Mounting A USB Drive On RSA SecurID Appliance

We copied all the token seed files into a USB drive and we do not have access to the USB port of the Windows terminal which we used to manage the RSA SecurID Appliance.  In order to import the token seed files, we carried out the belowmentioned steps:

1.     Using a third-party utility such as PuTTY, open an SSH connection to the Primary Appliance.

2.     Login using the account emcsrv and key in the password when prompted.

3.     Change to root and key in the password when prompted:

            -bash-3.00$ sudo su –

4.     Plug the USB drive into one of the USB ports behind the Appliance.

5.     Key in the below command to check that the USB drive is listed:

            [root@kandti ~]# lsusb
            Bus 002 Device 004: ID 0a16:9005 Trek Technology (S) PTE. Ltd
            Bus 002 Device 003: ID 0424:2514 Standard Microsystems Corp.
            Bus 002 Device 002: ID 8087:0020
            Bus 002 Device 001: ID 1d6b:0002
            Bus 001 Device 002: ID 8087:0020
            Bus 001 Device 001: ID 1d6b:0002

The above information shows that the Appliance recognises one USB drive named “Trek Technology (S) PTE. Ltd”.

6.     Next, find out the device which is attached to the USB drive:

            [root@kandti ~]# dmesg | grep –i disk
            sd 0:0:0:0: [sda] Attached SCSI disk
            sd 4:0:0:0: [sdb] Attached SCSI removable disk
            sd 5:0:0:0: [sdb] Attached SCSI removable disk

From the output, the device is sdb.

7.     Navigate to the directory where the USB drive is to be mounted and mount it:

            [root@kandti ~]# cd /usr/tmp
            [root@kandti tmp]# mount –t vfat /dev/sdb tmp

8.     To confirm that the USB drive is mounted, key in the below command to display the files in the directory tmp:

            [root@kandti tmp]# ls –l

9.     Copy the required token seed files from the USB drive’s mount point to the desktop of the Windows terminal via WINSCP, a third-party utility.

10.   Unmount the USB drive by issuing the below command:

            [root@kandti var]# umount /dev/sdb

11.   Proceed to import the token seeds via Security Console.

Unable To Logon Using An Unchallenged Account After RSA Agent Upgraded

We upgraded the RSA agent for some of the Windows 2003 servers from version 6.1.3 to version 7.1.2. However, it was found out that we are not able to logon to the servers using an unchallenged account (i.e. an account which is not a member of the domain group where the members will be challenged). For those servers still using 6.1.3 agent, there is no issue when we logon using the same unchallenged account.

The below message will appears:

The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

After some troubleshooting, it was found out that the logon problem happened due to AD name translation failure for the challenged group KANDTI\RSAUsers.

The below steps were carried out to ensure that the challenged group has the same sAMAccountName and Common Name:

1.     Logon to a domain controller and click Start > Administrative Tools > Active Directory Users and Computers.

2.     On the View menu, select Advanced Features.

3.     Search for the group KANDTI\RSAUsers, right-click the group and open the Properties dialog.

4.     Click on the Object tab and note down the Canonical name of object (i.e. kandti.com/Users/RSAUsers).

5.     Click OK and exit from Active Directory Users and Computers.

6.     Click Start > Run and type adsiedit.msc and click OK.

7.     Under ADSI EDIT, expand DC=kandti,DC=com.

8.     Select CN=Users and look for CN=RSAUsers.

9.     Right-click CN=RSAUsers and open the Properties dialog.

10.   Click on the Attribute Editor tab and scroll down the attributes list to find the sAMAccountName attribute.

11.   Make sure the Value for the sAMAccountName is the same as the CN (i.e. both sAMAccountName and CN should be RSAUsers).

We are able to logon successfully after making the necessary change to sAMAccountName.

Error 1324: The path RSA Security contains an invalid character (1)

When trying to uninstall the RSA agent on a Windows 2003 x86 server in order to upgrade the agent to version 6.1.3, we encountered the below error message:

Error 1324: The path RSA Security contains an invalid character.

As advised by RSA Support, the following steps were carried out:

1. Logon to the server using the local administrator account to remove the belowmentioned folders and registry settings:

File locations:

C:\Program Files\RSA Security\RSA Authentication Agent

C:\Program Files\Common Files\RSA Shared

Registry:

[HKEY_CLASSES_ROOT\rsaconf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rsaconf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls] - "RSASecurityCenter"="C:\\Program Files\\Common Files\\RSA Shared\\RSA Security Center\\SCACPL.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] - "RSANotificationIcon"="\"C:\\Program Files\\Common Files\\RSA Shared\\RSA Security Center\\RSANotificationIcon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]- "UIService"="\"C:\\Program Files\\Common Files\\RSA Shared\\BackendUI\\UIService.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]- "C:\\Program Files\\RSA Security\\RSA Authentication Agent……….

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]- "C:\\Program Files\\Common Files\\RSA Shared……….

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] - "GinaDLL"="C:\\Program Files\\RSA Security\\RSA Authentication Agent\\AceGina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]- "C:\\Program Files\\Common Files\\RSA Shared……….

[HKEY_LOCAL_MACHINE\SOFTWARE\RSA Security]

[HKEY_LOCAL_MACHINE\SOFTWARE\RSAACEAgents]

[HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT]

2. Reboot the server.

3. Proceed to install the RSA Authentication Agent version 6.1.3.