
RSA® Authentication Agent 2.0.3 for Microsoft® AD FS Administrator's Guide

Revision 2
Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

RSA Conference Logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates ("RSA").
For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks
are trademarks of their respective owners.

License Agreement

This software and the associated documentation are proprietary and confidential to RSA Security LLC or its
affiliates, are furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation, and any
copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed on the product documentation page on RSA
Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export
of encryption technologies, and current use, import, and export regulations should be followed when using,
importing or exporting this product.

Distribution

Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this
publication requires an applicable software license. RSA believes the information in this publication is accurate
as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
© Copyright 2007-2020 RSA Security LLC or its affiliates. All Rights Reserved.

July 2020

Revised: January 2021


RSA Authentication Agent 2.0.3 for Microsoft AD FS Administrator's Guide

Contents

Revision History 6

Preface 7

Audience 7

Support and Service 7

RSA Ready Partner Program 7

Chapter 1: Overview 9

About RSA Authentication Agent for Microsoft AD FS 10

When to Use Agent for AD FS 10

Feature Support 11

Supported Authentication Methods 12

Language Support 13

Chapter 2: Preparing for Installation 15

Requirements and Compatibility 16

Operating System and AD FS Version Requirements 16

Network Requirements 16

RSA Authentication Manager Compatibility 16

RSA SecurID Authenticator and Device Requirements 16

Web Browser Compatibility 16

Configuration Settings and Required Information 17

Prepare Users for RSA SecurID Access Authentication 19

RSA Authentication Manager Mode 19

Cloud Authentication Service Mode 20

Chapter 3: Installing or Upgrading the Agent 21

Installing the Agent 22

Before You Begin 22

Install the Agent Using the Install Wizard 22

Create a Configuration Input File for Command Line Installation 23

Install the Agent Using the Command Line 24

Next Steps 25

Upgrade to AD FS Agent 2.0.3 26

Chapter 4: Configuring and Managing the Agent 29


Register the Agent in RSA Authentication Manager 30

Register or Unregister the Agent with Microsoft AD FS 30

Configure Multifactor Authentication (MFA) 30

Configure MFA on Windows Server 2019 in Desktop Experience Mode 31

Select RSA SecurID for Primary Authentication 31

Select RSA SecurID for Additional Authentication 32

Configure MFA on Windows Server 2016 or 2012 R2 in Desktop Experience Mode 32

Configure MFA on Windows Server 2019 in Server Core Mode 33

Select RSA SecurID for Primary Authentication 33

Select RSA SecurID for Additional Authentication 33

Configure MFA on Windows Server 2016 or 2012 R2 in Server Core Mode 34

Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode 34

Test MFA on Windows Server 2019 or 2016 in Server Core Mode 36

Test MFA on Windows Server 2012 R2 37

Coexistence with RSA Authentication Agent 1.0.2 for Microsoft AD FS 37

Configure Multifactor Authentication for Multiple Agent Versions 37

Restart AD FS Services 38

Import Trusted Root Certificate 38

Import Trusted Root Certificate in Desktop Experience Mode 39

Import Trusted Root Certificate in Server Core Mode 39

Add Localized Authentication Pages 40

Remove Localized Authentication Pages 40

Edit Settings Using the Agent for AD FS Configuration Utility 41

Enable or Disable FIPS on Windows Server 2019, 2016, or 2012 R2 41

Change the AD FS Theme on Windows Server 2019 42

Configure Logging 42

Default Log Format 42

Options for Size-Based Logging 42

Options for Time-Based Logging 43

RSA Group Policy Object Templates 44

Update Access Control List (ACL) Permissions 44

Repair an Installation 44

Repair an Installation Using the Install Wizard 44


Repair an Installation Using the Command Line 44

Uninstall the Agent 45

Before You Begin 45

Uninstall the Agent Using Windows Control Panel 46

Uninstall the Agent Using the Install Wizard 46

Uninstall the Agent Using the Command Line 46

After You Finish 46

Chapter 5: Troubleshooting 47

Installation Logs 48

Diagnose Authentication Issues 48

Verify the Accuracy of the Computer Clock 48

Errors and Log Messages 48

Agent Log Messages 48

User-Facing Error Messages 49

Event Viewer Messages 50


Revision History

Revision 1, October 2020: Added instructions for obtaining the RSA SecurID Authentication API REST URL from
the Cloud Administration Console. Added information on supported authentication methods.

Revision 2, January 2021: Added configuration details for using RSA Authentication Manager 8.5 as a secure
proxy server for the Cloud Authentication Service.


Preface

Audience

This guide is for network and system administrators who deploy, configure, and manage RSA Authentication
Agent for Microsoft AD FS.

The document assumes you have experience using Microsoft Active Directory® Federation Services (AD FS) for
Windows Server®. It also assumes you have experience with RSA Authentication Manager or the Cloud
Authentication Service, or you are working with an administrator for those products.

Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link
contains a knowledgebase that answers common questions and provides solutions to known problems, product
documentation, community discussions, and case management.

RSA Ready Partner Program

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware
and software products that have been certified to work with RSA products. The website includes
Implementation Guides with step-by-step instructions and other information on how RSA products work with
third-party products.


Chapter 1: Overview

About RSA Authentication Agent for Microsoft AD FS 10

When to Use Agent for AD FS 10

Feature Support 11

Supported Authentication Methods 12

Language Support 13


About RSA Authentication Agent for Microsoft AD FS

RSA Authentication Agent for Microsoft AD FS is authentication software that connects your Microsoft Active
Directory Federation Services (AD FS) server to RSA SecurID Access using the REST protocol to provide
multifactor authentication capabilities for AD FS.

When a user attempts to access an AD FS-protected resource, the user enters username and password
credentials for primary authentication. Agent for AD FS then prompts the user to complete one or more
additional authentication methods, depending on the configured authentication mode.

Windows Server 2019 AD FS allows you to select RSA SecurID for primary authentication and Windows
authentication for secondary authentication. This configuration is not supported with earlier versions of AD FS.

Agent for AD FS supports these authentication modes:

• RSA Authentication Manager. Connects the agent to an existing RSA Authentication Manager
  instance in your deployment, making the SecurID Token method available for user authentication. You
  use the Operations Console, Security Console, and Self-Service Console to manage identity sources,
  users, and tokens.
• RSA Authentication Manager 8.5 as a secure proxy server for the Cloud Authentication
  Service. You can use RSA Authentication Manager as a secure proxy server that sends any
  authentication requests that Authentication Manager cannot validate directly to the Cloud Authentication
  Service. This authentication mode supports all of the authentication methods supported by the Agent
  for AD FS. It does not support certain Authentication Manager features, such as agent reporting,
  enabling and disabling or restricting agents, and failover to replica instances for agents.
• Cloud Authentication Service. Connects the agent to the Cloud Authentication Service, making the
  Authenticate Tokencode, Approve, Device Biometrics, SMS Tokencode, and Voice Tokencode methods
  available. If Authentication Manager is integrated with the Cloud Authentication Service, RSA SecurID
  Token can also be used to authenticate in this mode. You use the Cloud Administration Console to
  manage identity sources, users, access policies, and authentication methods.

Note: RSA recommends Cloud Authentication Service mode for most deployments. For a complete list of
features and benefits, see Cloud Authentication Service Overview on RSA Link.

When to Use Agent for AD FS

There are two distinct integration methods by which you can connect your Microsoft AD FS environment to the
Cloud Authentication Service:

• RSA Authentication Agent for Microsoft AD FS (the agent described in this document)
• SAML identity provider configuration

For most scenarios, RSA recommends using Agent for AD FS.

By integrating Microsoft AD FS with the Cloud Authentication Service using the agent, you can continue to use
your AD FS environment for authentication and SSO, while adding advanced RSA authentication methods for
additional security. When authenticating through the agent, users have a streamlined experience that is
presented entirely within the AD FS authentication interface.

In a SAML identity provider configuration, users are redirected from the AD FS interface to the RSA SecurID
Access interface and back again, resulting in a functional but less-streamlined experience. If either of the
following conditions applies to your deployment, RSA recommends using SAML identity provider configuration:

• You need to use FIDO authentication (the agent does not support FIDO)
• You do not want to install or maintain additional software on your AD FS servers (the agent must be
  installed on each AD FS server)

For more information on using SAML identity provider configuration to integrate Microsoft AD FS with the Cloud
Authentication Service, see https://community.rsa.com/docs/DOC-79812.

Feature Support

RSA Authentication Agent for Microsoft AD FS supports the following features:

• RSA SecurID Token authentication through RSA Authentication Manager using the REST API endpoint
  over IPv4 or IPv6.
• Up to 15 RSA Authentication Manager replicas
• Agent reporting (agent sends hostname, agent version, and operating system version to Authentication
  Manager 8.3 or later)
• Multifactor authentication through the Cloud Authentication Service using the REST protocol, with
  support for these methods:
    • RSA SecurID Token
    • RSA SecurID Authenticate Tokencode
    • Approve
    • Device Biometrics
    • SMS Tokencode
    • Voice Tokencode
    • Emergency Tokencode
• Supports TLS 1.2 encryption protocol (exclusively)
• Supports FIPS-enabled operating system environment
• Collection of risk and location data for use with Cloud Authentication Service access policies.

The following features are not supported by Agent for AD FS:

• FIDO authentication
• Authentication method combinations that include FIDO
• RSA SecurID authentication using legacy RSA SecurID UDP protocol
• RSA SecurID authentication using RADIUS protocol
• On-Demand authentication using RADIUS protocol
• Risk-based authentication through RSA Authentication Manager
• Risk-based authentication with single sign-on through RSA Authentication Manager
• Secondary RADIUS server support
• RSA SecurID software token automation
• RSA SecurID 800 Authenticator automation
• RSA SecurID protection of administrative interface


Note: It is not possible to upgrade older versions of Agent for AD FS to version 2.0.

Supported Authentication Methods

Scenario: Agent for AD FS connects to the Cloud Authentication Service.
Authentication Methods: The following methods are supported:
• RSA SecurID Token
• RSA SecurID Authenticate Tokencode
• Approve
• Device Biometrics
• SMS Tokencode
• Voice Tokencode
• Emergency Tokencode
FIDO authentication and authentication method combinations that include FIDO are not supported.

Scenario: Agent for AD FS connects to RSA Authentication Manager.
Authentication Methods: You can authenticate with RSA SecurID hardware and software tokens. The following
Authentication Manager methods are not supported:
• RSA RADIUS authentication
• On-demand authentication (ODA)
• Risk-based authentication (RBA)

Scenario: Agent for AD FS connects to RSA Authentication Manager 8.5. Authentication Manager is connected to
the Cloud Authentication Service.
Authentication Methods:
• You can authenticate with RSA SecurID hardware and software tokens, Authenticate Tokencode, Approve, or
  Device Biometrics authentication.
• Users are prompted for Authenticate Tokencode or RSA SecurID passcode if the Cloud Authentication Service
  or the connection between Authentication Manager and the Cloud Authentication Service is temporarily
  unavailable or too slow.

Scenario: Agent for AD FS deployed in Cloud Authentication Service mode with a direct connection to
RSA Authentication Manager 8.5, which is used as a secure proxy server to the Cloud Authentication Service.
Authentication Methods: Authentication Manager and Cloud Authentication Service methods are supported:
• RSA SecurID Token
• RSA SecurID Authenticate Tokencode
• Approve
• Device Biometrics
• SMS Tokencode
• Voice Tokencode
• Emergency Tokencode
Users are prompted for Authenticate Tokencode if the Cloud Authentication Service or the connection between
Authentication Manager and the Cloud Authentication Service is temporarily unavailable or too slow.

Language Support

Localized (translated) authentication web pages for RSA Authentication Agent for Microsoft AD FS are available
on RSA Link. You must download and enable the localized pages to make non-English languages available to
users. When enabled, the localized pages display according to the language preferences set for the user's web
browser. For instructions, see Add Localized Authentication Pages on page 40.

Localized pages are provided for US English and the following languages:

• French (fr)
• German (de)
• Italian (it)
• Japanese (ja)
• Korean (ko)
• Portuguese (pt)
• Russian (ru)
• Simplified Chinese (zh-Hans)
• Spanish (es)


Chapter 2: Preparing for Installation

Requirements and Compatibility 16

Configuration Settings and Required Information 17

Prepare Users for RSA SecurID Access Authentication 19


Requirements and Compatibility

Before deploying RSA Authentication Agent for Microsoft AD FS, make sure your environment meets the
following requirements.

Operating System and AD FS Version Requirements


Minimum: Windows Server 2012 R2 (Server Core or Desktop Experience) with AD FS 3.0

Recommended:
• Windows Server 2016 (Server Core or Desktop Experience) with AD FS 4.0
• Windows Server 2019 (Server Core or Desktop Experience) with AD FS 2019

Note: You must have system administrator privileges on the AD FS server, and Microsoft Active Directory
Services must be running before you install Agent for AD FS.

Network Requirements
Port 5555: Used by default for REST protocol communication between the agent and Authentication Manager
primary and replica instances when the agent is configured in Authentication Manager mode. The Authentication
Manager administrator can change which port is used for this purpose.

Port 443: Used for REST protocol communication between the agent and the Cloud Authentication Service when
the agent is configured in Cloud Authentication Service mode.

RSA Authentication Manager Compatibility


RSA Authentication Manager 8.3 or later is required when Agent for AD FS is deployed in RSA Authentication
Manager mode. Authentication Manager must be deployed and running before you install the agent.

RSA Authentication Manager 8.5 is required to use Authentication Manager as a secure proxy server to the Cloud
Authentication Service.

RSA SecurID Authenticator and Device Requirements


Users must have an RSA SecurID hardware or software token to successfully authenticate when the agent is
deployed in RSA Authentication Manager mode. RSA SecurID tokens are enabled in Authentication Manager.

For Cloud Authentication Service mode, users must install and register the RSA SecurID Authenticate app on a
compatible device to authenticate using the Approve, Device Biometrics, or Authenticate Tokencode methods.
SMS Tokencode and Voice Tokencode require that the user's phone number is recorded in an identity source
connected to RSA SecurID Access, and the phone number attribute is synchronized with the Cloud
Authentication Service. To use the RSA SecurID Token method, Authentication Manager must be integrated with
the Cloud Authentication Service, and users must have SecurID hardware or software tokens. The access policy
configured for the agent must allow the authentication methods you want to make available to AD FS users.

Note: The RSA SecurID 800 Hybrid Authenticator (SecurID 800) can be used in disconnected mode only.

Web Browser Compatibility


RSA has verified the Agent for AD FS compatibility with the following web browsers:

• Internet Explorer (11)
• Google Chrome (83)
• Mozilla Firefox (68)
• Safari on Yosemite (9.1)
• Safari on iOS (13.3)
• Android Web Browser on Android 7.0

Note: JavaScript must be enabled in the browser.

Configuration Settings and Required Information

You configure the basic settings required to set up the agent using the installer. You can edit those settings and
additional options from the Agent for AD FS Configuration Utility after installing the agent. For instructions, see
Edit Settings Using the Agent for AD FS Configuration Utility on page 41.

The following table describes how to configure each setting. Before you install the agent, review these settings
and obtain the necessary configuration information from your RSA Authentication Manager or Cloud
Authentication Service administrator.

Note: The settings you can configure depend on the authentication mode you select.

Setting: Authentication Mode
Details: Select an authentication mode:

• RSA Authentication Manager. Connects the agent to an existing RSA Authentication Manager instance in
  your deployment, making the SecurID Token method available for user authentication. You use the
  Operations Console, Security Console, and Self-Service Console to manage identity sources, users, and
  tokens.
• Cloud Authentication Service. Connects the agent to the Cloud Authentication Service, making the
  Authenticate Tokencode, Approve, Device Biometrics, SMS Tokencode, and Voice Tokencode methods
  available. If Authentication Manager is integrated with the Cloud Authentication Service, RSA SecurID
  Token can also be used to authenticate in this mode. You use the Cloud Administration Console to manage
  identity sources, users, access policies, and authentication methods.

Note: RSA recommends Cloud Authentication Service mode for most deployments. For a complete list of
features and benefits, see Cloud Authentication Service Overview on RSA Link.

Setting: Server URL
Details: Enter the REST authentication URL for either the Cloud Authentication Service or your primary
Authentication Manager instance using the following format:

https://HOSTNAME:PORT/mfa/v1_1/

If you are using Authentication Manager as a secure proxy server, enter the REST authentication URL for your
Authentication Manager primary instance.

For Authentication Manager, obtain the HOSTNAME value from the Fully Qualified Domain Name field on the
Administration > Network > Appliance Network Settings page of the Operations Console. The default PORT is
5555.

For the Cloud Authentication Service, obtain the HOSTNAME value from the Cloud Administration Console. Click
My Account > Company Settings > Authentication API Keys. Copy the RSA SecurID Authentication API REST URL.
The default PORT is 443.

Setting: Access Key
Details: Enter the REST authentication API access key for either RSA Authentication Manager or the Cloud
Authentication Service, depending on your authentication mode.

If you are using Authentication Manager as a secure proxy server, use an Authentication Manager access key.

To obtain the API access key, see the following on RSA Link:

• For RSA Authentication Manager, see Configure the RSA SecurID Authentication API for Authentication
  Agents.
• For the Cloud Authentication Service, see Add an RSA SecurID Authentication API Key.

Setting: Agent Name
Details: Enter a name for the agent. The name you specify is used to identify the agent in Authentication
Manager or in mobile notifications sent through the Cloud Authentication Service.

If a name is not specified, Authentication Manager uses the name "Authenticate" for the Approve method.

Note: The agent name must be the exact name that is used for the authentication agent record in the Security
Console. REST protocol authentication agents can use a logical name, and the agent name is not used for DNS
resolution.

Setting: Replica Server URLs
Details: Enter the REST authentication URLs for the Authentication Manager replica instances in your
deployment. If communication with the primary instance is interrupted, the agent attempts to connect to each
replica in the order that they are configured.

In the Install Wizard, you enter the URL for one replica at a time and click + to add it to the list, or select a
URL from the list and click - to remove it.

In the configuration utility, choose an option for configuring replica server URLs:

Add Replica URL. Enter each replica URL when prompted.

Modify Existing Replica URL. Enter the number of the URL you want to modify from the list, then enter the
modified URL when prompted.

Delete Replica URL. Enter the number of the URL you want to delete from the list.

Setting: Access Policy
Details: Enter the exact name (including case sensitivity) of the access policy that the agent will use as
specified in the Cloud Administration Console. An access policy is required when the agent connects directly to
the Cloud Authentication Service or uses RSA Authentication Manager 8.5 as a secure proxy server for the Cloud
Authentication Service.

For information on viewing and adding access policies, see Manage Access Policies on RSA Link.

Setting: Request Timeout
Details: Enter the maximum number of seconds allowed for the agent to complete each transaction with
Authentication Manager or the Cloud Authentication Service.

Range: 1-180

Default: 180

Note: If an Authentication Manager instance becomes unavailable, users may experience a delay during
authentication while the agent attempts to contact a replica instance. Setting a lower Request Timeout value
can reduce this delay.

Setting: Read Timeout
Details: Enter the maximum number of seconds allowed for the agent to connect to the authentication server
and read the response.

Range: 1-180

Default: 60

Setting: Retry Count
Details: Enter the number of times the agent will try to contact the Cloud Authentication Service or an
Authentication Manager instance if the first attempt is unsuccessful.

If the agent is in Authentication Manager mode and replicas are configured, the agent attempts to contact the
next replica when the retry count is reached. When the retry count is reached in Cloud Authentication Service
mode, the connection fails.

Range: 1-5

Default: 3

Setting: Server Refresh Interval
Details: Enter the number of minutes between polling attempts to determine whether the Authentication
Manager service is available.

Minimum: 5

Default: 5

Setting: Risk Collection
Details: Select whether to enable collection of device fingerprint data and other information during
authentication, which the Cloud Authentication Service can use to establish a level of identity confidence for
a user. Access policies can use the Identity Confidence attribute to make it easier for users with high identity
confidence to authenticate. See Condition Attributes for Access Policies on RSA Link for more information.

Note: Regardless of this setting, the agent always collects initiating IP address, user agent, and HTTP header
information during user authentication, which the Cloud Authentication Service can use to determine
authentication requirements according to the configured access policy.

Setting: Location Collection
Details: Select whether to enable collection of HTML5 geolocation data during user authentication, which
includes longitude, latitude, and a timestamp. Access policies can use the Trusted Location attribute to make
it easier for users to authenticate from specific locations. For more information, see Condition Attributes for
Access Policies on RSA Link.

Note: Regardless of this setting, the agent always collects initiating IP address, user agent, and HTTP header
information during user authentication, which the Cloud Authentication Service can use to determine
authentication requirements according to the configured access policy.
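As an added pre-flight check before running the installer (example code written for this guide, not part of the agent or its installer), the following Python script validates a set of agent settings against the rules in the table above: the Server URL format, the default port for each mode, the documented numeric ranges, and which settings each mode requires. The mode labels, setting names, hostnames and access key value are constructed for the example and are not installer identifiers.

```python
import re

# Authentication modes as described in the guide (constructed labels, not installer values).
MODE_AM = "authentication_manager"
MODE_CLOUD = "cloud"
MODE_PROXY = "cloud_via_am_proxy"

# Default REST port per mode: 5555 for an Authentication Manager instance (also when it
# acts as secure proxy), 443 for a direct connection to the Cloud Authentication Service.
DEFAULT_PORT = {MODE_AM: 5555, MODE_PROXY: 5555, MODE_CLOUD: 443}

# Documented ranges as (minimum, maximum); None means no documented upper bound.
NUMERIC_RANGES = {
    "request_timeout": (1, 180),
    "read_timeout": (1, 180),
    "retry_count": (1, 5),
    "server_refresh_interval": (5, None),
}
MAX_REPLICAS = 15  # the agent supports up to 15 Authentication Manager replicas

# Documented URL format: https://HOSTNAME:PORT/mfa/v1_1/ (hostname or IPv4 literal expected here).
URL_RE = re.compile(r"^https://(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5})/mfa/v1_1/$")


def check_rest_url(url, mode):
    """Return (errors, warnings) for one REST authentication URL in the given mode."""
    errors, warnings = [], []
    match = URL_RE.match(url or "")
    if not match:
        errors.append(f"{url!r} does not match https://HOSTNAME:PORT/mfa/v1_1/")
        return errors, warnings
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        errors.append(f"{url!r}: port {port} is out of range")
    elif port != DEFAULT_PORT[mode]:
        # The Authentication Manager administrator may change the port, so only warn.
        warnings.append(f"{url!r}: port {port} is not the default {DEFAULT_PORT[mode]} for this mode")
    return errors, warnings


def validate_settings(settings):
    """Check a settings mapping against the guide's rules; return (errors, warnings)."""
    errors, warnings = [], []
    mode = settings.get("authentication_mode")
    if mode not in DEFAULT_PORT:
        return [f"unknown authentication mode {mode!r}"], warnings

    url_errors, url_warnings = check_rest_url(settings.get("server_url"), mode)
    errors += url_errors
    warnings += url_warnings

    if not settings.get("access_key"):
        errors.append("access_key is required in every mode")

    # An access policy is required whenever the Cloud Authentication Service is reached,
    # directly or through Authentication Manager 8.5 as a secure proxy.
    if mode in (MODE_CLOUD, MODE_PROXY) and not settings.get("access_policy"):
        errors.append("access_policy is required when the agent reaches the Cloud Authentication Service")

    replicas = settings.get("replica_urls") or []
    if replicas and mode != MODE_AM:
        # Replica failover is only available in Authentication Manager mode (not in proxy mode).
        errors.append("replica_urls are only used in Authentication Manager mode")
    if len(replicas) > MAX_REPLICAS:
        errors.append(f"at most {MAX_REPLICAS} replicas are supported, got {len(replicas)}")
    for url in replicas:
        rep_errors, rep_warnings = check_rest_url(url, MODE_AM)
        errors += [f"replica {msg}" for msg in rep_errors]
        warnings += [f"replica {msg}" for msg in rep_warnings]

    for name, (low, high) in NUMERIC_RANGES.items():
        value = settings.get(name)
        if value is None:
            continue  # the installer default applies
        if not isinstance(value, int) or value < low or (high is not None and value > high):
            bound = f"{low}-{high}" if high is not None else f">= {low}"
            errors.append(f"{name}={value!r} is outside the documented range {bound}")

    if not settings.get("agent_name"):
        warnings.append('agent_name is empty; Authentication Manager will show the Approve method as "Authenticate"')
    return errors, warnings


# Constructed sample settings (placeholder hostnames and key) for illustration only.
SAMPLE_AM = {
    "authentication_mode": MODE_AM,
    "server_url": "https://am-primary.example.com:5555/mfa/v1_1/",
    "replica_urls": ["https://am-replica1.example.com:5555/mfa/v1_1/"],
    "access_key": "PLACEHOLDER-ACCESS-KEY",
    "agent_name": "adfs-agent-01",
    "request_timeout": 60,
    "read_timeout": 30,
    "retry_count": 3,
    "server_refresh_interval": 5,
}

SAMPLE_CLOUD_BAD = {
    "authentication_mode": MODE_CLOUD,
    "server_url": "http://cloud.example.com/mfa/v1_1/",  # wrong scheme, no port
    "replica_urls": ["https://am-replica1.example.com:5555/mfa/v1_1/"],  # not used in Cloud mode
    "access_key": "PLACEHOLDER-ACCESS-KEY",
    "retry_count": 9,  # above the documented maximum of 5
}

if __name__ == "__main__":
    for label, cfg in (("am", SAMPLE_AM), ("cloud-bad", SAMPLE_CLOUD_BAD)):
        errs, warns = validate_settings(cfg)
        print(label, "errors:", errs, "warnings:", warns)
```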

Prepare Users for RSA SecurID Access Authentication

Before installing Agent for AD FS, complete the preparation tasks for the authentication mode you will configure.

RSA Authentication Manager Mode


• Assign hardware or software authenticators (tokens).
• Register users as RSA SecurID users in the Authentication Manager database and activate their tokens.
• Distribute hardware or software tokens. Provide instructions for importing a software token to the RSA
  SecurID app on new software token users' devices.
• Provide instructions for setting a PIN. Agent for AD FS supports User-Created PIN and System-Generated
  PIN.
• Provide authentication instructions.

For instructions and guidance, see the RSA Authentication Manager 8.4 Administrator's Guide on RSA Link.

Cloud Authentication Service Mode


• Instruct users to install the RSA SecurID Authenticate app from the Apple App Store, Google Play, or
  Microsoft Store and complete device registration if they will authenticate using the Approve, Device
  Biometrics, or Authenticate Tokencode methods.
• If users will authenticate using the SMS Tokencode or Voice Tokencode methods, make sure each user's
  phone number is registered with the Cloud Authentication Service. The SecurID Authenticate app and
  mobile device registration are not required for these authentication methods.
• If RSA Authentication Manager is integrated with the Cloud Authentication Service and users will
  authenticate using RSA SecurID tokens, assign, activate, and distribute tokens as described for RSA
  Authentication Manager Mode on the previous page.
• Provide authentication instructions.

For instructions and guidance, see Cloud Authentication Service Help on RSA Link.


Chapter 3: Installing or Upgrading the Agent

Installing the Agent 22

Upgrade to AD FS Agent 2.0.3 26


Installing the Agent

You can install the AD FS Agent 2.0.3 or upgrade directly to AD FS Agent 2.0.3 from AD FS Agent 2.0.1 or 2.0.2.

Install the agent using one of the following methods:

• Install Wizard. The Install Wizard guides you through the installation process. Run the Install Wizard
  on each AD FS server in your deployment.
• Command Line. The installer relies on command line options and an input file to define installation
  parameters, and can be run in silent mode, suppressing all interface elements. Run the command line
  installation on each AD FS server in your deployment.

To upgrade the agent, see Upgrade to AD FS Agent 2.0.3 on page 26.

Before You Begin


• Copy RSA Authentication Agent v2 for Microsoft AD FS x64.msi to a folder on the system where you will install the agent.
• Obtain the API access key for either RSA Authentication Manager or the Cloud Authentication Service, depending on the authentication mode you will configure. To obtain the API access key, see the following on RSA Link:
  • For RSA Authentication Manager, see Configure the RSA SecurID Authentication API for Authentication Agents.
  • For the Cloud Authentication Service, see Add an RSA SecurID Authentication API Key.
• For command line installation only:
  • Create an input file to pass configuration parameters to the installer. For instructions, see Create a Configuration Input File for Command Line Installation on page 23.
  • Make sure you are familiar with installing software using the msiexec command line. For more information, visit http://technet.microsoft.com.

Note: If Windows Server is installed in Server Core mode, you must invoke the installer from the
command line.

Install the Agent Using the Install Wizard


Perform this procedure to install RSA Authentication Agent for Microsoft AD FS using the Install Wizard.

Procedure
1. Sign into the AD FS server where you want to install Agent for AD FS.
2. Double-click RSA Authentication Agent v2 for Microsoft AD FS x64.msi to start the Install
Wizard.
3. Click Next.
4. Read and accept the license agreement, then click Next.
5. Provide the required configuration parameters. See Configuration Settings and Required Information on
page 17 for details.
6. Click Next.
7. Click Install.
8. When installation is complete, click Finish.


Create a Configuration Input File for Command Line Installation


To install Agent for AD FS using the command line, you must create an input file to pass configuration inputs to
the installer. The input file is a text file containing key-value pairs that specify agent installation parameters.
Complete the following procedure to create the input file.

Before you begin

Obtain the API access key for either RSA Authentication Manager or the Cloud Authentication Service, depending
on the authentication mode. To use Authentication Manager as a secure proxy server, you need an
Authentication Manager access key.
To obtain the API access key, see the following on RSA Link:

l For RSA Authentication Manager, see Configure the RSA SecurID Authentication API for Authentication
Agents.
l For the Cloud Authentication Service, see Add an RSA SecurID Authentication API Key.

Procedure
1. Create a text file with any file name and extension. For example, input.txt.
2. Add the following string to specify the Authentication Mode:
AUTHENTICATION_MODE=<#>
where <#> is 1 for RSA Authentication Manager mode or 2 for Cloud Authentication Service mode.

To use RSA Authentication Manager 8.5 as a secure proxy server for the Cloud Authentication Service,
select Cloud Authentication Service mode.

3. Add the following string to specify the Server URL:


SERVER_URL=<https://www.myexampleserver.com:5555/mfa/v1_1>
where <https://www.myexampleserver.com:5555/mfa/v1_1> is the REST authentication URL for either the Cloud Authentication Service or the primary Authentication Manager instance in your deployment, depending on the authentication mode you specified.

If you are using Authentication Manager as a secure proxy server, enter the REST authentication URL for
your Authentication Manager primary instance.

4. Add the following string to specify the Agent Name:


AGENT_NAME=<examplename>
where <examplename> is the name you choose to identify the agent in Authentication Manager or in
mobile notifications sent through the Cloud Authentication Service.

Note: The agent name must be the exact name that is used for the authentication agent record in the
Security Console. REST protocol authentication agents can use a logical name, and the agent name is not
used for DNS resolution.

5. Add the following string to specify the Access Key:


ACCESS_KEY=<accesskey>
where <accesskey> is the access key you obtained for either RSA Authentication Manager or the Cloud
Authentication Service, depending on the authentication mode.

If you are using Authentication Manager as a secure proxy server, use an Authentication Manager access
key.


6. Do one of the following:


• For RSA Authentication Manager mode, add the following string to specify Replica Server URLs:
REPLICA_URLS=<https://www.replica1.com:5555/mfa/v1_1,https://www.replica2.com:5555/mfa/v1_1,https://www.replica3.com:5555/mfa/v1_1>
where the value in angle brackets is a comma-separated list of REST authentication URLs for the replica servers in your deployment.
• For Cloud Authentication Service mode, add the following string to specify the Access Policy:
ACCESS_POLICY=<accesspolicy>
where <accesspolicy> is the exact name (including case) of the access policy as specified in the Cloud Administration Console.

An access policy is required when the agent connects directly to the Cloud Authentication Service or when the agent uses RSA Authentication Manager 8.5 as a secure proxy server to the Cloud Authentication Service.

7. (Optional) For Cloud Authentication Service mode, add the following string if you need to disable
collection of risk data during authentication:
RISK_COLLECTION_ENABLED=false
If you do not add this string, risk data collection is enabled by default.

Note: If you disable risk collection, you cannot use the Identity Confidence access policy attribute to
determine user authentication requirements.

8. (Optional) For Cloud Authentication Service mode, add the following string to disable collection of
location data during authentication:
LOCATION_COLLECTION_REQUIRED=false
If you do not add this string, location data collection is enabled by default.

Note: If you disable location collection, you cannot use the Trusted Location access policy attribute to
determine user authentication requirements.

9. Save the file to the AD FS server where you want to install the agent.

After you finish

• Point to the input file you created by including the following in the console command when you install the agent using the command line:
INPUTFILE=<absolute\file\path\input.txt>
where <absolute\file\path\input.txt> is the absolute file path for the input file.
• Secure or delete the input file after you install the agent: it contains the API access key in clear text.

Install the Agent Using the Command Line


Perform this procedure to install RSA Authentication Agent for Microsoft AD FS using the command line.

This procedure assumes that you are familiar with installing software using the msiexec command line.

Before you begin

Create an input file to pass configuration parameters to the installer. For instructions, see Create a Configuration Input File for Command Line Installation on page 23.

Procedure
1. Open an administrator command prompt.
2. Navigate to the directory that contains the RSA Authentication Agent v2 for Microsoft AD FS
x64.msi package file, or provide the full pathname to the package file on the command line.
3. To install RSA Authentication Agent for Microsoft AD FS, use a command similar to the following:
msiexec /i "RSA Authentication Agent v2 for Microsoft AD FS x64.msi" /L*v install.log /q INPUTFILE=<absolute\file\path\input.txt>
where <absolute\file\path\input.txt> is the absolute file path for the input file you created.
The /q switch instructs the installer to run in silent mode; /L*v writes a verbose installation log to install.log.

After you finish

Secure or delete the input file, as it contains sensitive data.
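
The two command-line procedures above (create the input file, then run msiexec) as a single script. This is an added example, not the RSA installer's own tooling: it prompts for the API access key so the key is never typed on a command line, writes the key-value file with an ACL restricted to SYSTEM and Administrators, runs the silent install with a verbose log, checks the msiexec exit code, and removes the input file whether or not the install succeeded. The MSI path, server URL, agent name and replica URLs are placeholders for your deployment; the mode shown is RSA Authentication Manager (AUTHENTICATION_MODE=1), so replace REPLICA_URLS with ACCESS_POLICY for Cloud Authentication Service mode. Run it from an elevated PowerShell prompt on each federation server.

```powershell
# Added example: scripted command-line installation of Agent for AD FS.
# Not part of the RSA guide; paths, URLs and names below are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$msi       = 'C:\Install\RSA Authentication Agent v2 for Microsoft AD FS x64.msi'
$inputFile = Join-Path $env:ProgramData 'rsa-adfs-input.txt'   # no spaces, so no quoting needed on the msiexec line
$logFile   = Join-Path $env:ProgramData 'rsa-adfs-install.log'

# Prompt for the access key so it never appears on the command line or in shell history.
$secureKey = Read-Host -Prompt 'RSA API access key' -AsSecureString
$plainKey  = [System.Net.NetworkCredential]::new('', $secureKey).Password

# Key-value pairs in the input file format described in the guide (mode 1 = Authentication Manager).
$settings = [ordered]@{
    AUTHENTICATION_MODE = '1'
    SERVER_URL          = 'https://am-primary.example.com:5555/mfa/v1_1'   # assumption
    AGENT_NAME          = 'adfs-farm-agent'                                # must match the Security Console agent record
    ACCESS_KEY          = $plainKey
    REPLICA_URLS        = 'https://am-replica1.example.com:5555/mfa/v1_1,https://am-replica2.example.com:5555/mfa/v1_1'
}
$lines = foreach ($entry in $settings.GetEnumerator()) { '{0}={1}' -f $entry.Key, $entry.Value }

# Create the file empty, replace its inherited ACL with SYSTEM + Administrators only, then write the content.
New-Item -Path $inputFile -ItemType File -Force | Out-Null
$acl = Get-Acl -Path $inputFile
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting and discard inherited ACEs
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')))
}
Set-Acl -Path $inputFile -AclObject $acl
Set-Content -Path $inputFile -Value $lines -Encoding ASCII

try {
    $msiArgs = @('/i', "`"$msi`"", '/L*v', "`"$logFile`"", '/q', "INPUTFILE=$inputFile")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "Install succeeded; log: $logFile" }
        3010    { Write-Warning "Install succeeded but a reboot is required; log: $logFile" }
        default { throw "msiexec exited with $($proc.ExitCode); see $logFile" }
    }
}
finally {
    # The file holds the access key in clear text: overwrite (best effort) and delete it even if the install failed.
    if (Test-Path -Path $inputFile) {
        Set-Content -Path $inputFile -Value ('0' * 4096) -NoNewline
        Remove-Item -Path $inputFile -Force
    }
    $plainKey = $null
}
```

Windows Installer records the msiexec command line, including the INPUTFILE path, in the verbose log. The guide does not state whether the installer copies values read from the input file into MSI properties, so treat install.log as sensitive until you have inspected it.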

Next Steps
After installing RSA Authentication Agent for Microsoft AD FS, perform these steps:

1. (RSA Authentication Manager mode only) Register the agent in RSA Authentication Manager. For instructions, see Register the Agent in RSA Authentication Manager on page 30.
2. Register the agent with AD FS on the primary federation server using the Agent for AD FS Configuration Utility. For instructions, see Register or Unregister the Agent with Microsoft AD FS on page 30.
3. Import the trusted root CA certificate from either Authentication Manager or the Cloud Authentication Service. For instructions, see Import Trusted Root Certificate on page 38.
4. Configure multifactor authentication settings for your environment. For instructions, see Configure Multifactor Authentication (MFA) on page 30.
5. (Optional) Configure additional settings such as Request Timeout, Read Timeout, and Retry Count using the configuration utility. For more information, see Edit Settings Using the Agent for AD FS Configuration Utility on page 41.
6. (Windows Server 2019 only) Change the AD FS theme from a right alignment to a center alignment. For instructions, see Change the AD FS Theme on Windows Server 2019 on page 42.


Upgrade to AD FS Agent 2.0.3

You can upgrade to AD FS Agent 2.0.3 from AD FS Agent 2.0.1 or AD FS Agent 2.0.2.

Before you begin

Administrator privileges are required.

Procedure
1. Unregister the current AD FS Agent 2.0.1 or 2.0.2 on the primary federation server:
a. Sign into the primary AD FS server where you installed the agent.
b. Open a PowerShell command prompt, and enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
c. From the Main Menu, enter 5 to select Unregister Agent.

2. On each federation server in your AD FS deployment, extract the files from the AD FS Agent kit. You can run the .msi file from any directory.
3. From an administrator command prompt, change to the directory containing the .msi file, and run the following:
msiexec /i "RSA Authentication Agent v2 for Microsoft AD FS x64.msi" REINSTALL=ALL REINSTALLMODE=vomus
If you encounter problems with the upgrade or want to create an installation log, run the following command instead:
msiexec /i "RSA Authentication Agent v2 for Microsoft AD FS x64.msi" /l*v install.log REINSTALL=ALL REINSTALLMODE=vomus
4. Repeat steps 2 and 3 to install or upgrade the AD FS agent on all federation servers in your AD FS deployment.
5. Register the agent on the primary federation server:
a. Sign into the Primary AD FS server where you installed the agent.
b. Open a PowerShell command prompt.
c. Enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
d. From the Main Menu, enter 4 to select Register Agent.

6. Restart Active Directory Federation Services (adfssrv) on each federation server in your AD FS
deployment:
a. Sign into each AD FS server where you installed the agent.
b. Open a PowerShell command prompt.
c. Enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
d. From the Main Menu, enter 3 to select Restart AD FS.


After you finish

• Test multifactor authentication on the AD FS agent. For instructions, see Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode on page 34, Test MFA on Windows Server 2019 or 2016 in Server Core Mode on page 36, or Test MFA on Windows Server 2012 R2 on page 37. If you are unable to authenticate, see Troubleshooting on page 47.
• (Windows Server 2019 only) Change the AD FS theme from a right alignment to a center alignment. For instructions, see Change the AD FS Theme on Windows Server 2019 on page 42.
• (Optional) To allow users to set a Windows Hello for Business PIN, download and deploy the updated RSA GPO templates that are available for AD FS Agent 2.0.2 or later, and then disable the "Validate the Authentication Context" policy setting. For instructions, see Chapter 2, "Deploying Group Policy Object Templates" in the RSA Authentication Agent 2.0.3 for Microsoft AD FS GPO Template Guide.


Chapter 4: Configuring and Managing the Agent

Register the Agent in RSA Authentication Manager 30

Register or Unregister the Agent with Microsoft AD FS 30

Configure Multifactor Authentication (MFA) 30

Coexistence with RSA Authentication Agent 1.0.2 for Microsoft AD FS 37

Restart AD FS Services 38

Import Trusted Root Certificate 38

Add Localized Authentication Pages 40

Remove Localized Authentication Pages 40

Edit Settings Using the Agent for AD FS Configuration Utility 41

Enable or Disable FIPS on Windows Server 2019, 2016, or 2012 R2 41

Change the AD FS Theme on Windows Server 2019 42

Configure Logging 42

RSA Group Policy Object Templates 44

Update Access Control List (ACL) Permissions 44

Repair an Installation 44

Uninstall the Agent 45


Register the Agent in RSA Authentication Manager

After you install the Authentication Agent for AD FS, you must register it with Authentication Manager if you are
using Authentication Manager mode.

Before you begin

Make sure you know the Agent Name you specified when installing Agent for AD FS.

Procedure
1. Sign into the RSA Security Console.
2. Click Access > Authentication Agents > Add New.
3. Enter the required information. Make sure the Agent Type is set to Standard Agent (default setting).
Authentication Manager uses this setting to determine how to communicate with Microsoft AD FS.
4. Click Save.

Register or Unregister the Agent with Microsoft AD FS

After installing RSA Authentication Agent for Microsoft AD FS on all federation servers in your AD FS deployment,
you must register the agent on the primary federation server using the RSA Agent for AD FS Configuration
Utility. If you need to uninstall the agent, you must unregister it first.

Procedure
1. Sign into the primary AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
4. From the Main Menu, do one of the following:
• Enter 4 to select Register Agent.
• Enter 5 to select Unregister Agent.

After you finish

Restart Active Directory Federation Services (adfssrv) on each server in the AD FS deployment. For instructions,
see Restart AD FS Services on page 38.

Configure Multifactor Authentication (MFA)

After installing and registering Agent for AD FS, you must configure the Microsoft AD FS global authentication
policy to enforce multifactor authentication using the agent. Perform the procedure appropriate for the
operating system on your AD FS server.

Windows Server 2016 with AD FS 4.0 and Windows Server 2012 R2 with AD FS 3.0 support selecting Windows
credentials as the primary authentication method and requiring RSA SecurID for additional authentication.


Windows Server 2019 AD FS supports two approaches for user authentication on AD FS-protected resources:

• You can select RSA SecurID as the primary authentication method and use Windows authentication only as a secondary authentication method.
• You can select Windows credentials as the primary authentication method and require RSA SecurID for additional authentication.

RSA SecurID allows your users to authenticate with any of the multifactor authentication methods supported by
RSA Authentication Manager or the Cloud Authentication Service, such as Authenticate Tokencode, Approve, or
RSA SecurID Tokens.

For additional information on configuring AD FS authentication methods on Windows Server 2019, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/additional-authentication-methods-ad-fs.

Configure MFA on Windows Server 2019 in Desktop Experience Mode


Windows Server 2019 AD FS supports two approaches for user authentication.

For additional information on configuring AD FS authentication methods on Windows Server 2019, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/additional-authentication-methods-ad-fs.

Select RSA SecurID for Primary Authentication

You can select RSA SecurID as the primary authentication method and use Windows authentication as a
secondary authentication method.

Before you begin

Make sure to set the policy setting "Validate the AD FS for authentication context" to Disabled.

After disabling this policy setting, unregister the Agent for AD FS and then register the agent again. For
instructions, see Register or Unregister the Agent with Microsoft AD FS on the previous page.

Procedure
1. Click Start > Server Manager.
2. Click Tools > AD FS Management.
3. In the left-hand frame, click Service > Authentication Methods.
4. In the center frame, in the Primary Authentication Methods section, click Edit.
The Edit Authentication Methods window appears.
5. Select the Allow additional authentication providers as primary checkbox.
6. A warning message is displayed. Click OK.
7. On the Edit Authentication Methods window, click Apply and click OK.
8. Again, in the Primary Authentication Methods section, click Edit.
9. Verify that the RSA SecurID Access Authentication Agent v2.0 checkbox is displayed in the Extranet and Intranet sections, and select it in both sections.
10. On the Additional tab, select the Forms Authentication checkbox.
11. Click Apply and click OK.


After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode on page 34.

Select RSA SecurID for Additional Authentication

You can select Windows credentials as the primary authentication method and require RSA SecurID for
additional authentication.

Procedure
1. Click Start > Server Manager.
2. Click Tools > AD FS Management.
3. In the left-hand frame, click Service > Authentication Methods.
4. In the center frame, in the Additional Authentication Methods section, click Edit.
The Edit Authentication Methods window appears.
5. On the Additional tab, select the checkbox for RSA SecurID Access Authentication Agent v2.0.
6. Click OK.

After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode on page 34.

Configure MFA on Windows Server 2016 or 2012 R2 in Desktop Experience Mode

Procedure
1. Click Start > Server Manager.
2. Click Tools > AD FS Management.
3. In the left-hand frame, click Service > Authentication Methods.
4. In the center frame, in the Multi-factor Authentication section, click Edit.
The Edit Global Authentication Policy window appears.
5. On the Multi-factor tab, select the checkbox for RSA SecurID Access Authentication v2.0, and
verify that settings in the Users/Groups, Devices, and Locations sections are set appropriately for
your environment.

Note: If RSA Authentication Agent 1.0.2 for Microsoft AD FS is also installed in your AD FS environment,
it appears on this page as RSA SecurID Authentication, and can be enabled or disabled using the
corresponding checkbox.

6. Click OK.


After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode on page 34 or Test MFA on Windows Server 2012 R2 on page 37, depending on your operating system.

Configure MFA on Windows Server 2019 in Server Core Mode


Windows Server 2019 AD FS supports two approaches for user authentication.

For additional information on configuring AD FS authentication methods on Windows Server 2019, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/additional-authentication-methods-ad-fs.

Select RSA SecurID for Primary Authentication

You can select RSA SecurID as the primary authentication method and only use Windows authentication as a
secondary authentication method.

Before you begin

Make sure to set the policy setting "Validate the AD FS for authentication context" to Disabled.

After disabling this policy setting, unregister the Agent for AD FS and then register the agent again. For
instructions, see Register or Unregister the Agent with Microsoft AD FS on page 30.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following two commands to allow an additional authentication provider to act as primary, set Agent for AD FS as the primary provider for both intranet and extranet, and keep Forms Authentication as the additional provider:

Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider SecurIDv2Authentication -PrimaryExtranetAuthenticationProvider SecurIDv2Authentication -AdditionalAuthenticationProvider FormsAuthentication

4. Enter the following command, and verify that SecurIDv2Authentication is set as the Primary
Authentication Provider and FormsAuthentication is set as the Additional Authentication Provider:
Get-AdfsGlobalAuthenticationPolicy

After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Server Core Mode on page 36.

Select RSA SecurID for Additional Authentication

You can select Windows credentials as the primary authentication method and require RSA SecurID for additional authentication.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following command to add Agent for AD FS as an additional authentication provider:
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "SecurIDv2Authentication"
4. Enter the following command, and verify that SecurIDv2Authentication appears in the list of
authentication providers returned:
Get-AdfsGlobalAuthenticationPolicy

After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Server Core Mode on page 36.

Configure MFA on Windows Server 2016 or 2012 R2 in Server Core Mode


Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following command to add Agent for AD FS as an additional authentication provider:
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "SecurIDv2Authentication"
4. Enter the following command, and verify that SecurIDv2Authentication appears in the list of
authentication providers returned:
Get-AdfsGlobalAuthenticationPolicy

Note: If RSA Authentication Agent 1.0.2 for Microsoft AD FS is also installed in your AD FS environment, additional commands may be required. For instructions, see Configure Multifactor Authentication for Multiple Agent Versions on page 37.

After you finish

• Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on page 38.
• (Optional) Test the MFA configuration using the AD FS test page. For instructions, see Test MFA on Windows Server 2019 or 2016 in Server Core Mode on page 36 or Test MFA on Windows Server 2012 R2 on page 37, depending on your operating system.

Test MFA on Windows Server 2019 or 2016 in Desktop Experience Mode


AD FS on Windows Server 2019 and 2016 includes an IdP-initiated sign-on test page, disabled by default, which you can use to verify that multifactor authentication and Agent for AD FS are configured and working properly. Perform this procedure to enable the test page and conduct a test authentication if Windows is installed in Desktop Experience mode.


Procedure
1. Sign into the server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following command to enable the test page:
Set-AdfsProperties -EnableIdPInitiatedSignonPage:$true
4. Click Start > Server Manager.
5. Click Tools > AD FS Management.
6. In the left-hand frame, click Application Groups.
7. In the right-hand frame, click Add Application Group.
8. In the Name field, enter a name for the application group.
9. Select Template > Web browser accessing a web application.
10. Click Next.
11. In the Redirect URI field, enter:
https://<youradfs>.<yourdomain.com>/adfs/ls/idpinitiatedsignon
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your
domain.
12. Click Add.
13. Click Next.
14. Select Choose an access control policy > Permit everyone and require MFA.
15. Click Next.
16. Click Next.
17. Click Close.
18. In the center frame, select the application group you specified in Step 8.
19. In the right-hand frame, select Properties.
20. Select <Name> - Web application
where <Name> is the application group you specified in Step 8.
21. Click Edit.
22. Under Identifiers > Relying party identifier, enter:
http://<youradfs>.<yourdomain.com>/adfs/services/trust
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your
domain.
To get the correct value, run Get-AdfsProperties from PowerShell and use the Identifier value it returns.
23. Click Add.
24. Click OK.
25. In the left-hand frame, select Access Control Policies.
26. Double-click Permit everyone and require MFA.
27. Select the Assigned To tab.
28. Verify that <Name> - Web application is present in the Application Name list
where <Name> is the application group you specified in Step 8.
29. Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS
Services on page 38.


30. Open a web browser and navigate to:


https://<youradfs>.<yourdomain.com>/adfs/ls/idpinitiatedsignon
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your
domain.
31. Enter appropriate credentials, and verify that authentication works properly.

Test MFA on Windows Server 2019 or 2016 in Server Core Mode


AD FS on Windows Server 2019 and 2016 includes an IdP-initiated sign-on test page, disabled by default, which you can use to verify that multifactor authentication and Agent for AD FS are configured and working properly. Perform this procedure to enable the test page and conduct a test authentication if Windows is installed in Server Core mode.

Procedure
1. Sign into the server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following command to enable the test page:
Set-AdfsProperties -EnableIdPInitiatedSignonPage:$true
4. Enter the following, and record the Identifier value returned by the command:
Get-AdfsProperties
5. Enter the following commands to add the application group:
New-AdfsApplicationGroup -Name <GroupName>
Set-AdfsApplicationGroup -TargetApplicationGroupIdentifier <GroupName>
where <GroupName> is a name you choose for the application group.
6. Enter the following command to add the AD FS Native Client Application to the application group:
Add-AdfsNativeClientApplication -Name <ClientAppName> -Identifier <ID> -ApplicationGroupIdentifier <GroupName> -RedirectUri <IDPSignOnURL>
where <ClientAppName> is the AD FS client application name, <ID> is an alphanumeric string you choose, <GroupName> is the name of the group you chose in Step 5, and <IDPSignOnURL> is the fully qualified URL for the IDPInitiatedSignOn page.
7. Open a web browser and navigate to:
https://<youradfs>.<yourdomain.com>/adfs/ls/idpinitiatedsignon
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your
domain.
8. Enter the following commands to add the AD FS Web API Application:
$IDs = @("<ID>","<IDPSignOnID>")
Add-AdfsWebApiApplication -Name <WebAPIAppName> -Identifier $IDs -AccessControlPolicyName "Permit everyone and require MFA" -ApplicationGroupIdentifier <GroupName>
where <ID> is the alphanumeric string you specified in Step 6, <IDPSignOnID> is the Identifier value you obtained in Step 4, <WebAPIAppName> is the AD FS web API application name, and <GroupName> is the group name specified in Step 5.
9. Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS
Services on page 38.
10. Open a web browser and navigate to:
https://<youradfs>.<yourdomain.com>/adfs/ls/idpinitiatedsignon
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your domain.
11. Enter appropriate credentials, and verify that authentication works properly.
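
The Server Core test-page procedure above as one script. This is an added example, not part of the RSA guide: it derives the sign-on URL and the AD FS identifier from Get-AdfsProperties instead of typing them, uses a GUID as the client identifier, checks that the Web API application was stored with the MFA access control policy, restarts AD FS, and prints the command that turns the test page off again. The group name is a placeholder. Run it from an elevated PowerShell prompt on the primary federation server, and disable the page once you have finished testing, since it is off by default on AD FS 2016 and later and has no purpose on a production federation endpoint.

```powershell
# Added example: set up the IdP-initiated sign-on test page on a Server Core federation server.
# Not part of the RSA guide; the group name is a placeholder (assumption). Run elevated on the primary server.
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$props      = Get-AdfsProperties
$signOnUrl  = "https://$($props.HostName)/adfs/ls/idpinitiatedsignon"
$adfsId     = "$($props.Identifier)"             # the Identifier value the guide tells you to record
$groupName  = 'RSA SecurID MFA Test'             # assumption: any name you choose
$clientId   = [guid]::NewGuid().ToString()       # any unique alphanumeric string is acceptable
$policyName = 'Permit everyone and require MFA'  # built-in access control policy

# 1. Enable the test page (it is off by default on AD FS 2016 and later).
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# 2. Application group, native client and Web API application, as in steps 5, 6 and 8 of the guide.
if (-not (Get-AdfsApplicationGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-AdfsApplicationGroup -Name $groupName | Out-Null
}
Add-AdfsNativeClientApplication -Name "$groupName - Native client" -Identifier $clientId `
    -ApplicationGroupIdentifier $groupName -RedirectUri $signOnUrl

# The Web API carries both the client ID and the AD FS identifier so that the
# sign-on request falls under the MFA access control policy.
Add-AdfsWebApiApplication -Name "$groupName - Web API" -Identifier @($clientId, $adfsId) `
    -AccessControlPolicyName $policyName -ApplicationGroupIdentifier $groupName

# 3. Check what was stored before restarting the service.
$api = Get-AdfsWebApiApplication -Name "$groupName - Web API"
if (-not $api) { throw 'Web API application was not created' }
$api | Format-List Name, Identifier, AccessControlPolicyName

Restart-Service -Name adfssrv
Write-Host "Browse to $signOnUrl, sign in, and confirm you are prompted for RSA SecurID."
Write-Host 'After testing, turn the page off again: Set-AdfsProperties -EnableIdPInitiatedSignonPage $false'
```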

Test MFA on Windows Server 2012 R2


AD FS for Windows Server 2012 R2 includes a test page which you can use to verify that multifactor
authentication and Agent for AD FS are configured and working properly. Perform this procedure to conduct a
test authentication.

Procedure
1. Open a web browser and navigate to:
https://<youradfs>.<yourdomain.com>/adfs/ls/idpinitiatedsignon
where <youradfs> is the name of your AD FS server, and <yourdomain.com> is the name of your
domain.
2. Enter appropriate credentials, and verify that authentication works properly.

Coexistence with RSA Authentication Agent 1.0.2 for Microsoft AD FS

You can install RSA Authentication Agent 2.0 for Microsoft AD FS in an AD FS environment where version 1.0.2
of the agent already exists. When both versions of the agent are installed, you can choose which version AD FS
uses for multifactor authentication, or you can enable both versions to let users choose the version they prefer
when prompted to authenticate. Perform this procedure to configure the AD FS multifactor authentication policy
for multiple agent versions.

When installing or uninstalling multiple agent versions:

l Always install and register version 1.0.2 before installing and registering version 2.0.
l If you unregister and uninstall version 1.0.2, you must re-register version 2.0.
l Registering version 2.0 disables all other multifactor authentication providers configured for AD FS.
Always reconfigure MFA after installing and registering version 2.0. For instructions, see Configure
Multifactor Authentication (MFA) on page 30.

Configure Multifactor Authentication for Multiple Agent Versions


If the AD FS server is running Windows in Desktop Experience mode, you can enable or disable either version of
the agent using the instructions provided in Configure Multifactor Authentication (MFA) on page 30. If Windows
is running in Server Core mode, use the following procedure.


Procedure
1. Sign into the server where you installed both versions of the agent.
2. Open a PowerShell command prompt.
3. Do one of the following, depending on the agent or agents you want AD FS to use for multifactor
authentication:
l To enable only agent version 1.0.2, enter the following command:
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider
"SecurIDAuthentication"
l To enable only agent version 2.0, enter the following command:
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider
"SecurIDv2Authentication"
l To enable both agent versions, enter the following set of commands:
$METHODS = @("SecurIDAuthentication","SecurIDv2Authentication")
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $METHODS
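The following PowerShell script is an added example; it is not part of the RSA guide or the agent's own scripts. It reads the current global authentication policy with Get-AdfsGlobalAuthenticationPolicy, enables the agent version or versions selected by the $Mode parameter (a name chosen for this example) only when the enabled provider set actually differs, and verifies the result before you restart adfssrv. It assumes the ADFS PowerShell module is present on the server and that it runs from an elevated prompt.

```powershell
# Added example (not from the RSA guide): show which MFA providers AD FS has
# enabled and switch to the chosen agent version(s) only if a change is needed.
# Assumes the ADFS module is available and the prompt is elevated.

param(
    # Which agent versions to enable: "v1", "v2", or "both" (example parameter)
    [ValidateSet("v1", "v2", "both")]
    [string]$Mode = "v2"
)

Import-Module ADFS

# Provider identifiers used by the two agent versions (as named in the guide).
$v1 = "SecurIDAuthentication"
$v2 = "SecurIDv2Authentication"

$wanted = switch ($Mode) {
    "v1"   { @($v1) }
    "v2"   { @($v2) }
    "both" { @($v1, $v2) }
}

$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ })
Write-Host "Currently enabled MFA providers: $($current -join ', ')"

# Compute the difference by hand: Compare-Object rejects empty reference arrays,
# and the provider list is empty on a server where no MFA provider is enabled.
$missing = @($wanted  | Where-Object { $current -notcontains $_ })
$extra   = @($current | Where-Object { $wanted  -notcontains $_ })

if ($missing.Count -gt 0 -or $extra.Count -gt 0) {
    # This replaces the whole list, exactly as the commands in the guide do.
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $wanted
    Write-Host "Set MFA providers to: $($wanted -join ', ')"
} else {
    Write-Host "No change needed."
}

# Confirm the change took effect before restarting adfssrv.
$after = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
foreach ($p in $wanted) {
    if ($after -notcontains $p) { throw "Provider '$p' is not enabled after the update." }
}
Write-Host "Verified. Restart Active Directory Federation Services (adfssrv) to apply."
```

Run it as `.\Set-AgentMfaProviders.ps1 -Mode both` (file name chosen for this example). Because Set-AdfsGlobalAuthenticationPolicy replaces the entire provider list, printing the current list first makes it visible when a provider other than the two agent versions would be dropped.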

After you finish

Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services
below.

Restart AD FS Services

After installing and registering Agent for AD FS, you must restart Active Directory Federation Services (adfssrv)
on each AD FS server in your deployment.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
4. From the Main Menu, enter 3 to select Restart AD FS.

Import Trusted Root Certificate

After installing the agent, you must import the trusted root CA certificate from RSA Authentication Manager or
the Cloud Authentication Service, depending on whether the agent connects to Authentication Manager or the
Cloud Authentication Service.

If you are using Authentication Manager as a secure proxy server, you must import the trusted root
CA certificate from Authentication Manager.

You can obtain this certificate from your Authentication Manager or Cloud Authentication Service administrator.
(For instructions, see the knowledgebase article How to export RSA SecurID Access Authentication Manager or
Cloud Authentication Service Root Certificate.)

Perform the procedure appropriate for the operating system on your AD FS server.


Import Trusted Root Certificate in Desktop Experience Mode


Perform this procedure on each AD FS server to import the certificate if Windows is running in Desktop
Experience mode.

Before you begin

Obtain the trusted root CA certificate from your Authentication Manager or Cloud Authentication Service
administrator and copy it to a location on the AD FS server.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Run mmc.exe to open the Microsoft Management Console.
3. Click File > Add/Remove Snap-In.
4. Double-click Certificates.
5. Select Computer Account, then click Next.
6. Select Local Computer, then click Finish.
7. Click OK.
8. Navigate to Certificates(Local Computer) > Trusted Root Certification Authorities >
Certificates.
9. Right-click Certificates and select All Tasks > Import.
10. Click Next.
11. Click Browse, then select the certificate you would like to import and click Open.
12. Click Next.
13. Select Place all certificates in the following store.
14. Click Browse, then select Trusted Root Certification Authorities and click OK.
15. Click Next.
16. Click Finish, then click OK.

Import Trusted Root Certificate in Server Core Mode


Follow this procedure to import the certificate in Server Core mode on each AD FS server where you install the
agent.

Before you begin

Obtain the trusted root CA certificate from your Authentication Manager or Cloud Authentication Service
administrator and copy it to a location on the AD FS server.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following commands to import the certificate:
Import-Module PKI
Set-Location Cert:
Get-ChildItem -Path <c:\CertDirectory\mycert.cer> | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root
where <c:\CertDirectory\mycert.cer> is the full file path of the certificate.
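The following PowerShell script is an added example, not part of the RSA guide. It performs the same import as the commands above but first checks that the file is the certificate you expect: the thumbprint is compared with a value obtained out of band from your Authentication Manager or Cloud Authentication Service administrator, and the certificate must be self-issued before it is allowed into the machine's Trusted Root store. The $CertPath and $ExpectedThumbprint parameters are placeholders chosen for this example.

```powershell
# Added example (not from the RSA guide): import the Authentication Manager or
# Cloud Authentication Service root CA certificate into Cert:\LocalMachine\Root,
# verifying before and after that it is the certificate you expect.
# Assumptions: $CertPath and $ExpectedThumbprint are supplied by the operator;
# the thumbprint comes from the administrator who exported the certificate.

param(
    [Parameter(Mandatory = $true)][string]$CertPath,           # e.g. C:\CertDirectory\mycert.cer
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint  # SHA-1 thumbprint, hex
)

Import-Module PKI

# Load the file without installing anything yet. Resolve-Path avoids the .NET
# constructor resolving a relative path against the process working directory.
$fullPath = (Resolve-Path -Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Certificate viewers often show the thumbprint with spaces or colons; normalise it.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# A root CA certificate is self-issued; anything else does not belong in Trusted Root.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate '$($cert.Subject)' is not self-issued; refusing to add it to Trusted Root."
}

# Skip the import if this root is already present.
$existing = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected }
if ($existing) {
    Write-Host "Root certificate $expected is already in Cert:\LocalMachine\Root."
} else {
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Final check: the store must now contain the expected root.
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected }
if (-not $installed) { throw "Import failed: $expected not found in Cert:\LocalMachine\Root." }
Write-Host "Trusted root present: $($installed.Subject) (valid until $($installed.NotAfter))"
```

Comparing the thumbprint against a value received through a separate channel is what protects the import step itself: a certificate file that arrived by e-mail or a file share is otherwise trusted purely because it is in the expected folder.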


Add Localized Authentication Pages

Perform this procedure to make non-English Authentication Agent for AD FS authentication pages available
according to the language preferences set in each user's web browser.

Before you begin

Download the language file package ADFSAgentv2LocalizedPages.zip from RSA Link:


https://community.rsa.com/community/products/securid/authentication-agent-AD FS/downloads/content

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Copy the contents of ADFSAgentv2LocalizedPages.zip to C:\Program Files\RSA\RSA
Authentication Agent\AD FS MFA Adapter\lang\, replacing any duplicate files.
3. Open a PowerShell command prompt.
4. Enter the following to run the Agent for AD FS localization script:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\lang'
.\MFAAuthProviderLocalization.ps1
5. Enter 1 to add and enable the localized language resource files.
6. Enter 3 to exit.

After you finish

Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on
page 38.

Remove Localized Authentication Pages

Perform this procedure to remove non-English Authentication Agent for AD FS authentication pages from the AD
FS server.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following to run the Agent for AD FS localization script:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\lang'
.\MFAAuthProviderLocalization.ps1
4. Enter 2 to remove localized language resource files.
5. Enter 3 to exit.
6. Delete the language files from C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA
Adapter\lang\.

After you finish

Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS Services on
page 38.


Edit Settings Using the Agent for AD FS Configuration Utility

When you install Agent for AD FS, you configure basic settings using the installation wizard. If you need to
modify those settings after installation, you can use the Agent for AD FS Configuration Utility. The configuration
utility provides options to view and edit agent settings, restart the AD FS service, and register or unregister the
agent with Microsoft AD FS. Some settings are only available in the configuration utility.

Procedure
1. Sign into the AD FS server where you installed the agent.
2. Open a PowerShell command prompt.
3. Enter the following to run the Agent for AD FS Configuration Utility:
cd 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts'
.\MFAAuthProviderConfigSettings.ps1
4. From the Main Menu, enter 2 to select Edit Settings.

Note: You can enter 1 to select View Current Settings if you want to check the current configuration
without making changes.

5. From the Edit Settings menu, enter the number of the setting you want to modify. This menu displays
different options depending on the currently configured authentication mode.
6. Provide the required configuration parameters. See Configuration Settings and Required Information on
page 17 for details.
7. Enter Y when prompted to return to the Main Menu, or enter N to proceed to the next configurable
setting.
8. When you are done editing settings, enter 3 from the Main Menu to restart the AD FS service, and enter
6 from the Main Menu to exit the configuration utility.

Enable or Disable FIPS on Windows Server 2019, 2016, or 2012 R2

The Federal Information Processing Standard (FIPS) is a United States government computer security standard
used to approve cryptographic modules. Perform this procedure to enable FIPS on Windows Server 2019, 2016,
or 2012 R2.

Procedure
1. Sign into the AD FS server as an administrator.
2. Click Start > Control Panel > Administrative Tools > Local Security Policy.
The Local Security Settings window appears.
3. In the navigation pane, click Local Policies, then Security Options.
4. In the right-side pane, double-click System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing.
5. In the dialog box that appears, click Enabled or Disabled based on your deployment requirements, and
then click Apply.
6. Click OK.
7. Close the Local Security Settings window.


Change the AD FS Theme on Windows Server 2019

After installing and registering Agent for AD FS on Windows Server 2019, you must change the AD FS theme
from a right alignment to a center alignment. This change allows authentication windows to display correctly.

Windows Server 2016 with AD FS 4.0 and Windows Server 2012 R2 with AD FS 3.0 do not require this
procedure.

Procedure
1. On the Windows Server 2019 on which you installed or upgraded the agent, open a PowerShell
command prompt.
2. Enter the following to get details of the current theme:
Get-AdfsWebConfig
3. Enter the following to see the different themes that are supported by AD FS 2019:
Get-AdfsWebTheme | Select Name
4. Enter the following to change to a center alignment theme that is introduced in AD FS 2019:
Set-AdfsWebConfig -ActiveThemeName DefaultAdfs2019

Configure Logging

Logging is enabled by default when you install Agent for AD FS. You can customize logging options by manually
editing the log4net.config file in the C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA
Adapter\config directory. You can change the following parameters using the log file syntax provided.

Note: You must restart Microsoft Active Directory Federation Services (adfssrv) after modifying
log4net.config. For instructions, see Restart AD FS Services on page 38.

Default Log Format

You can specify the logging format. Specify either SizeBasedRotation or TimeBasedRotation as shown:

<root>
  <level value="ALL" />
  <appender-ref ref="SizeBasedRotation"/>
</root>

The default format is size-based logging.

Options for Size-Based Logging

Configure options for size-based logging by editing the following parameters.

Log Rotation

You can enable log rotation by setting the appender tag as shown:

<appender name="SizeBasedRotation" type="log4net.Appender.RollingFileAppender">

Log File Name

You can specify the name of the log file. For example:

<file value="c:\\Program Files\\RSA\\RSA Authentication Agent\\AD FS MFA Adapter\\logs\\rsa_adfs.log" />

Log File Size

You can specify the maximum log file size. For example:

<maximumFileSize value="10MB" />

The default maximum file size is 10MB.

Log File Count

You can specify the maximum number of log files to be saved. When the maximum log file count is reached,
older log files are overwritten.

<maxSizeRollBackups value="10" />

Default log file count is 10.

Log Levels

The agent uses the following log levels, from least to most severe: Debug > Info > Warn > Error > Fatal

The agent will log all messages between the minimum and maximum levels you specify. The following example
values will log all messages for the Info, Warn, Error, and Fatal levels, but will not log Debug messages:

<filter type="log4net.Filter.LevelRangeFilter">
  <levelMin value="INFO" />
  <levelMax value="FATAL" />
</filter>

Options for Time-Based Logging

Configure options for time-based logging by editing the following parameters.

Log Rotation

You can enable log rotation by setting the appender tag as shown:

<appender name="TimeBasedRotation" type="log4net.Appender.RollingFileAppender">

Log Levels

The agent uses the following log levels, from least to most severe: Debug > Info > Warn > Error > Fatal

The agent will log all messages between the minimum and maximum levels you specify. The following example
values will log all messages for the Info, Warn, Error, and Fatal levels, but will not log Debug messages:

<filter type="log4net.Filter.LevelRangeFilter">
  <levelMin value="INFO" />
  <levelMax value="FATAL" />
</filter>

Log File Name

You can specify the name of the log file. For example:

<file value="c:\\Program Files\\RSA\\RSA Authentication Agent\\AD FS MFA Adapter\\logs\\rsa_adfs.log" />

Log File Date Pattern

The log file name will be appended with the date pattern you specify. For example:

<datePattern value="-yyyyMMdd-HHmm" />
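The following log4net.config is an added example that assembles the fragments above into one complete file; it is not the configuration file shipped with the agent. The appender names, file path, size and count values, date pattern, level filter, and the <root> element are the ones shown in this section. The appendToFile, rollingStyle, staticLogFileName, and layout elements are standard log4net settings added here; the conversionPattern is an assumption chosen to produce the "date [thread] LEVEL logger - message" lines quoted in the Troubleshooting chapter.

```xml
<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <!-- Size-based rotation: roll when the file reaches maximumFileSize and keep
       at most maxSizeRollBackups old files (the defaults stated in the guide). -->
  <appender name="SizeBasedRotation" type="log4net.Appender.RollingFileAppender">
    <file value="c:\\Program Files\\RSA\\RSA Authentication Agent\\AD FS MFA Adapter\\logs\\rsa_adfs.log" />
    <appendToFile value="true" />
    <rollingStyle value="Size" />
    <maximumFileSize value="10MB" />
    <maxSizeRollBackups value="10" />
    <staticLogFileName value="true" />
    <layout type="log4net.Layout.PatternLayout">
      <!-- Assumed pattern; matches the sample lines in the Troubleshooting chapter. -->
      <conversionPattern value="%date [%thread] %-5level %logger - %message%newline" />
    </layout>
    <!-- INFO..FATAL: everything except Debug, as in the example above. -->
    <filter type="log4net.Filter.LevelRangeFilter">
      <levelMin value="INFO" />
      <levelMax value="FATAL" />
    </filter>
  </appender>

  <!-- Time-based rotation: a new file per period, suffixed with datePattern. -->
  <appender name="TimeBasedRotation" type="log4net.Appender.RollingFileAppender">
    <file value="c:\\Program Files\\RSA\\RSA Authentication Agent\\AD FS MFA Adapter\\logs\\rsa_adfs.log" />
    <appendToFile value="true" />
    <rollingStyle value="Date" />
    <datePattern value="-yyyyMMdd-HHmm" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date [%thread] %-5level %logger - %message%newline" />
    </layout>
    <filter type="log4net.Filter.LevelRangeFilter">
      <levelMin value="INFO" />
      <levelMax value="FATAL" />
    </filter>
  </appender>

  <!-- The root logger selects the active appender; change the ref to switch
       between size-based and time-based rotation, then restart adfssrv. -->
  <root>
    <level value="ALL" />
    <appender-ref ref="SizeBasedRotation" />
  </root>
</log4net>
```

Both appenders are declared so that switching rotation styles is a one-line change in <root>. Raising levelMin to WARN reduces volume on a busy federation server but also hides the INFO-level retry and failover messages that the Troubleshooting chapter relies on, so keep INFO if you monitor those.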

RSA Group Policy Object Templates

The RSA Group Policy Object (GPO) template files allow you to configure additional settings for Authentication
Agent for AD FS. For more information, see the Group Policy Object Template Guide, available on RSA Link:
https://community.rsa.com/community/products/securid/authentication-agent-AD FS

Update Access Control List (ACL) Permissions

If you change the service account used for managing the AD FS server, you must transfer the required Agent for
AD FS file permissions to the new service account. To transfer file permissions, run the ACL update script:
C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\scripts\MFAAuthProviderACLSettings.ps1.

Repair an Installation

Repairing an installation replaces missing files in a damaged installation. You can repair the installation using
the Install Wizard or the command line.

Repair an Installation Using the Install Wizard


Procedure
1. Copy RSA Authentication Agent v2 for Microsoft AD FS x64.msi to a folder on the system where
you want to repair the installation.
2. Double-click RSA Authentication Agent v2 for Microsoft AD FS x64.msi to run the installer.
3. Click Next.
4. Select Repair, then click Next.
5. Click Repair.

Note: The installer may prompt you to close files or applications that will be modified during the repair
process.

6. Click Finish to exit the wizard.

Repair an Installation Using the Command Line


Procedure
1. Copy RSA Authentication Agent v2 for Microsoft AD FS x64.msi to a folder on the system where
you want to repair the installation.

2. Open a command prompt.
3. Navigate to the directory that contains the RSA Authentication Agent v2 for Microsoft AD FS
x64.msi package file, or provide the full pathname to the package file on the command line.
4. Enter a command similar to the following.
msiexec /f "RSA Authentication Agent v2 for Microsoft AD FS x64.msi" /q /L*v repair.log
The /q switch instructs the installer to run in silent mode.

Uninstall the Agent

You can uninstall the agent using Windows Control Panel, the Install Wizard, or the command line. To uninstall
the product from multiple AD FS servers simultaneously, you must use the command line.

Before You Begin


Unregister the agent with Microsoft AD FS. For instructions, see Register or Unregister the Agent with Microsoft
AD FS on page 30.

If you added non-English Authentication Agent for AD FS authentication pages, remove them from the AD FS
server. For instructions, see Remove Localized Authentication Pages on page 40.

On Windows Server 2019 with AD FS 2019, if RSA SecurID Access is configured as the primary authentication
method, perform one of the following procedures to remove this setting:

l Desktop Experience Mode. Do the following:


1. Click Start > Server Manager.
2. Click Tools > AD FS Management.
3. In the left-hand frame, click Service > Authentication Methods.
4. In the center frame, in the Primary Authentication Methods section, click Edit.
5. In the Edit Authentication Methods window, clear the Allow additional authentication
methods as primary checkbox, and select the Forms Authentication and Windows
Authentication checkboxes.
6. Click Apply and click OK.
7. Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD
FS Services on page 38.

l Server Core Mode. Open a PowerShell command prompt, and execute the following two commands:
Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $false
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider WindowsAuthentication, FormsAuthentication, MicrosoftPassportAuthentication -PrimaryExtranetAuthenticationProvider FormsAuthentication, MicrosoftPassportAuthentication -AdditionalAuthenticationProvider $null

Restart Microsoft Active Directory Federation Services (adfssrv). For instructions, see Restart AD FS
Services on page 38.


Uninstall the Agent Using Windows Control Panel


Procedure
1. From the Start menu, click Control Panel > Programs > Programs and Features.
2. In the program list, click RSA Authentication Agent v2.0 for Microsoft AD FS.
3. Click Uninstall.
4. Restart the server if prompted. If you cancel the uninstall process, the application reverts to its previous
state.

Uninstall the Agent Using the Install Wizard


Procedure
1. Copy RSA Authentication Agent v2 for Microsoft AD FS x64.msi to a folder on the system where
you want to uninstall the product.
2. Double-click RSA Authentication Agent v2 for Microsoft AD FS x64.msi to run the installer.
3. Click Next.
4. Select Remove, then click Next.
5. Click Remove.
6. Click Finish to exit the wizard.

Uninstall the Agent Using the Command Line


Procedure
1. Copy RSA Authentication Agent v2 for Microsoft AD FS x64.msi to a folder on the system where
you want to uninstall the product.
2. Open a command prompt.
3. Enter the following command:
msiexec /x "RSA Authentication Agent v2 for Microsoft AD FS x64.msi" /L*v uninstall.log /q FORCEUNINSTALL=false
The /q switch instructs the installer to run in silent mode. FORCEUNINSTALL=false aborts the
installation if the agent has not been unregistered from Microsoft AD FS.

After You Finish


If the C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\lang\ folder still exists
after uninstallation, delete it and any files it contains.


Chapter 5: Troubleshooting

Installation Logs 48

Diagnose Authentication Issues 48

Chapter 5: Troubleshooting 47

Installation Logs

If you encounter problems while installing, repairing, or uninstalling the agent, check install.log, repair.log, or
uninstall.log, respectively, for status and troubleshooting information. The log files are saved in the folder
where you run the installer. This table describes the messages that may appear in the logs.

Log message: Installation successful.
Description: Installation is complete.

Log message: Uninstallation successful.
Description: Uninstallation is complete.

Log message: Installation unsuccessful.
Description: The installation was interrupted.

Log message: Invalid configuration parameters. Installation unsuccessful.
Description: The input file contains unexpected values for one or more configuration fields.

Log message: Missing required configuration parameters. Installation unsuccessful.
Description: The input file does not contain values for one or more required install parameters.

Log message: Agent must be unregistered with Microsoft AD FS. Uninstallation unsuccessful.
Description: The agent cannot be uninstalled because it is currently registered with Microsoft AD FS.

Diagnose Authentication Issues

The following section contains details on issues you might encounter while using Authentication Agent for AD FS,
troubleshooting information, and descriptions of common error messages. For additional troubleshooting
information, sign into RSA Link at https://community.rsa.com.

Verify the Accuracy of the Computer Clock


If a user cannot authenticate, make sure the clock on the user’s computer or mobile device is accurate. If the
computer clock or device clock is not synchronized with the RSA Authentication Manager clock, the user may not be
able to authenticate.

Errors and Log Messages


Agent for AD FS displays user-facing errors and records administrator-facing logs and Microsoft Event Viewer
messages that can help you identify problems.

Agent Log Messages

The following table lists sample log messages that the agent records for common error scenarios.

Log messages:
2018-04-27 04:41:01,784 [23] INFO ServerManager - getServerUrl(): returning server: https://<youram-url1>:5555/mfa/v1_1
2018-04-27 04:41:22,877 [23] INFO ConnectionHandler - Retry Count:4
2018-04-27 04:41:43,892 [23] INFO ConnectionHandler - Retry Count:3
2018-04-27 04:42:04,892 [23] INFO ConnectionHandler - Retry Count:2
2018-04-27 04:42:25,891 [23] INFO ConnectionHandler - Retry Count:1
2018-04-27 04:42:46,891 [23] INFO ServerManager - Marking this server state to DOWN: https://<youram-url1>:5555/mfa/v1_1
2018-04-27 04:42:46,891 [23] INFO ConnectionHandler - Failover to next URL.
2018-04-27 04:42:46,891 [23] INFO ServerManager - getServerUrl(): returning server: https://<youram-url2>:5555/mfa/v1_1
Error scenario: Communication with an Authentication Manager instance is interrupted due to network connection
problems. The agent attempts the configured number of connection retries, then switches to the next configured
replica instance.

Log messages:
2018-04-27 05:06:47,373 [20] ERROR AuthnRequestService - MFA Response is empty. Returning Null
2018-04-27 05:06:47,373 [20] INFO AuthnAdapter - Authentication step completed.
Error scenario: A connection failure occurs during authentication.

Log message:
2018-05-10 02:47:24,969 [18] ERROR ConnectionHandler - No Servers Available for Authentication.
Error scenario: The agent cannot connect to the Cloud Authentication Service or any Authentication Manager
instance.

Log messages:
Error in Server certificate validation: A certificate chain processed, but terminated in a root certificate which is
not trusted by the trust provider.
Error in Server certificate validation: Trusted certificates cannot be found. Certificate Not Available
Error scenario: A problem occurs while validating the server certificate due to an incorrect certificate chain.

Log message:
Error in Server certificate validation: Certificate Name Mismatch
Error scenario: The common name to which an SSL certificate is issued does not match the name of the server
URL.
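The following PowerShell script is an added example, not part of the RSA guide or the agent. It scans rsa_adfs.log for the failover, outage, and certificate-validation messages listed in the table above and summarises them per server, so that an Authentication Manager instance being marked DOWN or a "No Servers Available" event is noticed rather than buried in INFO-level output. The $LogPath parameter and the sample log lines are constructed for this example; the line format assumed is the "date [thread] LEVEL logger - message" layout of the quoted messages.

```powershell
# Added example (not from the RSA guide): summarise failover and outage events
# from the agent log. With no -LogPath, the constructed sample lines below are
# used so the script runs offline.

param([string]$LogPath = "")

# Constructed sample lines in the agent's log format; hostnames are made up.
$sampleText = @'
2018-04-27 04:41:01,784 [23] INFO ServerManager - getServerUrl(): returning server: https://am1.example.test:5555/mfa/v1_1
2018-04-27 04:41:22,877 [23] INFO ConnectionHandler - Retry Count:4
2018-04-27 04:42:46,891 [23] INFO ServerManager - Marking this server state to DOWN: https://am1.example.test:5555/mfa/v1_1
2018-04-27 04:42:46,891 [23] INFO ConnectionHandler - Failover to next URL.
2018-04-27 04:42:46,891 [23] INFO ServerManager - getServerUrl(): returning server: https://am2.example.test:5555/mfa/v1_1
2018-04-27 05:06:47,373 [20] ERROR AuthnRequestService - MFA Response is empty. Returning Null
2018-05-10 02:47:24,969 [18] ERROR ConnectionHandler - No Servers Available for Authentication.
2018-05-10 02:50:00,000 [18] ERROR ConnectionHandler - Error in Server certificate validation: Certificate Name Mismatch
'@
$sample = $sampleText -split "`r?`n"

$lines = if ($LogPath -and (Test-Path -Path $LogPath)) { Get-Content -Path $LogPath } else { $sample }

# Prefix of every agent log line: timestamp, [thread], level, logger, " - ", message.
$linePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?<thread>\d+)\] (?<level>\w+) (?<logger>\S+) - (?<msg>.*)$'

$downServers = @{}    # server URL -> number of times marked DOWN
$noServers   = 0      # every configured instance unreachable
$emptyResp   = 0      # connection failure during an authentication
$certErrors  = New-Object System.Collections.Generic.List[string]

foreach ($line in $lines) {
    if (-not ($line -match $linePattern)) { continue }
    $msg = $Matches['msg']
    # switch -Regex sets $Matches for the case that matched.
    switch -Regex ($msg) {
        '^Marking this server state to DOWN: (?<url>\S+)' {
            $url = $Matches['url']
            $downServers[$url] = 1 + [int]$downServers[$url]
        }
        '^No Servers Available for Authentication'             { $noServers++ }
        '^MFA Response is empty'                               { $emptyResp++ }
        '^Error in Server certificate validation: (?<why>.+)$' { $certErrors.Add($Matches['why']) }
    }
}

# Report. A DOWN mark followed by failover is the agent working as designed;
# "No Servers Available" means MFA is unavailable and deserves an alert.
"Servers marked DOWN:"
$downServers.GetEnumerator() | Sort-Object Key | ForEach-Object { "  {0} ({1} time(s))" -f $_.Key, $_.Value }
"Empty MFA responses (connection failure during authentication): $emptyResp"
"No-servers-available events (all instances unreachable): $noServers"
"Certificate validation failures: $($certErrors -join '; ')"
if ($noServers -gt 0) { Write-Warning "MFA backend was unreachable at least once; check network paths and replica health." }
if ($certErrors.Count -gt 0) { Write-Warning "Certificate validation failed; confirm the imported root CA and the server URL's common name." }
```

Running it against the sample lines reports am1.example.test marked DOWN once, one empty MFA response, one no-servers-available event, and one certificate name mismatch. Scheduling it against the real log, or feeding the same patterns to your SIEM, turns the table above into a check that runs without anyone reading the log.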

User-Facing Error Messages

The following table lists error messages that the agent displays to users for common error scenarios.

Error message: Authentication timed out. Try again or contact your administrator.
Error scenario: No user activity is registered on the authentication page for more than 180 seconds. A 'Retry'
button is provided to re-initialize the authentication.

Error message: No supported authentication methods found. Contact your administrator.
Error scenario: The only methods available in the access policy for the agent are either not supported by the
agent, or cannot be completed by the user. For example, the FIDO authentication method, or the SMS and Voice
methods when no phone number is available for the user.

Error message: Cannot authenticate. Contact your administrator.
Error scenario: One of the following is true:
l User is present in Active Directory but not in the identity source configured for the Cloud Authentication
Service or Authentication Manager.
l The access policy configured for the agent does not match an access policy configured in the Cloud
Authentication Service.

Error message: You must install and register the RSA SecurID Authenticate app to complete authentication.
Error scenario: All methods available in the access policy for the agent require the RSA SecurID Authenticate
app, but the user has not registered a device with the app.

Error message: Unsuccessful authentication. Try again.
Error scenario: One of the following is true:
l The user provided invalid credentials.
l The user attempted to cancel and retry an Approve or Device Biometrics authentication multiple times in rapid
succession, causing messages to arrive out of sequence.
l A corrupted message chain error occurred during authentication with any method.

Event Viewer Messages

The following table lists sample messages that the agent records in Microsoft Event Viewer for common error
scenarios.

Event Viewer message:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://server.domain.com/AD FS/services/trust
Exception details:
System.PlatformNotSupportedException: Operation is not supported on this platform.
at RSA.Authentication.FederationServices.AuthnAdapter.BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext context)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Error scenario: The agent configuration file C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA
Adapter\config\mfaconfig.json is either missing or corrupt. Do the following: Copy and rename the backup file
mfaconfig.json.bkp to mfaconfig.json, then restart the AD FS service.

Event Viewer message:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://server.domain.com/AD FS/services/trust
Exception details:
Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from http://server2012r2.agentdomaintest.com/AD FS/services/trust.
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Error scenario: The agent is not registered with Microsoft AD FS. For instructions to register the agent, see
Register or Unregister the Agent with Microsoft AD FS on page 30.

Event Viewer message:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: SecurIDv2Authentication
Context: Proxy TLS pipeline
Additional Data
Exception details:
An error occurred initializing the 'SecurIDv2Authentication' authentication provider.
Error scenario: Agent files are either missing or corrupt. Do the following:
1. Use the installer to repair the agent.
2. Reconfigure settings using the Configuration Utility.
3. Run MFAAuthProviderACLSettings.ps1.
