RSA Authentication Agent 7.0 For Microsoft Windows Installation And .


RSA Authentication Agent 7.0 for Microsoft Windows Installation and Administration Guide

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Limit distribution of this document to trusted personnel.

© 2008 RSA Security Inc. All rights reserved.
First printing: March 2008

RSA Authentication Agent 7.0 for Windows Installation and Administration Guide

Contents

Preface
  About This Guide
  RSA Authentication Agent 7.0 for Microsoft Windows Documentation
  Related Documentation
  Getting Support and Service
  Before You Call Customer Support

Chapter 1: Product Overview
  RSA Authentication Agent for Microsoft Windows
  Key Benefits
  Options for Challenging Users for RSA SecurID Passcodes
  RSA SecurID Authentication Without a Connection to Authentication Manager
  Integration of Windows Passwords into the RSA SecurID Logon Process
  Access to Protected Desktops in Emergency Situations
  Automatic Synchronization of Passwords
  Central Management of Authentication Settings
  Automatic Update of IP Addresses
  Access to Protected Workstations Using Only a PIN
  Options for Customizing RSA Authentication Agent

Chapter 2: Understanding Requirements
  Supported Operating Systems
  Supported RSA Authentication Manager Products
  System Requirements
  Preparing to Install and Configure Authentication Agent
  Set Up RSA Authentication Manager
  Create Groups of Users to Challenge with RSA SecurID
  Choose Emergency Access Methods
  Prepare Users for RSA SecurID Authentication

Chapter 3: Installing RSA Authentication Agent for Microsoft Windows
  Choosing an Installation Method
  Importing Authentication Manager Files
  Understanding Installation Issues
  Upgrading to RSA Authentication Agent 7.0 for Microsoft Windows
  Installing Authentication Agent on a Single Computer
  Installing Authentication Agent on Multiple Computers
  Using the Authentication Agent Configuration Wizard
  Providing Account Control Privileges to User Computers
  Deploying the Installation Package to Multiple Computers
  Installing a Language Pack
  Using the Node Secret Load Utility
  Testing the Installation
  Verify the Status of the Authentication Environment
  Testing Authentication
  Changing the Settings After Installation

Chapter 4: Understanding Offline Authentication
  Offline Authentication Overview
  How Password Changes Affect Offline Authentication
  How Clock Changes Affect Offline Authentication
  Managing Offline Days
  Recharging Offline Days
  Checking the Supply of Offline Days
  Emergency Access
  Setting Up Offline Authentication for Remote Users
  Setting Up Offline Authentication for Users Who Work Locally and Remotely
  Setting Up Offline Authentication for a Shared Computer Used Remotely
  Setting Up Offline Authentication for Users Who Only Work Remotely

Chapter 5: Understanding the Automatic Registration Process
  Overview of the Automatic Registration Process
  Preventing Automated Registration During Specified Events
  Understanding How Automated Registration Affects the Node Secret
  Understanding how Automated Registration Behaves During Offline Authentication
  Maintaining the Primary IP Address of the Authentication Agent Host

Chapter 6: Troubleshooting
  Offline Authentication and the Auto-Registration Utility
  Authentication Issues
  Users Receive Error Messages During Authentication
  Test Authentication Succeeds, but Actual Authentication Fails
  Node Verification Fails
  Diagnosing Authentication Issues
  Verify the Accuracy of the Computer Clock
  Verify the System Configuration (sdconf.rec) File
  Troubleshooting Issues with Microsoft Windows
  Error and Event Viewer Log Messages

Chapter 7: Uninstalling, Modifying, or Repairing Authentication Agent
  Uninstalling Authentication Agent
  Uninstalling Authentication Agent from a Single Computer
  Uninstalling Authentication Agent from Multiple Computers
  Uninstalling a Language Pack
  Modifying an Installation
  Modifying the Installation for a Single Computer
  Modifying the Installation for Multiple Computers
  Repairing an Installation

Appendix A: Configuring Automatic Load Balancing
  Overview of Automatic Load Balancing
  Dynamic Load Balancing
  Manual Load Balancing
  Creating and Using an sdopts.rec File
  Creating an sdopts.rec File
  Excluding an Authentication Manager Server During Dynamic Load Balancing
  Configuring Manual Load Balancing
  Specifying Alias IP Addresses for Use or Exclusion
  Specifying an Overriding IP Address

Chapter 8: Index

Preface

About This Guide

This guide provides instructions for installing and configuring RSA Authentication Agent 7.0 for Microsoft Windows. When combined with RSA Authentication Manager 6.1 with Patch 2, RSA Authentication Agent 7.0 for Microsoft Windows enhances native Windows security with the strong, two-factor authentication of time-based RSA SecurID tokens.

This guide is intended for administrators and other trusted personnel. For security reasons, do not make this guide available to the general user population.

RSA Authentication Agent 7.0 for Microsoft Windows Documentation

For more information about RSA Authentication Agent 7.0 for Microsoft Windows, see the following documentation and Help:

- Release Notes. Provides information about new and changed features in this release, as well as workarounds for known issues. The latest version of the Release Notes is available from RSA SecurCare Online: https://knowledge.rsasecurity.com.

- RSA Security Center Help. Describes the user options available in the RSA Security Center (the user interface of RSA Authentication Agent). All of the user options appear in the Home tab. To view the Help, click Help from the RSA Security Center menu or any dialog box.

- RSA Security Center Administrator Help. Describes the configuration options available to administrators in the RSA Security Center (the user interface of RSA Authentication Agent). All of the administrator options appear in the Configuration tab. Any changes made through the Security Center only affect the local computer. To view the Help, click Help from the RSA Security Center menu or any dialog box.

- Using RSA Group Policy Object Templates with RSA Authentication Agent 7.0 for Microsoft Windows. Describes how to use Group Policy Object templates to manage RSA Authentication Agent 7.0 for Microsoft Windows after you install the product. For example, you can use the policy templates to make configuration changes and apply the settings to numerous computers. The templates and documentation do not automatically come with the product. To get the Group Policy Object templates and the Using RSA Group Policy Object Templates with RSA Authentication Agent 7.0 for Microsoft Windows guide, go to the Authentication Agent product page on the RSA web site (www.rsa.com) and see the download page. (Go to the RSA Authentication Agent Try/Evaluate page and click Downloads from the bottom of the page.)

Related Documentation

For more information about the products related to RSA Authentication Agent 7.0 for Microsoft Windows, see the following:

- RSA Authentication Manager documentation set. The full documentation set for RSA Authentication Manager 6.1 (with the RSA Authentication Manager 6.1.2 Readme). To access a documentation set, go to http://knowledge.rsasecurity.com.

- RSA Secured Partner Solutions directory. RSA has worked with a number of manufacturers to qualify software that works with RSA products. Qualified third-party products include virtual private network (VPN) and remote access servers (RAS), routers, web servers, and many more. To access the directory, including implementation guides and other information, go to http://www.rsasecured.com.

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about using RSA products with these third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA Authentication Agent 7.0 for Microsoft Windows software.

Please have the following information available when you call:

- Your RSA Customer/License ID for Authentication Manager.
- RSA Authentication Agent for Microsoft Windows software version number.
- The make and model of the computer.
- The name and version of the operating system.

Chapter 1: Product Overview

This chapter describes the purpose of RSA Authentication Agent for Microsoft Windows and its key benefits.

RSA Authentication Agent for Microsoft Windows

RSA Authentication Agent for Microsoft Windows, coupled with RSA Authentication Manager, uses two-factor authentication to protect access to computers with a Windows Vista operating system. Two-factor authentication requires something you know (for example, an RSA SecurID PIN) and something you have (for example, a tokencode generated by an RSA SecurID token).

Note: You must use a hand-held RSA SecurID token with RSA Authentication Agent. For example, you cannot use a software token on your computer or a SecurID token connected to the USB port. However, you can use Authentication Agent with a software token installed on a portable device, for example, a Blackberry. For more information on software tokens, see the RSA documentation that came with your software token.

If you require a user to log on through Authentication Agent, the user may need to enter an RSA SecurID PIN followed by a tokencode to access the computer. The SecurID PIN and tokencode together are known as the passcode. The first time users authenticate using SecurID, they create their SecurID PINs (automatically or manually). The tokencode appears as numbers on the front of a handheld SecurID token. The numbers change approximately every minute. (Depending on the settings in Authentication Manager, SecurID users can also log on by entering just their tokencodes or their Windows passwords.)

When a user enters a passcode, Authentication Agent sends the passcode to Authentication Manager for validation. If the passcode is correct, the user gains access to the desktop.

For information on requirements, see Chapter 2, “Understanding Requirements.” For installation information, see Chapter 3, “Installing RSA Authentication Agent for Microsoft Windows.”

Key Benefits

The following sections summarize the key features of RSA Authentication Agent for Microsoft Windows. They include overview information on how to challenge users, authenticate offline, integrate Windows passwords, use emergency access, and synchronize passwords.

Options for Challenging Users for RSA SecurID Passcodes

You can configure RSA Authentication Agent for Microsoft Windows to challenge all users or only specific groups of users for an RSA SecurID passcode (PIN and tokencode). You select the user groups to challenge from a list that you already defined through the Microsoft Computer Management interface. If necessary, create new groups before using Authentication Agent. For more information about creating challenge groups, see “Create Groups of Users to Challenge with RSA SecurID” on page 20.

RSA SecurID Authentication Without a Connection to Authentication Manager

You can configure RSA Authentication Agent for Microsoft Windows to extend RSA SecurID authentication to users when the connection to RSA Authentication Manager is not available (for example, when users work away from the office, or when network conditions make the connection temporarily unavailable). For more information, see Chapter 4, “Understanding Offline Authentication.”

Integration of Windows Passwords into the RSA SecurID Logon Process

You can configure RSA Authentication Agent for Microsoft Windows so that the Windows password is integrated into the RSA SecurID logon process. When you configure Authentication Agent in this way, users provide their Windows passwords only during their initial online authentication. At this time, the passwords are stored with users’ authentication data in the RSA Authentication Manager database and, for offline authentication, in the offline data.

During subsequent authentications, users enter only their user names and RSA SecurID passcodes. Authentication Agent gets the Windows password from Authentication Manager and passes it to the RSA Authentication Agent Credential Provider. (The RSA Authentication Agent Credential Provider functions as a logon interface for end users. For example, the Windows Vista operating system comes with a Microsoft Credential Provider. For more information, see “Options for Customizing RSA Authentication Agent” on page 14.)

Important: If you select the Send domain and user name to RSA Authentication Manager option in the RSA Security Center and users have more than one domain and user name, your Authentication Manager administrator must add the different accounts in Authentication Manager. If the additional accounts do not exist, users cannot log on using SecurID authentication.

You can enable Windows password integration system-wide, on an individual Agent basis, or by groups. For example, to enable Authentication Agent, you create an Agent record in the RSA Authentication Manager database. You can enable Windows password integration for all the Authentication Agent computers in the database or select certain computers.

For more information on the RSA Security Center, see the RSA Security Center Administrator Help. For more information on policy templates, see “Changing the Settings After Installation” on page 42 or Using RSA Group Policy Object Templates with RSA Authentication Agent 7.0 for Microsoft Windows. For more information on RSA Authentication Manager, see the RSA Authentication Manager 6.1 Administrator’s Guide.

Access to Protected Desktops in Emergency Situations

The exempt administrator account is an emergency access method that enables you to authenticate to a protected desktop by using your administrator account with only a Windows password instead of an RSA SecurID passcode. When you install RSA Authentication Agent for Microsoft Windows, the installation wizard prompts you to select a challenge option. If you select Enable challenge with the exclusion of the administrator, Authentication Agent challenges all users who attempt to log on to the computer for SecurID credentials (PIN and tokencode), but it cannot challenge any users who belong to the administrator group on the computer.

If you decide not to exempt the users in the administrator group during installation or when you first use the configuration wizard to create an installation package, you can set that option later. For example, you can reconfigure your settings using the Authentication Agent configuration wizard to create another installation package and deploy it. Or, you could make changes to a single computer by logging on as an administrator and using the RSA Security Center configuration options. (The RSA Security Center is the user interface of Authentication Agent.)

For a list of other emergency access methods, see “Choose Emergency Access Methods” on page 21.

Automatic Synchronization of Passwords

When Microsoft Windows passwords are changed by users who have Authentication Agent installed on their computers, passwords are synchronized in corresponding accounts in the RSA Authentication Manager database. The RSA SecurID challenge settings determine which users have their passwords synchronized. For example, if you configure Authentication Agent to challenge all users, passwords are synchronized for all users. If you configure Authentication Agent to challenge only a certain group of users, passwords are synchronized only for that group of users.

Central Management of Authentication Settings

To install and manage RSA Authentication Agent for Microsoft Windows, you can use the configuration wizard. For example, if you need to deploy Authentication Agent to many computers in your enterprise, use the configuration wizard that comes with the product to configure the authentication settings in a copy of the RSA Authentication Agent 7.0 for Microsoft Windows.msi file and create a unique installation package. You can then deploy that package to the appropriate users in your enterprise. If you only need to install the product on a few computers, you can use the RSA Authentication Agent 7.0 for Microsoft Windows.msi and use a typical or custom installation.

Once you install Authentication Agent, you can manage the authentication settings in different ways. For example, if you need to make changes to many computers, you can create another installation package using the configuration wizard and deploy it. Any changes you make override the previous settings. For more information on the installation process using the configuration wizard or MSI file, see Chapter 3, “Installing RSA Authentication Agent for Microsoft Windows.”

If you prefer to use Group Policy Object templates to make modifications for numerous computers, you can set the options in the templates and apply those policies to the appropriate computers. To use the templates, you load them into the Microsoft Policy Management tool on your domain controller, and specify policy settings within the templates. The policy settings are automatically downloaded by client workstations within the domain.

The RSA Group Policy Object templates are not automatically installed with the RSA Authentication Agent software. You install them separately. To get the Group Policy Object templates and the Using RSA Group Policy Object Templates with RSA Authentication Agent 7.0 for Microsoft Windows guide, go to the Authentication Agent product page on the RSA web site (www.rsa.com) and see the download page. (Go to the RSA Authentication Agent Try/Evaluate page and click Downloads from the bottom of the page.)

If you only need to make changes to a single computer, you can log on to the computer as an administrator and access the configuration options through the RSA Security Center. For more information on making changes to the settings of a local computer, see the RSA Security Center Administrator Help.

Automatic Update of IP Addresses

The IP address of an Authentication Agent client computer enables Authentication Manager to identify the computer during authentication. If you install the Auto-Registration utility when you install Authentication Agent, the utility automatically adds the Agent host to the Authentication Manager database the first time you log on to the computer using RSA SecurID authentication. On sequential logon sessions, the utility updates the Agent host IP address.

Authentication Agent also launches the Auto-Registration utility:

- If the IP address of the Authentication Agent client computer changes
- When you use the RSA Security Center to clear the node secret on the Authentication Agent client computer

For more information, see Chapter 5, “Understanding the Automatic Registration Process.”

Access to Protected Workstations Using Only a PIN

You can configure RSA Authentication Agent for Microsoft Windows to allow users to unlock their protected workstations using only their RSA SecurID PINs instead of their full passcodes. As an administrator, you can enable and disable this feature, set a time-out period for the feature, and set the number of times users can enter incorrect PINs before they are prompted for full passcodes.

You configure this option using any of the following:

- Configuration wizard. Allows you to customize your installation package for a large-scale deployment (before or after installation)
- RSA Group Policy Object administrator templates. Allow you to make modifications after installation through policies
- RSA Security Center (Authentication Agent user interface). Allows you to make changes on a single computer

For more information on the configuration wizard, see Chapter 3, “Installing RSA Authentication Agent for Microsoft Windows.” For more information on the Group Policy Object templates, see Using RSA Group Policy Object Templates with RSA Authentication Agent 7.0 for Microsoft Windows. For more information on the Security Center, see the RSA Security Center Administrator Help.

Options for Customizing RSA Authentication Agent

The RSA Authentication Agent Credential Provider functions as a logon interface for end users. For example, the Windows Vista operating system comes with a Microsoft Credential Provider. A user sees this as a tile with an image and a user name under the tile. The user can click the tile to open the logon prompt and log on to the computer with a Windows password.

Once you install Authentication Agent, users can see the RSA Authentication Agent Credential Provider. This Credential Provider appears as an RSA SecurID tile with an image and the appropriate user name under it.

You can customize the RSA Authentication Agent Credential Provider in the following ways:

- Specify whether logon prompts request passwords or passcodes. If you require users to log on with an RS
