Tracing and Logging

RSANetUse

If you use a software token to log on as an alternate user, RSANetUse fails to map drives.

Windows Password Integration

On Local Authentication Client computers, policy settings are updated every two hours. On Domain Authentication Client computers, policy settings are updated every four hours. Therefore, when you enable Windows password integration on a client computer, Windows password integration will not work until the policy has been updated. However, if you cannot wait until the policy is updated automatically, you can force a policy update by restarting the client computer.

Workstation Unlock with RSA SecurID PIN


Documentation Issues

The section "Authentication Environment Options" in the RSA SecurID Wireless Authentication Solution Guide says that by default, the environment is configured so that authentication occurs on behalf of network access devices. This is true for RSA RADIUS Server environments. However, for Microsoft IAS RADIUS Server environments, by default, authentication does not occur on behalf of network access devices.



Variations from Microsoft Compliance

RSA Authentication Agent 6.1 for Microsoft Windows complies with Microsoft branding requirements with the following exceptions. The titles and title numbers in this section pertain to the Microsoft compliance documentation.

Cross-Platform Certification Requirements

2.5 Install to Program Files by Default

RSA Authentication Agent 6.1 for Microsoft Windows installs the following shared files in SystemFolder:

Installing the files elsewhere makes the Authentication Agent incompatible with legacy RSA Security products that share these files. The Authentication Agent also installs unshared files inherited from previous versions of the Authentication Agent to SystemFolder.

The Authentication Agent installs the following files to WindowsFolder\Help:

S5.4 Install using a Windows Installer-Based Package That Passes Validation Testing

The RSA Authentication Agent installation deviates from certification requirements in the following ways:

Windows 2000 Server Certification Requirements

3.3 Provide Documented Keyboard Access to all Features

RSA Authentication Agent 6.1 for Microsoft Windows documents all assigned navigation keys in the interface with underlines.

Windows Server 2003 Certification Requirements

S2.8 Terminal Server Requirements

The RSA Authentication Agent 6.1 for Microsoft Windows installation modifies a HKEY_CURRENT_USER value. However, the modification results from Microsoft Windows Installer and not from the Authentication Agent software.

3.8 Services Running as LocalSystem Must Not Present a UI

The sdagentsvc service opens the default Microsoft Windows station and desktop. However, it does not present a user interface or accept user input or Windows messages.

Windows XP Certification Requirements

2.6: Install Shared Files to the Correct Locations

RSA Authentication Agent 6.1 for Microsoft Windows does not support the side-by-side shared files requirement because doing so would disable the backward compatibility of legacy Agents. Therefore, the following files are installed under the /program files folder/RSA Security/RSA Authentication Agent directory:

The following files must remain in the /system32 directory to ensure backward compatibility with legacy agents:

2.7 Support Add or Remove Programs Properly

The RSA Authentication Agent 6.1 for Microsoft Windows uninstaller removes all "non-shared" .dll files and services. It also removes all registry keys associated with the Authentication Agent that are not user configuration settings that must be maintained for future installations. The uninstall does not remove the following files:

3.2 Classify and Store Application Data Correctly

The sdcatool writes to a registry key other than HKCU. However, the sdcatool is designed to affect the system as a whole, and not individual users.



Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com

Customer Support Information: www.rsasecurity.com/support

RSA Secured Partner Solutions Directory: www.rsasecured.com



© 2006 RSA Security Inc. All rights reserved.

Trademarks

ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Confidence Inspired, e-Titlement, IntelliAccess, Keon, RC2, RC4, RC5, RSA, the RSA logo, RSA Secured, the RSA Secured logo, RSA Security, SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in e-Security, Transaction Authority, and Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and other countries. All other goods and services mentioned are trademarks of their respective companies.
