RSA SecurID®

Setup guide: Local Authentication

DISCLAIMER

This documentation is intended for informational purposes only. These guides

reflect the NASA SEWP Security Center experiences with this product. These
guides are independent and are to be used as a reference to setting up the RSA
SecurID® product. There are no express or implied warranties regarding the
veracity of the information provided. Please read the RSA documentation for
complete product information.

Note: This is intended for setup for local authentication. Setup guide should cover things
from installing the agent to configuring the agent. The resources for information will
come directly from the RSA supplements PDF files and other docs. Other sources
provided by support documentation from the RSA help center.

RSA Agent 6.0

Local Authentication: Windows XP Pro Sp2
Note comes from download of the site not from cd (make sure you specify
where to find them.

Installing Agent:

Check List: To do first

1. Make sure that the server is installed on a machine

2. Second decide the type of install you want (in this case local
authentication.
3. Decide whether you want auto register an update to server or
you want manually create an agent host file on the server
database.
a. Recommended to auto: It will automatically do the file
creation. Otherwise the admin will have to create the
record and change it anytime the agent changes IP
address or other info.
4. Make sure server is enabled to auto register Agents
5. Make sure server is running along with the Data broker (note
data broker will automatically be running when server is
running.)
6. If you have not already done so, copy the sdconf.rec and
server.cer file from the ACEDATA
directory(C:RSA>ace>data) on the Primary RSA ACE/Server

1
 to the computers on which you plan to install these RSA
ACE/Agent components: – Local authentication client (copy to
c:/ drive)
7. Begin installing Agent on Machine

Install:
Depending if you are installing from a CD or was downloaded
from The RSA site the methods and instruction should be the same. Note that this
guide is designed from a download from the RSA site.

1. Download the .zip file from RSA website Agent 6.0

2. Unzip it contents to Desktop. It won’t matter were you put it

because it will be installed)

3. To install the agent open folder AA601_Win (or whatever it is

called)

4. Locate the RSA ACE Agent for Windows Installer package

.msi (path: AA601_Win/en/acecInt/nt_i386)

5. Double click
a. Assuming no other services is running or installed, aka
meaning no other RSA stuff is on machine. If so stop
the stuff

6. Advance through welcome pages: Choose North America then

hit Next:

2
7. select agree and click next

8. Select Custom: We are doing Local Authentication. Typical

will by default install stuff for a domain authentication.
Another setup guide.

3
9. Turn off all components except for Local Authentication Client: (click on the small
thumbnail image click on the red x to stop the installation of that feature) Hit Next

10. Locate the sdconf.rec file to identify the server: Note should be copied to c drive
(c:\sdconf.rec) If not: hit browse to locate and select the sdconf file. Depending on where
you have the file make sure you specify where to locate the file, but by default if stored
on the C Drive the program should go right to it.

4
11. If you want to change the path it’s your choice just remember its new Location
otherwise click next to keep the default.

12. Same as step 11 click next to keep default location

5
13. Choose “Do not challenge the Admin” Hit Next: Note may choose to challenge after
installation you will have to remember to go in and specify. You can also challenge all
users Caution if you log off the machine after install you will be locked out if there are
any problems of authenticating. Thus Admin not challenged allows for a way back into
the machine.

14. Click Install

6
15. Click Finish but do not restart yet….

Automated Registration of Agent Hosts

in the RSA ACE/Server Database
To install and run the Automated Agent Host Registration and Update utility:

16. Copy the sdconf.rec and server.cer files on the Primary (path!!!!) RSA ACE/Server to a
temporary directory on the Agent host. (c:\temp\)

17. Copy the sdadmreg_install.exe file from the acesupp\sdadmreg\nt_i386

directory to the temporary directory you created in the previous step. (c:\temp\)

7
NOTE: Before you run sdadmreg.exe, verify that database brokers are running on the RSA
ACE/Server.
If the RSA ACE/Server is installed on a Windows computer, starting any
RSA ACE/Server program, such as the Database Administration application, automatically starts
the database brokers.

18. On the Agent host, double-click sdadmreg_install.exe, and follow the instructions on your
screen.
The sdadmreg_install utility installs sdconf.rec, server.cer, and sdadmreg.exe in the \system32
directory.

19. Go through welcome by hit next

8
20. Accept click Yes

21. Install click Yes

9
22. Click finish (maybe verify they are in the system folder)

23. Restart machine: This will activate the Agent and the auto feature to the server. This
will start the RSA login box and request user Name and passcode.

Test the Authentication using the RSA ACE/Agent

in Control Panel.
1. Test the Authentication using the ACE/Agent.
Control Panel ---> RSA ACE/Agent --->Double click
Click on test Authentication with RSA ACE/Server.

2. Click on RSA ACE/Server Test Directly.

3. Type the securID user name and passcode.

10
4. Notice the Authentication successful message.

5. Challenge the users in a group with SecurID

a. Create a group first and add a securID user as a member to that group.
b. Set the SecurID Challenge for users in a group
Select the option “Challenge Users” in and select a group.

6. Set the reserve password.

11
Reserve password must be more than 6 characters and contain at least one number.

Document this reserve password in a secured location. This will provide access to the machine in
case of emergency and can be used only after disconnecting the machine from the network.

Offline access configuration:(not tested)

1. Control Panel -->Administrative Tools --->Services --->Double click on RSA

Authentication Agent Offline Local Properties

Click on Start button. Click OK.

Restart the machine.

Log in as a user from challenge group. You will be prompted with securID. After that you will be
prompted for Windows password. This password will be stored in ACE/Server database. Log off
and log back as same user. Notice, that you will be able to log in only with securID credentials.

Troubleshooting:
1. On ACE/server verify system configuration and confirm that password integration is enabled at
system level and Agent host level as well.
2. Make sure that on ACE/Server offline auth data daemon is running and the port 5580 is
listening.
3. Observe ACE/Server log monitor for any related errors.

12
4. On the Agent host, make sure that the service RSA Authentication Agent Offline Local is
running.
5. Enabling tracing in ACE/Agent Advanced tab. This creates ACECLIENT.LOG file in Winnt
directory on Windows
2000 machines (On Windows 2003 and XP machines trace file is created in Windows
directory).

Please refer online help menu for details.

6. In advanced tab, clear offline logon data, if password download fails.

Password recharging:

On the Agent host ---- >Task Bar ----> Double click on the RSA SecurID –Recharge offline days
icon. You can recharge the password, if you have changed the password on domain.

13
Local Authentication client (LAC) and Domain Authentication Client (DAC) can be installed on the
same machine. The limitation with this configuration is that the domain password must match with
the local password for a given user account.
Otherwise, if a local password is changed, it breaks the password integration using domain
authentication.
If the password is changed on domain, click on clear offline logon data in Advanced tab. Then
authenticate again. This will download the password again.

Enable Tracing: This creates the tracing file ACECLIENT.LOG in Winnt/System32 on Windows
2000 clients.
On Windows 2003/XP machines tracing file is created in Windows/System32.

14