RSA Authentication Agent 7.4
for Microsoft Windows
Installation and Administration Guide
Revision 2

Contact Information

RSA Link at contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

Dell, RSA, the RSA Logo, EMC and other trademarks, are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to a.

License Agreement

This software and the associated documentation are proprietary and confidential to Dell Inc. or its subsidiaries, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by Dell Inc.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.

Dell Inc. believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2012-2020 Dell Inc. or its subsidiaries. All Rights Reserved.

September 2019
Revised: September 2020

RSA Authentication Agent 7.4 Installation and Administration Guide

Contents

Chapter 1: Revision History

Preface
    About This Guide
    RSA Authentication Agent for Microsoft Windows Documentation
    Related Documentation
    Support and Service
    Before You Call Customer Support

Chapter 2: Product Overview
    RSA Authentication Agent for Microsoft Windows
    Key Features
    Challenge Users for RSA SecurID Passcodes
    RSA SecurID Authentication without an Authentication Manager Connection
    Integration of Windows Passwords in the RSA SecurID Logon Process
    Access to Protected Desktops in Emergency Situations
    Central Management of Authentication Settings
    Automatic Update of IP Addresses
    Access to Protected Computers Using a PIN or Password
    Multidomain Group Support
    Options to Customize RSA Authentication Agent
    Supported Authenticators
    RSA Control Center
    RSA Control Center Icons

Chapter 3: Preparing for Installation
    System Requirements
    Required Ports
    Supported Operating Systems
    Supported Third-Party Remote Access Products
    Supported RSA Authentication Manager Products
    Supported Third-Party Credential Providers
    Remote Access Support
    Preparations to Install Authentication Agent
    Set Up RSA Authentication Manager
    Create Groups of Users to Challenge with RSA SecurID
    Choose Emergency Access Methods
    Prepare Users for RSA SecurID Authentication

Chapter 4: Installing RSA Authentication Agent
    Installation Methods
    Single Installations
    Large-Scale Deployments
    Import Authentication Manager Files
    Installation Considerations
    Install the Product on a Single Computer
    Install the Product on Multiple Computers
    Create an Installation Package
    Provide Account Control Privileges to User Computers
    Deploy the Installation Package to Multiple Computers
    Test the Installation
    Review the Server Settings
    Test Authentication
    Install a Language Pack
    Use the Node Secret Load Utility
    Modify an Installation
    Modify the Installation for a Single Computer
    Modify the Installation for Multiple Computers
    Repair an Installation
    Upgrade to RSA Authentication Agent 7.4
    Uninstall the Product
    Uninstall the Product from a Single Computer
    Uninstall the Product from Multiple Computers
    Uninstall the Language Pack

Chapter 5: Managing Authentication Agents
    Offline Authentication
    Password Changes and Offline Authentication
    Clock Changes and Offline Authentication
    Manage Offline Days
    Refresh Offline Days
    Check the Supply of Offline Days
    Clear Offline Data
    Emergency Access
    Emergency Access Options
    Reserve Passwords
    Set Up Offline Authentication
    Users Who Work Locally and Remotely
    Different Remote Users Who Share a Computer
    Users Who Only Work Remotely
    Automatic Registration Process
    Prevent Automated Registration During Specified Events
    Prevent Automated Registration for Selected Subnets
    Specify Automated Registration for Selected Subnets
    Automated Registration and the Node Secret
    Automated Registration and Offline Authentication
    Maintain the Primary IP Address of the Authentication Agent Host
    Multidomain Group Support
    Automatic Password Synchronization
    Streamlined Authentication for Citrix XenApp and Remote Applications

Chapter 6: Troubleshooting
    Offline Authentication and the Auto-Registration Utility
    Authentication Issues
    RSA SecurID 800 Driver Might Not Install Automatically
    Authentication Fails After Changing the ‘Send Domain and Username Option’
    Test Authentication Succeeds, but Actual Authentication Fails
    Node Verification Fails
    Correct a Node Verification Failure
    Enable Tracing
    Diagnose Authentication Issues
    Verify the Accuracy of the Computer Clock
    Verify the System Configuration (sdconf.rec) File
    Replace the System Configuration (sdconf.rec) File
    Error and Event Viewer Log Messages

Appendix A: Configuring Automatic Load Balancing
    Automatic Load Balancing
    Dynamic Load Balancing
    Manual Load Balancing
    Manage an sdopts.rec File
    Create an sdopts.rec File
    Exclude an Authentication Manager Server During Dynamic Load Balancing
    Configure Manual Load Balancing
    Specify Alias IP Addresses for Use or Exclusion
    Specify an Overriding IP Address

Glossary

Index

Revision History

Revision Number    Date              Revision
1                  February 2020     Updated the “Supported Authenticators” section to state that RSA on-demand tokencode requires an active connection to RSA Authentication Manager. Other types of authenticators support offline authentication.
2                  September 2020    Removed references to unsupported versions of Windows and RSA Authentication Manager. Added the URL for the RSA Link page with the Release Notes for the latest cumulative /securid/authentication-agent-windows.

Preface

About This Guide

This guide describes how to install and configure RSA Authentication Agent 7.4 for Microsoft Windows. It is intended for administrators and other trusted personnel. Do not make this guide available to the general user population.

RSA Authentication Agent for Microsoft Windows Documentation

For more information about RSA Authentication Agent 7.4, see the following documentation and Help:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA Link urid/authentication-agent-windows.
- Group Policy Object Template Guide. Describes how to use Group Policy Object templates to configure RSA Authentication Agent 7.4 for Microsoft Windows. For example, you can use a policy template to define how users authenticate, define challenge groups, and set the logon field label.
- RSA Authentication Agent Help. Describes user and administration tasks performed in the RSA Control Center. (The Control Center is the user interface for Authentication Agent.) For example, it contains procedures for users to refresh offline days or check their logon options. For administrators, it includes procedures to test authentication, enable a reserve password, override an IP address, enable tracing, challenge users, clear a node secret or offline data, and review server information.

Related Documentation

For more information about products related to RSA Authentication Agent 7.4, see the following:

- RSA Authentication Manager documentation set. See the full documentation set for RSA Authentication Manager 8.3 or later on RSA securid/authentication-manager.
- RSA Ready Partner Program. RSA has worked with a number of manufacturers to qualify software that works with RSA products. Qualified third-party products include virtual private network (VPN) and remote access servers (RAS), routers, web servers, and many more. To access the directory, including implementation guides and other information, go to

Support and Service

You can access community and support information on RSA Link at RSA Link contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

The RSA Ready Partner Program website at provides information about third-party hardware and software products that have been certified to work with RSA products. The website includes Implementation Guides with step-by-step instructions and other information on how RSA products work with third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA Authentication Agent 7.4 for Microsoft Windows software.

Please have the following information available when you call:

- Your RSA Customer/License ID. RSA Authentication Agent 7.4 is free to customers. Use the RSA Authentication Manager software version number as your Customer/License ID. To find this number, do the following:
  In the RSA Security Console, click Help > About RSA Security Console > See Software Version Information.
- The make and model of the machine where the problem occurs.
- The name and version of the operating system where the problem occurs.

1 Product Overview

- RSA Authentication Agent for Microsoft Windows
- Key Features
- Supported Authenticators
- RSA Control Center

RSA Authentication Agent for Microsoft Windows

RSA Authentication Agent for Microsoft Windows works with RSA Authentication Manager to allow users to perform two-factor authentication when accessing Windows computers. Two-factor authentication requires something you know (for example, an RSA SecurID PIN) and something you have (for example, a tokencode generated by an RSA SecurID authenticator).

If you require a user to log on through Authentication Agent, the user may need to enter a passcode to access the computer. A passcode is an RSA SecurID PIN followed by a tokencode.

The first time users authenticate using an RSA SecurID passcode, they are prompted to automatically generate or manually create their RSA SecurID PINs. To enter the tokencode portion of the passcode, they can look at the numbers that appear on the front of their RSA SecurID authenticators and manually enter them next to their PINs (if using a handheld authenticator). Or, if they use USB RSA SecurID authenticators and they insert them into their USB ports, Authentication Agent automatically accesses the tokencodes from the authenticators after they enter their PINs.

To ensure they use a One-Time Passcode (OTP) for each authentication, the tokencode changes to a unique set of numbers approximately every minute. This helps prevent an unauthorized user from guessing a passcode—even if that person knows the PIN.

Note: Depending on the Authentication Manager settings, RSA SecurID users can also log on by entering just their tokencodes.

When a user enters a passcode, Authentication Agent sends the passcode to Authentication Manager for validation. If the passcode and password are correct, the user gains access to the desktop. For information on requirements, see Chapter 2, “Preparing for Installation.” For installation information, see Chapter 3, “Installing RSA Authentication Agent.”

Key Features

The following sections summarize the key features of RSA Authentication Agent 7.4 for Microsoft Windows. They include information about:

- Users to challenge for a passcode
- Offline authentication
- Integration of Windows password
- Exempt administrator account
- Central management of Authentication Agent policies using the Group Policy Object (GPO) templates
- Automatic update of IP addresses
- Access to protected computers using a PIN or password
- Multidomain group support

Challenge Users for RSA SecurID Passcodes

You can configure RSA Authentication Agent 7.4 for Microsoft Windows to challenge all users or only specific groups of users for an RSA SecurID passcode (PIN and tokencode). You select the user groups to challenge from a list that you already defined through the Microsoft Computer Management interface or in Active Directory. If necessary, create new groups before using Authentication Agent. For more information about creating challenge groups, see “Create Groups of Users to Challenge with RSA SecurID” on page 25.

You can also configure challenge settings for an individual computer from the RSA Control Center user interface. For more information, see the RSA Control Center Help topic Challenge Users. Note that if the computer is joined to a domain, settings configured by Group Policy override settings from the RSA Control Center.

RSA SecurID Authentication without an Authentication Manager Connection

You can configure RSA Authentication Agent for Microsoft Windows to extend RSA SecurID authentication to users when the connection to RSA Authentication Manager is not available (for example, when users work away from the office, or when network conditions make the connection temporarily unavailable). For more information, see Chapter 4, “Managing Authentication Agents.”

Integration of Windows Passwords in the RSA SecurID Logon Process

You can configure RSA Authentication Agent for Microsoft Windows so that the Windows password is integrated into the RSA SecurID logon process. When you configure Authentication Agent in this way, users provide their Windows passwords only during their initial online authentication. At this time, the passwords are stored with users’ authentication data in the RSA Authentication Manager database and, for offline authentication, in the offline data. During subsequent authentications, users enter only their user names and RSA SecurID passcodes until the password is changed in the Active Directory. Authentication Agent gets the Windows password from Authentication Manager and passes it to the RSA Authentication Agent Credential Provider. The RSA Authentication Agent functions as a logon interface for end users.

When Microsoft Windows passwords are changed by users who have Authentication Agent installed on their computers, passwords are automatically synchronized in corresponding accounts in the RSA Authentication Manager database. For more information, see “Automatic Password Synchronization” on page 69.

Important: If users have more than one domain and user name, your Authentication Manager administrator must add the different accounts in Authentication Manager. If the additional accounts do not exist in Authentication Manager, users cannot log on using RSA SecurID authentication. For more information, see the Group Policy Object Template Guide.

You can enable Windows password integration system-wide, on an individual Agent basis, or by groups. For example, to enable Authentication Agent, you create an Agent record in the RSA Authentication Manager database. You can enable Windows password integration for all of the Authentication Agent computers in the database or select certain computers. For more information about RSA Authentication Manager, see the RSA Authentication Manager Administrator’s Guide.

Note: The Windows password integration feature also requires that the offline authentication feature be enabled on both the Agent and the server. If you are using Windows password integration, do not disable offline authentication.

Access to Protected Desktops in Emergency Situations

The exempt administrator account is an emergency access method that enables you to authenticate to a protected desktop by using your administrator account with only a Windows password instead of an RSA SecurID passcode.

When you install RSA Authentication Agent 7.4 for Microsoft Windows, the installation wizard prompts you to select a challenge option. If you select Challenge all users except administrators, Authentication Agent challenges all users who log on to the computer for RSA SecurID credentials (PIN and tokencode), but it does not challenge any users who belong to the administrator group.

If you decide not to exempt the users in the administrator group during installation or when you first use the configuration wizard to create an installation package, you can set that option later. For example, you can reconfigure your settings using the Authentication Agent configuration wizard to create another installation package and deploy it. Or, you could make changes by changing the policy in the Group Policy Object template. For more information, see the Group Policy Object Template Guide.

For a list of other emergency access methods, see “Choose Emergency Access Methods” on page 26.

Central Management of Authentication Settings

To manage RSA Authentication Agent 7.4 for Microsoft Windows, you can use Group Policy Object templates to make changes to the Authentication Agent policies and apply those policies to the appropriate computers. You load the templates into the Microsoft Group Policy Management Console (GPMC) tool on your domain controller and specify policies within the templates. The policies are automatically downloaded by client computers within the domain.

Note: For computers you intend to protect with Authentication Agent that are not part of your domain or subject to Group Policy, you must install the templates on those computers and specify the template settings with the Local Group Policy Editor. See the Group Policy Object Template Guide for more information.

Before users start using Authentication Agent, you can define particular settings to tailor the product to your needs. RSA Authentication Agent comes with the following Group Policy Object (GPO) templates:

- RSA Authentication Agent (installed by default)
- RSA Authentication Agent Password Synchronization
- RSA SecurID Expiration Warning (installed by default)
- RSACredProviderFilter Microsoft (installed by default)
- RSACredProviderFilter SecurID (installed by default)
- RSACredProviderFilter SmartCard (installed by default)
- RSACredProviderFilter ThirdParty (installed by default)
- RSADesktop VerifyRSAComponents
- RSADesktop PreserveFailedAuthHistory

Each template is provided in .adm and .admx/.adml formats. The .admx/.adml format is required when importing files to the global policy Central Store.

If you want to restrict logon options for Authentication Agent users, you must install and configure one or more of the Credential Provider Filter policy templates. A Credential Provider filter allows you to hide the logon tile presented by a Credential Provider.

You can use the following filters:

GPO Template Filename               Description
RSACredProviderFilter Microsoft     Filters the Microsoft Credential Provider.
RSACredProviderFilter SmartCard     Filters the RSA Smart Card Credential Provider.
RSACredProviderFilter ThirdParty    Filters all third-party Credential Providers.
RSACredProviderFilter SecurID       Filters the RSA SecurID Credential Provider.

For more information about third-party options, see “Supported Third-Party Credential Providers” on page 22. For more information about how to use the templates, see the Group Policy Object Template Guide.

Automatic Update of IP Addresses

The IP address of an Authentication Agent client computer allows Authentication Manager to identify the computer during authentication. If you install the Auto-Registration utility when you install Authentication Agent, the utility automatically adds the agent to the Authentication Manager database the first time you log on to the computer using RSA Secu

