RSA MFA Agent 2.1.1 For Microsoft Windows Installation and Administration Guide

RSA® MFA Agent 2.1.
1 for Microsoft Windows

Installation and Administration Guide
RSA MFA Agent 2.1.1 for Microsoft Windows Installation and Administration Guide
RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and

provides solutions to known problems, product documentation, community discussions, and case management.
Trademarks
RSA Conference Logo, RSA, and other trademarks, are trademarks of RSA Security LLC or its affiliates ("RSA").
For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks
are trademarks of their respective owners.
License Agreement
This software and the associated documentation are proprietary and confidential to RSA Security LLC or its
affiliates are furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation, and any
copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by RSA.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed on the product documentation page on RSA
Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export
of encryption technologies, and current use, import, and export regulations should be followed when using,
importing or exporting this product.
Distribution
Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this
publication requires an applicable software license. RSA believes the information in this publication is accurate
as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
© 2007-2021 RSA Security LLC or its affiliates. All Rights Reserved.
June 2021
2
Contents
Preface 8
About This Guide 8
RSA MFA Agent for Microsoft Windows Documentation 8
Related Documentation 8
Support and Service 8
Before You Call Customer Support 9
Chapter 1: Product Overview 10
RSA MFA Agent for Microsoft Windows 11
Passwordless Authentication 11
Password Authentication 11
MFA Agent-Server Communication 11
Supported Authentication Methods for the MFA Agent for Microsoft Windows 12
Differences Between the Authentication Agent and MFA Agent for Windows 13
Key Features 14
Cloud Authentication Service Authentication Methods 15
RSA Authentication Manager Authentication Methods 15
Challenge Users with Passwordless Authentication and RSA SecurID Access Credentials 15
Multidomain Group Support 15
Offline Authentication 17
Offline Passwordless Authentication 17
Cloud Authentication Service Offline Authentication 17
RSA Authentication Manager Offline Authentication 19
Specify the User Name Format sent to the RSA Authentication Server 19
User Account Control Support 19
Co-Existence Support of RSA Windows Agents 19
Unlock with Windows Password Support 20
Configure Prompt for Windows Password Order During Authentication 20
Options to Customize RSA MFA Agent 20
Supported Authenticators for RSA Authentication Manager 21
Chapter 2: Preparing for Installation 23
3
System Requirements 24
Required Port 24
Computer Requirements 24
Supported Operating Systems 24
Supported FIDO2 Security Keys 24
Connectivity Requirements 24
Authentication Requirements 25
Cloud Authentication Service Requirements 25
RSA Authentication Manager Requirements 25
Supported Third-Party Remote Access Products 25
Remote Access Support 25
User Requirements 26
Preparations to Install MFA Agent 26
Set Up RSA SecurID Access Authentication 26
Set Up Cloud Authentication Service 26
Set Up RSA Authentication Manager 27
Import the Trusted Root Certificate for RSA Authentication Manager 28
Import a Trusted Root Certificate Using Microsoft Management Console 28
Import a Trusted Root Certificate Using a PowerShell Command Prompt 29
Create a Group of Users to Challenge with RSA SecurID Access Credentials 29
Prepare Users for RSA SecurID Access Authentication 30
Prepare Users for Cloud Authentication Service 30
Prepare Users for RSA Authentication Manager 30
Configure Passwordless Authentication 30
Create a Group of Users to Challenge with Passwordless Authentication 30
GPO Configuration Settings 31
Manage FIDO2 Security Keys 32
Prerequisites 32
Performance Considerations 32
Authentication Flow of Passwordless Authentication 33
Users' First Authentication 33
Authentication Flow 33
Users' Subsequent Authentications 33
4
Authentication Flow 33
Certificate Management 33
Revoke Smart Card Sign-In Certificate 34
Revoke Using Certificate Authority 34
Revoke Using Certutil Command 35
Renew Smart Card Sign-In Certificate 35
Set the Certificate Validity Period 35
User Authentication Flow 36
Chapter 3: Installing RSA MFA Agent 37
Installation Methods 38
Single Installations 38
Large-Scale Deployments 38
Installation Considerations 38
Install the Product on a Single Computer 38
Required Certificates for the Cloud Authentication Service 38
Required Certificates for RSA Authentication Manager 39
Challenging All Users Except Administrators 39
Passwordless Authentication (Primary Authentication) 39
RSA SecurID Access Credentials (Additional Authentication) 39
Install Using the Install Wizard 39
Install Using the Command-Line 40
Install the Product on Multiple Computers 40
Provide Account Control Privileges to User Computers 40
Deploy the Installation Package to Multiple Computers 40
Connect MFA Agent to RSA SecurID Access 41
Password Authentication 51
Test Authentication 55
Additional Authentication 56
Troubleshooting Test Authentication Tool Errors 57
Repair an Installation 60
Repair an Installation Using Programs and Features 60
5
Repair an Installation Using the Install Wizard 60
Repair an Installation Using the Command Line 61
Upgrade to RSA MFA Agent 2.1.1 for Microsoft Windows 61
Upgrade Using the Install Wizard 62
Upgrade Using the Silent Installation Command-Line Options 62
Migrate from RSA Authentication Agent 7.4.x for Microsoft Windows to RSA MFA Agent 2.1.1 for
Microsoft Windows 63
Comparing RSA Authentication and MFA Agents for Microsoft Windows 63
RSA Authentication Agent Features Not Available in RSA MFA Agent 63
RSA Authentication Agent Features Moved to GPO Settings in RSA MFA Agent 64
GPO Settings: Local Authentication and Other Settings in Both Agents 64
GPO Settings: Credential Provider Filter Settings in Both Agents 65
Migration of GPO Configuration Using the Migration Tool 66
Uninstall the Product 67
Uninstall the Product from a Single Computer using the Windows Control Panel 68
Uninstall the Product from a Single Computer using the Install Wizard 68
Uninstall the Product from Multiple Computers 68
Chapter 4: Managing MFA Agent 71
Manage Cloud Authentication Service Offline Days 72
Refresh Offline Days 72
Check the Supply of Offline Days 72
Offline Authentication Lockout 73
Manage RSA Authentication Manager Offline Days 73
Refresh Offline Days 74
Refresh When a Network Connection Exists 74
Refresh When No Network Connection Exists 74
Check the Supply of Offline Days 74
Set Up Offline Authentication for Remote RSA SecurID Access Users 75
Users Who Work Locally and Remotely 75
Different Remote Users Who Share a Computer 75
Emergency Access 76
Emergency Access after Losing FIDO2 Security Key 76
Register and Authenticate with New FIDO2 Security Key 76
Steps to Register New FIDO2 Security Key with Passwordless Authentication 76
6
Emergency Access at Additional Authentication 77
Offline Cloud Authentication Service Users 77
Online Cloud Authentication Service Users 77
Offline RSA Authentication Manager Users 78
Online RSA Authentication Manager Users 79
Offline Emergency Access Supported by RSA Authentication Manager 80
Reserve Password 81
Load Balancing Configuration Settings 83
Streamlined Authentication for Remote Applications 83
Language Support 84
Chapter 5: Troubleshooting 85
Issues and Resolutions 86
Logs 88
Windows Event Messages Written by the MFA Agent 89
Enable Tracing 89
View MFA Agent Version and Build 90
7
Preface
About This Guide
®
This guide describes how to install and configure RSA MFA Agent 2.1.1 for Microsoft Windows. It is intended
for administrators and other trusted personnel.
RSA MFA Agent for Microsoft Windows Documentation
For more information about RSA MFA Agent 2.1.1 for Microsoft Windows, see the following documentation:
Release Notes. Describes information what is new and changed in this release, as well as workarounds for
known issues.
Installation and Administration Guide. Describes how to install and configure RSA MFA Agent 2.1.1 for
Microsoft Windows.
Group Policy Object Template Guide. Describes how to use Group Policy Object templates to configure RSA
MFA Agent 2.1.1 for Microsoft Windows.
The latest version of all documentation is available on RSA Link at

https://community.rsa.com/community/products/securid/mfa-agent-windows/.
Related Documentation
For more information about products related to RSA MFA Agent 2.1.1 for Microsoft Windows, see the following:
l RSA Authentication Manager documentation set. See RSA Authentication Manager 8.5
Documentation on RSA Link.
l Cloud Authentication Service documentation set. See Cloud Authentication Service

Documentation on RSA Link.
l RSA Ready Partner Program. RSA works with a number of manufacturers to qualify software that
works with RSA products. Qualified third-party products include virtual private network (VPN) and
remote access servers (RAS), routers, web servers, and many more. To access the directory, including
implementation guides and other information, go to www.rsaready.com.
Support and Service
You can access community and support information on RSA Link at https://community.rsa.com. RSA Link
contains a knowledgebase that answers common questions and provides solutions to known problems, product
documentation, community discussions, and case management.
The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware
and software products that have been certified to work with RSA products. The website includes
8 Preface
Implementation Guides with step-by-step instructions and other information on how RSA products work with
third-party products.
Before You Call Customer Support

Make sure that you have direct access to the computer running RSA MFA Agent 2.1.1 for Microsoft Windows.
Please have the following information available when you call:
l When you use the Cloud Authentication Service, RSA provides you with a unique identifier, called the
Customer Support ID, which is required when you register with RSA Customer Support. To see your
Customer Support ID, sign in to the Cloud Administration Console and click My Account > Company
Settings.
l If you use RSA Authentication Manager, your Authentication Manager software version number is your
RSA Customer/License ID.
To find this number, do the following:
In the RSA Security Console, click Help > About RSA Security Console > See Software Version
Information.
l The make and model of the machine on which the problem occurs.
l The name and version of the operating system.
Preface 9
Chapter 1: Product Overview
RSA MFA Agent for Microsoft Windows 11
Supported Authentication Methods for the MFA Agent for Microsoft Windows 12
Differences Between the Authentication Agent and MFA Agent for Windows 13
Key Features 14
Supported Authenticators for RSA Authentication Manager 21
10 Chapter 1: Product Overview

RSA MFA Agent for Microsoft Windows
RSA MFA Agent 2.1.1 for Microsoft Windows works with the RSA SecurID Access to help secure sign-in to users'
Windows computers. You can configure the MFA Agent to challenge users either with or without passwords.
Passwordless Authentication
Users can sign in to their computers without using a password. The MFA Agent uses Active Directory
certificates to secure passwordless authentication. Users need a registered FIDO2 security key and an Active
Directory password for the first authentication. Subsequent authentications require only a registered FIDO2
security key. The MFA Agent creates a Microsoft Virtual Smart Card and enrolls it with a sign-in certificate to
achieve passwordless authentication. Users can also perform additional authentication when accessing
Windows computers and User Account Control.
Password Authentication
Users can sign in to their computers with Windows password and additional authentication. A user enters the
username and password and then can be prompted for additional authentication, for example, by approving a
request in the RSA SecurID Authenticate app.
MFA Agent-Server Communication

When users try to sign into or unlock their Windows computers, the MFA Agent communicates with either Cloud
Authentication Service or RSA Authentication Manager to manage authentication. The following graphics show
possible deployments.
The MFA Agent can connect directly to the Cloud Authentication Service or RSA Authentication Manager 8.5.
When the MFA Agent connects to Authentication Manager, an Authentication Manager administrator can choose
to configure Authentication Manager as a secure proxy server that sends authentication requests to the Cloud
Authentication Service. For example, Authentication Manager would validate RSA SecurID passcode, and the
Cloud Authentication Service would validate Approve, Authenticate Tokencode, and Device Biometrics.
Note: The MFA Agent does not support passwordless authentication when it connects to Authentication
Manager or when Authentication Manager acts as a proxy server to the Cloud Authentication Service.

Supported Authentication Methods for the MFA Agent for Microsoft

Windows
Scenario Authentication Methods

FIDO
Users can insert the registered FIDO2-certified USB security key, enter the PIN,
Passwordless authentication
and tap the security key.
For more information, see Configure Passwordless Authentication on page 30.

The following authentication methods are supported:
l Approve
l Device Biometrics
l Authenticate Tokencode
l RSA SecurID Token
MFA Agent connects to the
l SMS Tokencode
Cloud Authentication Service
l Voice Tokencode
l Emergency Tokencode
The combination options (for example, RSA SecurID Token and Approve) are not
supported. For more information on authentication methods, see Authentication
Methods for Cloud Authentication Service Users.
You can use any authentication method supported by Authentication Manager,
for example, RSA SecurID hardware and software tokens and on-demand
MFA Agent connects to RSA authentication.
Authentication Manager
Note: The MFA Agent does not support passwordless authentication when it
connects to Authentication Manager.
If a Cloud Authentication Service access policy is defined for the MFA Agent:
l Cloud Authentication Service methods are supported.

l Users are prompted for Authenticate Tokencode if the Cloud
Authentication Service or the connection between Authentication
MFA Agent connects to Manager and the Cloud Authentication Service is temporarily unavailable
Authentication Manager, and or too slow.
Authentication Manager acts
If a Cloud Authentication Service access policy is not defined for the Agent, you
as a proxy server to the Cloud
can use any authentication method supported by Authentication Manager, for
Authentication Service
example, RSA SecurID hardware and software tokens and on-demand
authentication.
Note: The MFA Agent does not support passwordless authentication when

Authentication Manager acts as a proxy server to the Cloud Authentication
Service.
If a user's computer is not connected to the network, the Agent verifies the
Offline authentication user's authentication information against the offline data stored on the user’s
computer. If the user’s authentication information is correct, the user gains

Scenario Authentication Methods

access to the protected computer.
Passwordless authentication users can authenticate offline using their FIDO2

security key. By default, passwordless authentication users are not challenged
with additional authentication.
Cloud Authentication Service users can authenticate offline with one of the
following methods:
l RSA SecurID Token (SID700 hardware token managed in Cloud

Authentication Service)
Authentication Manager users can authenticate offline with emergency access

methods that are configured in Authentication Manager.
For more information, see Offline Authentication on page 17.

You can provide emergency access for passwordless authentication users who
do not have the registered FIDO2 security key. If configured, users can click
Sign in with other options and use Windows password and additional
authentication.
You can provide emergency access for Cloud Authentication Service and
Emergency Access
Authentication Manager users who cannot use their preferred authentication
methods. For example, RSA SecurID users may have forget their PINs or lost
their RSA SecurID tokens and RSA SecurID Authenticate users may have lost
their registered authenticators, or run out of offline days.
For more information, see Emergency Access on page 76.
Differences Between the Authentication Agent and MFA Agent for

Windows
If you are currently using the RSA Authentication Agent for Microsoft Windows and are now also using the
RSA MFA Agent for Microsoft Windows, review the following table to understand the key differences between the
two agents. Although both agents help protect Windows sign-in, they provide different functionality in some
cases.
The MFA Agent and Authentication Agent can exist in the same deployment and be installed on the same
computer. For more information about using both agents, see "Understanding Co-Existence of RSA Windows
Agents" in the Group Policy Object Template Guide.
Concept Authentication Agent MFA Agent

RSA SecurID Access Cloud
RSA SecurID Access component Authentication Service
RSA Authentication Manager
used for authentication
RSA Authentication Manager
l Passwordless authentication
Available authentication methods RSA SecurID passcode
(with FIDO2-certified security

Concept Authentication Agent MFA Agent

key)
l Approve, Device Biometrics,
and Authenticate Tokencode,
available in the RSA SecurID
Authenticate app
l RSA SecurID passcode
(generated by RSA SecurID
Token)
l SMS Tokencode
l Voice Tokencode
Cloud Authentication Service access
policy
RSA SecurID Access Challenge Group

Managing user access Challenge groups GPO policy
RSA SecurID Access Primary

Authentication Challenge Group GPO
policy
Configure to prompt for a password
before or after RSA authentication, with
the Prompt for Password After
Always prompted for a password Multifactor Authentication GPO policy.
Configure password order
after RSA authentication
Ignore Prompt for Password After
Multifactor Authentication GPO policy
for passwordless authentication.
Managing the agent, for example,
Control Center RSA MFA Agent Test Authentication tool
test authentication
Key Features
The following sections summarize the key features of RSA MFA Agent.
l Passwordless Authentication on the facing page

l Cloud Authentication Service Authentication Methods on the facing page
l RSA Authentication Manager Authentication Methods on the facing page
l Challenge Users with Passwordless Authentication and RSA SecurID Access Credentials on the facing
page
l Offline Authentication on page 17
l Specify the User Name Format sent to the RSA Authentication Server on page 19
l User Account Control Support on page 19
l Co-Existence Support of RSA Windows Agents on page 19
l Unlock with Windows Password Support on page 20

l Configure Prompt for Windows Password Order During Authentication on page 20

l Options to Customize RSA MFA Agent on page 20
Users can sign in to their computers without using a password. Users need a registered FIDO2 security key and
an Active Directory password for the first authentication. Subsequent authentications require only a registered
FIDO2 security key. For more information, see Configure Passwordless Authentication on page 30.
Cloud Authentication Service Authentication Methods

The MFA Agent connects to your existing Cloud Authentication Service deployment and supports the Approve,
Device Biometrics, Authenticate Tokencode, SecurID Token, SMS Tokencode, Voice Tokencode, and Emergency
Tokencode authentication methods. The combination options (for example, SecurID Token and Approve) are not
supported.
Note: FIDO is supported for primary authentication and not supported for additional authentication.
RSA Authentication Manager Authentication Methods

The MFA Agent connects to your RSA Authentication Manager deployment using the REST protocol. You can use
any authentication method supported by Authentication Manager. The Agent supports up to 15 Authentication
Manager replica instances.
Challenge Users with Passwordless Authentication and RSA SecurID Access

Credentials
You can configure RSA MFA Agent to challenge all users or a specific group of users for the following:
l Passwordless authentication (primary authentication)

l RSA SecurID Access credentials (additional authentication)
You select a user group to challenge from a list that you already defined through the Microsoft Computer
Management interface or in Active Directory. If necessary, create a new group before using the Agent. For more
information about creating a challenge group, see:
l Create a Group of Users to Challenge with Passwordless Authentication on page 30

l Create a Group of Users to Challenge with RSA SecurID Access Credentials on page 29
Multidomain Group Support
When you select a Windows group as an RSA MFA Agent challenge group using the GPO Policy templates, all
users in the group are challenged. The Agent supports all Windows groups. For more information about setting
up a challenge group, see the Group Policy Object Template Guide.
Windows groups can be universal, global, and domain local. Windows also allows groups to be nested within
other groups. It is important to understand the possible combinations of groups, so that when you challenge or
exclude a group from a challenge, you get the results that you expect.
These guidelines determine which users are challenged with the following.
l Users in a Windows group are challenged with FIDO credentials when the Windows group is in a
challenge group.

l Users in a Windows group are challenged with Windows password and additional authentication when
the Windows group is in an excluded challenge group.
RSA SecurID Access Credentials
the Windows group is in a challenge group.
l Users in a Windows group are challenged with Windows password but not challenged with additional
authentication when the Windows group is in an excluded challenge group.
The following tables show examples of different combinations of domains and groups. In the tables:
l D = Domain, for example D1 is domain 1 and D2 is domain 2.

l U = Universal group, for example, U3D1 is universal group 3 in domain 1.
l G = Global group, for example, G2D1 is global group 2 in domain 1.
l L = Domain local group, for example, L1D1 is domain local group 1 in domain 1.
The following table lists an example of a multidomain environment that has two domains and different types of
groups. All of the users and groups are in the same forest. The Agent cannot determine the membership of a
user if the user or group is in a different forest.
Example of Groups and Member in a Multidomain Environment

Type of Group Description Member
Universal Groups
U1D1 Universal Group 1 in Domain 1 User 1 (who is in Domain 1)
U3D1 Universal Group 3 in Domain 1 U1D1 G1D1 G3D1
Global Groups
G1D1 Global Group 1 in Domain 1 User 3 (who is in Domain 1)
G3D1 Global Group 3 in Domain 1 G2D1
Domain Local Groups
User 5 (who is in Domain 1)
L1D1 Domain Local Group 1 in Domain 1
L2D1 Domain Local Group 2 in Domain 1 U3D1
L3D1 Domain Local Group 3 in Domain 1 G1D1 G3D1
The following table shows the users who are challenged or excluded from it depending on what group you
selected in the previous table.
Challenge or Exclude Group Settings

Group Setting Users Challenged or Excluded
U1D1 User 1
U3D1 User 1, User 3, User 4
G1D1 User 3
G3D1 User 4
L1D1 User 5, User 6


L2D1 User 1, User 3, User 4
L3D1 User 3, User 4
The following tables show an example of how a universal group can include users from a different domain, but
only users in the universal group's domain are included in the challenge group.
Universal group 3 in domain 1 (U3D1) has been updated to include universal group 2 in domain 2 (U2D2).

Universal Groups
U3D1 Universal Group 3 in Domain 1 U1D1 U2D2 G1D1 G3D1
Even though U3D1 includes universal group 2 of domain 2, which includes user 2, who is a domain 2 user, only
the domain 1 users are part of the challenge group.

Challenge or Excluded Group Settings
U3D1 User 1, User 3, User 4 User 2 will not behave as the others
L2D1 User 1, User 3, User 4 User 2 will not behave as the others
Offline Authentication
Offline authentication extends RSA SecurID Access authentication to users when the connection to RSA SecurID
Access is not available, for example, when users' computers are not connected to the Internet.
When a user authenticates offline, the Agent verifies the user’s authentication information against the offline
data stored on the user’s computer. If the user’s authentication information is correct, the user gains access to
the protected computer.
Offline authentication is available for both RSA Authentication Manager and Cloud Authentication Service users.
Offline Passwordless Authentication
If the MFA Agent is configured with passwordless authentication, users can authenticate offline using their
FIDO2 security key. By default, passwordless authentication users are not challenged with additional offline
authentication. You can challenge users with the one of the following additional offline authentication methods:
l RSA SecurID Token (SID700 hardware token managed in Cloud Authentication Service)

To challenge users with additional authentication after successful offline primary authentication, enable the GPO
setting "Enable additional authentication when Cloud Authentication Service is unavailable".
Cloud Authentication Service Offline Authentication
Offline authentication is available for all MFA Agent users with registered RSA SecurID Authenticate devices. You
can turn offline authentication on or off with the GPO setting "Enable offline authentication."
The first time that a user authenticates online, the MFA Agent downloads 14 days plus the current day of offline
data (also called offline days) to the computer. This allows the Agent user to authenticate offline. You can
configure the number of offline days downloaded with the GPO setting "Specify number of offline days."
If offline Emergency Tokencode is enabled in the Cloud Authentication Service, the Agent downloads an Offline

Emergency file after a successful online authentication with any method other than online Emergency
Tokencode.
Online Authentication Methods Downloads Offline Days for

l Approve
l Device Biometrics l Authenticate Tokencode
l RSA SecurID Token (hardware and software l Emergency Tokencode (if offline Emergency
tokens managed in Authentication Tokencode is enabled in the Cloud Authentication
Manager) Service)
l SMS Tokencode
l Voice Tokencode
l RSA SecurID Token (SID700 hardware token

managed in Cloud Authentication Service)
RSA SecurID Token (SID700 hardware token
l Emergency Tokencode (if offline Emergency
managed in Cloud Authentication Service)
Tokencode is enabled in the Cloud Authentication
Service)
Emergency Tokencode No offline days are downloaded.
Users can perform offline authentication with one of the following authentication methods:
l RSA SecurID Token (SID700 hardware token managed in Cloud Authentication Service)

The authentication methods available for offline authentication depend on which method the user last completed
successfully while online. For example, if the user last completed online authentication with RSA SecurID Token
(SID700 hardware token managed in the Cloud Authentication Service), then that method will be available for
offline authentication. If the user last completed online authentication with a method other than the SID700
hardware token (managed in the Cloud Authentication Service) or Emergency Tokencode, then Authenticate
Tokencode will be available for offline authentication.
Note: If the PIN for the RSA SecurID Token (SID700 hardware token managed in Cloud Authentication Service)
is reset, then users must authenticate online with the new PIN before using the new PIN for offline
authentication.
Offline authentication works independently of the Cloud Authentication Service access policy. You do not need to
specify RSA SecurID Token or Authenticate Tokencode as an available authentication method in the access policy
for offline authentication to work. However, to use Emergency Tokencode, you need to specify Emergency
Tokencode as an available authentication method in the access policy.
When a user authenticates offline, MFA Agent verifies the user’s authentication information against the offline
data stored on the user’s computer. If the user’s authentication information is correct, the user gains access to
the protected computer.
Offline data is stored in the following location:
C:\ProgramData\RSA\OfflineData
You cannot change this directory.
For information about managing offline days, see Manage Cloud Authentication Service Offline Days on page 72.

When a user or administrator deletes a company or RSA SecurID Authenticate registered device for a user, the
offline days for the deleted companies are removed from the Windows computer after the user completes online
authentication.
Note: Users' computers must be synchronized with Internet time for offline authentication to work. Offline
authentication uses UTC time, so changes to time zones on computers do not affect offline authentication.
RSA Authentication Manager Offline Authentication
Offline authentication is available for all MFA Agent users who access RSA Authentication Manager. You can turn
offline authentication on or off with the GPO setting "Enable offline authentication."
When a user authenticates online with any authentication method supported by RSA Authentication Manager,
the MFA Agent downloads current day offline data plus the configured number of days in the Authentication
Manager offline authentication policy assigned to the user. The GPO setting "Specify number of offline days" is
not used when the agent is connected to Authentication Manager.
By default, offline data is stored in the following location:
C:\ProgramData\RSA\OfflineData
You cannot change this directory.
For information about managing offline days, see Manage RSA Authentication Manager Offline Days on page 73.
Note: Users' computers must be synchronized with Internet time for offline authentication to work. Offline
authentication uses UTC time, so changes to time zones on computers do not affect offline authentication.
Specify the User Name Format sent to the RSA Authentication Server
You can specify the format of the user name that the Agent sends to the RSA authentication server
(RSA Authentication Manager or the Cloud Authentication Service) during an authentication. You enable this
policy if the user accounts on the RSA authentication server use a name format other than a user’s
sAMAccountName.
This policy applies to all authentications sent to the RSA authentication server for either RSA Authentication
Manager or the Cloud Authentication Service.
User Account Control Support

When a standard user tries to make a system-level change to the computer that requires administrative
credentials, Windows presents the User Account Control (UAC) screens. During the UAC process, the Agent
prompts the user for passwordless authentication or for Windows password and additional authentication
based on the configuration.
Also, when a user tries to open an application using "Run as different user," the Agent prompts the user for
passwordless authentication or for Windows password and additional authentication based on the
configuration.
Co-Existence Support of RSA Windows Agents

You can install the RSA Authentication Agent 7.4.4 for Microsoft Windows and RSA MFA Agent 2.1.1 for
Microsoft Windows on the same computer. To limit user confusion with the authentication process, RSA
recommends only displaying one Agent credential provider tile at a time on users' computers.
For more information, see Comparing RSA Authentication and MFA Agents for Microsoft Windows on page 63.

Unlock with Windows Password Support

Users can be allowed to unlock their computers with only a Windows password during a time-out period. The
time-out period starts when a user completes RSA SecurID Access authentication.
You can specify the number of times users can enter incorrect passwords before they are prompted for RSA
SecurID Access authentication and the number of minutes during which users can unlock their computers by
entering Windows passwords. You configure these values with the GPO setting "Unlock with Windows
Password." For more information, see the Group Policy Object Template Guide.
Note: Unlock with Windows password support is not applicable for passwordless authentication.
Configure Prompt for Windows Password Order During Authentication

You can specify if the Agent prompts users for a Windows password after successful multifactor authentication,
instead of prompting before multifactor authentication. With either order, users are required to successfully
authenticate with both their Windows password and an additional authentication method.
This setting can be used with the Cloud Authentication Service or RSA Authentication Manager. This setting
applies whenever the Agent prompts for multifactor authentication, for example, in User Account Control
screens and when accessing remote desktop applications (if configured).
Note: Prompt for Windows password order during authentication is not applicable for passwordless
authentication. The GPO policy "Prompt for Password after Multifactor Authentication" is not supported for
Windows Server Core 2016 and Windows Server Core 2019.
Options to Customize RSA MFA Agent

You can customize the RSA MFA Agent in the following ways:
l Specify RSA SecurID Access timeout.
l Collect system attributes (location and IP address) from a computer to be used in a Cloud Authentication
Service access policy.
l Disable RSA SecurID Access authentication for a user that does not exist in the Cloud Authentication
Service.
l Enable RSA SecurID Access authentication.
l Specify how long the Agent tries to collect location data before timing out.
l Set computers to unlock with Windows password.
l Enable offline authentication.
l Specify number of offline days to download (Cloud Authentication Service only)
l Specify when message displays to users about expiring offline days (Cloud Authentication Service only)
l Enable reserve password.
l Enable streamlined authentication from remote applications.
l Specify remote desktop applications that do not require RSA SecurID authentication.
l Hide or show RSA SecurID Access Credential Provider

l Specify custom tile image, text, and logo.
l Specify custom background image shown when collecting RSA SecurID Access credentials
l Configure Microsoft Password Prompt before or after RSA SecurID Access Authentication.
l Configure load balancing settings.
l Specify the user name format sent to the RSA authentication server.
For more information, see the Group Policy Object Template Guide.
Supported Authenticators for RSA Authentication Manager
RSA MFA Agent 2.1.1 for Microsoft Windows supports the following types of authenticators:
l RSA SecurID key fobs

l RSA SecurID standard cards
l RSA SecurID PINPads
l RSA SecurID software tokens
l RSA SecurID 800 Authenticator
Note: The RSA SecurID 800 Hybrid Authenticator (SecurID 800) can be used in disconnected mode
only.
l RSA on-demand tokencode

l Authenticate Tokencode (requires integration between the Cloud Authentication Service and RSA
Authentication Manager)
Note: You cannot use software authenticators that reside on the computer to sign into protected Windows
desktops. However, once you log on to the desktop using a different type of authenticator, you can use software
authenticators to log on to the network. You can use MFA Agent with a software authenticator installed on a
portable device, for example, a mobile phone. For more information on software authenticators, see the RSA
documentation that comes with your software authenticator.

Chapter 2: Preparing for Installation
System Requirements 24
Remote Access Support 25
User Requirements 26
Preparations to Install MFA Agent 26
Configure Passwordless Authentication 30

System Requirements
RSA MFA Agent 2.1.1 for Microsoft Windows has the following minimum system requirements:
l 35 MB of free disk space

l TCP/IP networking
Required Port
Port 443 (or a custom port specified in the Cloud Authentication Service Administration Console) must be
available for REST protocol communication between the MFA Agent and the Cloud Authentication Service.
Port 5555 (or a custom post specified in the Authentication Manager Security Console) must be available for
REST protocol communication between the Agent and Authentication Manager.
Computer Requirements
Supported Operating Systems
RSA MFA Agent 2.1.1 for Microsoft Windows is supported on the following operating systems:
l Windows 8.1, 32-bit and 64-bit

l Windows 10, 32-bit and 64-bit (build 1903 onwards)
l Windows Server 2012 R2
l Windows Server 2016
l Windows Server 2019
Passwordless Authentication is supported on Windows 10, 32-bit and 64-bit (build 1903 onwards).
The Agent also supports these operating systems when the security setting "System cryptography: Use FIPS
compliant algorithms for encryption, hashing, and signing" is enabled.
Note: Windows Server Core does not support HTML rendering or HTML Help. The MFA Agent Help link for
signing in does not work on Windows Server Core 2016 or 2019.
Supported FIDO2 Security Keys
RSA MFA Agent 2.1.1 for Microsoft Windows supports FIDO2-certified security keys. Following is the list of
FIDO2 security keys qualified with RSA MFA Agent 2.1.1 for Microsoft Windows:
l YubiKey 5 NFC (Yubico RSA co-branded USB A type key) - Firmware version 5.2.4
l BioPass FIDO2 (Feitian USB A type key) - Firmware version 1.0.1
l ATKey.Pro-01C003D6 (AuthenTrend USB A type key) – Firmware version 1.0.1
For more information on other FIDO2-certified security keys, go to www.rsaready.com.
Connectivity Requirements
The MFA Agent can connect directly to the Cloud Authentication Service or RSA Authentication Manager 8.5.
Depending on your deployment, do one of the following:
l Ensure that each Agent can connect to the Cloud Authentication Service. For connectivity and firewall
requirements, see the Quick Setup Guide for your RADIUS Clients, SAML Applications or Third-Party SSO
Solutions, or SSO Agent deployment. See Cloud Authentication Service Documentation on RSA Link.
24 Chapter 2: Preparing for Installation

l Ensure that each Agent can connect to RSA Authentication Manager. For setting up Authentication
Manager, see the RSA Authentication Manager 8.5 Documentation on RSA Link.
If your deployment uses RSA Authentication Manager as a proxy server, each Agent must be able to
connect to Authentication Manager, which sends authentication requests to the Cloud Authentication
Service. To establish the connection, see Connect RSA Authentication Manager to the Cloud
Authentication Service.
Authentication Requirements
Windows Hello is not supported as an authentication option with the MFA Agent.
By default, Windows Hello displays next to the RSA SecurID Access Credential Provider on the Windows sign-in
screen. To hide Windows Hello on the sign-in screen, enable the GPO setting "Exclude all Third Party Credential
Providers."
Cloud Authentication Service Requirements

You must have a Cloud Authentication Service deployment.
RSA Authentication Manager Requirements

RSA Authentication Manager 8.5 is required.
An Authentication Manager administrator can choose to configure Authentication Manager as a secure proxy
server that sends authentication requests to the Cloud Authentication Service. This option requires the Cloud
Authentication Service, and a connection between Authentication Manager and the Cloud Authentication Service.
Supported Third-Party Remote Access Products

RSA MFA Agent protects sign-ons on a remote computer through applications that support the Remote Desktop
Protocol (RDP), such as Microsoft Remote Desktop Connection.
Remote Access Support
RSA MFA Agent protects sign-ins on a remote computer through applications that support the Remote Desktop
Protocol (RDP), such as Microsoft Remote Desktop Connection. You can open one of these applications on your
local computer to sign into remote computers.
When MFA Agent is installed on your local computer, the process by which an RDP application connects to a
remote computer does not change. When you attempt to connect to a remote computer, you are prompted to
authenticate with Windows credentials. These credentials are used by the RDP application to satisfy Windows
Network Level Authentication (NLA) before establishing a connection to the remote computer.
When MFA Agent is installed on the remote computer, you may see a prompt to authenticate with RSA SecurID
credentials before you can access the remote desktop.
Whether you are prompted for RSA SecurID credentials depends on how MFA Agent is configured.
For more information on using Network Level Authentication, see the Microsoft web site.
Note: Passwordless authentication is not supported for remote access. You cannot use passwordless
authentication to sign into remote computers.

User Requirements
l To use FIDO, users must register the FIDO2-certified security key using RSA SecurID Access My Page.
See Manage My Page and Registration Using RSA SecurID Access My Page. For FIDO2-certified security
key requirements, see FIDO Authenticator Requirements.
l To use Approve, Device Biometrics, or Authenticate Tokencode, users must register the RSA SecurID
Authenticate app on a supported device. For a list of supported devices, see Cloud Authentication
Service User Requirements on RSA Link.
l To use RSA SecurID Token, RSA Authentication Manager is required, and users must have RSA SecurID
hardware or software tokens. If you are protecting cloud-based resources, the Cloud Authentication
Service is required.
l To use SMS Tokencode or Voice Tokencode, make sure each user has a phone number in the Cloud
Authentication Service. The RSA SecurID Authenticate app is not required for these authentication
methods.
l To use online or offline Emergency Tokencode, a Cloud Authentication Service help desk administrator
must provide the code to the user. For more information, see Emergency Access on page 76.
l To provide online or offline emergency access to resources protected by RSA Authentication Manager, an
Authentication Manager administrator must provide information to the users. Users can also use the
Self-Service Console to request temporary access to Authentication Manager without the assistance of an
administrator. For more information, see Emergency Access on page 76.
Preparations to Install MFA Agent
This section describes tasks you must perform before installing and configuring RSA MFA Agent 2.1.1 for
Microsoft Windows.
Set Up RSA SecurID Access Authentication

Before you install and configure MFA Agent, you must complete the following tasks depending upon whether
your deployment is connecting to the Cloud Authentication Service or RSA Authentication Manager.
Set Up Cloud Authentication Service
You or your Cloud Authentication Service administrator must complete these tasks:
l Users must be in an identity source synchronized to the Cloud Authentication Service.
l Create an access policy specifically for the MFA Agent. For more information, see Add an Access Policy on
RSA Link.
The following graphic explains how this access policy might be configured.

l If you want to use conditional authentication based on location or IP address, create trusted locations
and trusted networks and configure the access policy to use them. For more information, see Add a
Trusted Network and Add a Trusted Location on RSA Link.
l Obtain the REST Authentication URL for the Cloud Authentication Service. The REST Authentication
URL uses the following format:
https://<hostname>:<port>/
To obtain the <hostname>, in the Cloud Administration Console, go to Platform > Identity Routers.
For any identity router, click the Registration tab of the settings page. The Authentication Service
Domain field displays the <hostname>.
The default <port> is 443.
l Obtain the REST protocol RSA SecurID Authentication API Key for the Cloud Authentication Service. The
Agent sends this key to the RSA SecurID Authentication API to securely identify authentication requests.
For instructions, see Add an RSA SecurID Authentication API Key on RSA Link.
l If you want users to avoid additional authentication after successful FIDO primary authentication, make
sure to configure FIDO as the higher assurance level authentication method in the access policy than the
other method.
In the access policy, select an assurance level with at least one authentication method in addition to
FIDO. If a user does not have FIDO2 security key, the user can select another method.
Set Up RSA Authentication Manager
Before you install and configure the MFA Agent, you or your RSA Authentication Manager administrator must
complete these tasks:
l If you have not already done so, install RSA Authentication Manager 8.5. For instructions, see the
RSA Authentication Manager 8.5 Setup and Configuration Guide.
l (Optional) If you are using RSA Authentication Manager as a proxy server for the Cloud Authentication
Service, complete the integration between the Cloud Authentication Service and RSA Authentication
Manager. For more information, see Integrating RSA Authentication Manager with the Cloud

Authentication Service.
l Create one or more authentication agent records in Authentication Manager. For REST protocol
authentication agents, one authentication agent record can represent more than one installed agent. For
more information, see RSA Authentication Agents.
l Import the trusted root CA certificate from RSA Authentication Manager. For instructions, see Import the
Trusted Root Certificate for RSA Authentication Manager below.
l Obtain the REST Authentication URL for the Authentication Manager primary instance. The
REST Authentication URL uses the following format:
https://<hostname>:<port>/
To obtain the <hostname>, in the Authentication Manager Operations Console, go to Administration >
Network > Appliance Network Settings. The Fully Qualified Domain Name field displays the
<hostname>.
The default <port> is 5555.
l (Optional) Obtain the REST Authentication URL for any Authentication Manager replica instances you
plan to connect to the agent.
l Obtain the REST protocol RSA SecurID Access Authentication API Key for Authentication Manager, also
known as the Access Key. The Agent sends this key to the RSA SecurID Authentication API to securely
identify authentication requests. For instructions, see Configure the RSA SecurID Authentication API for
Authentication Agents.
Import the Trusted Root Certificate for RSA Authentication Manager

Before installing the MFA Agent, you must import the trusted root CA certificate from RSA Authentication
Manager.
Perform this procedure on each computer where the Agent will be installed to authenticate to Authentication
Manager.
Before you begin
Obtain the trusted root CA certificate from your Authentication Manager administrator and copy it to a location
on the computer where you will install the agent.
For instructions, see the knowledgebase article How to export RSA SecurID Access Authentication Manager,
Identity Router, or Cloud Authentication Service Root Certificates.
Import a Trusted Root Certificate Using Microsoft Management Console
Procedure
1. Sign into the computer where you will install the agent.
2. Run mmc.exe to open the Microsoft Management Console.
3. Click File > Add/Remove Snap-In.
4. Double-click Certificates.
5. Select Computer Account, and click Next.
6. Select Local Computer, and click Finish.

7. Click OK.
8. Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities >
Certificates.
9. Right-click Certificates and select All Tasks > Import.
10. Click Next.
11. Click Browse, then select the certificate you would like to import and click Open.
12. Click Next.
13. Select Place all certificates in the following store.
14. Click Browse, then select Trusted Root Certification Authorities and click OK.
15. Click Next.
16. Click Finish & OK.
Import a Trusted Root Certificate Using a PowerShell Command Prompt
Procedure
1. Sign into the computer where you will install the agent.
2. Open a PowerShell command prompt in Administrator mode.
3. Enter the following commands to import the certificate:
IMPORT-MODULE PKI
SET-LOCATION CERT:
Get-ChildItem –Path <c:\CertDirectory\mycert.cer> | Import-

Certificate –CertStoreLocation cert:\LocalMachine\Root
where <c:\CertDirectory\mycert.cer> is the full file path of the certificate.
Create a Group of Users to Challenge with RSA SecurID Access Credentials

You control access to resources protected by RSA MFA Agent 2.1.1 for Microsoft Windows by specifying which
users to challenge for RSA SecurID Access credentials. You can configure the Agent to challenge:
l A group of users
l All users except a certain group of users
l Users except all local users (Challenge only domain users)
The Agent can use a Windows group to control access to resources. The group can be a default Windows group
or a group that you create using the Windows Computer Management interface or Active Directory. If you want
to use a group other than one of the Windows default groups, you need to create the group before you configure
the Agent. Confirm that any groups that you create are recognized by Active Directory as a group and can be
queried. For detailed instructions on creating groups, see your Microsoft Windows documentation.
You can allow the Agent to retrieve the user's challenge setting from a local cache, if the agent cannot determine
the user's group membership from the domain controller.
If Agent cannot find the user's challenge setting in the cache, then you can set one of the following:
l Challenge the user

l Do not challenge the user (allow Windows password)

You can apply challenge settings with the GPO setting "RSA SecurID Access Challenge Group" and determine
how the Agent treats users whose group membership cannot be determined with the GPO setting "Cache
Challenge Settings."
To not challenge any users, disable or do not configure the GPO setting "Enable RSA SecurID Access
authentication."
To challenge all users, enable the GPO setting "Enable RSA SecurID Access authentication" and disable or do not
configure the GPO setting "RSA SecurID Access Challenge Group."
Prepare Users for RSA SecurID Access Authentication

Before you deploy the MFA Agent, you should provide information to your users about the available
authentication and emergency access methods.
Prepare Users for Cloud Authentication Service
Make sure that your users understand how to use the Cloud Authentication Service authentication methods. For
more information, see Cloud Authentication Service Rollout to Users on RSA Link.
You can provide emergency access for users who cannot use their preferred authentication method, for
example, if they lost their registered device or have too many failed authentication attempts. Be sure to inform
your users about the available emergency access options. For more information, see Emergency Access on
page 76.
Prepare Users for RSA Authentication Manager
Provide authentication instructions to users. For more information, see the documentation that comes with your
authenticator.
You can provide emergency access for users who cannot use their preferred authentication method, for
example, if they lost their RSA SecurID Tokens or have too many failed authentication attempts. Be sure to
inform your users about the available emergency access options. For more information, see Emergency Access
on page 76.
Configure Passwordless Authentication
Users can sign in to their computers without using a password. RSA MFA Agent uses Active Directory
certificates to secure passwordless authentication. Users need a registered FIDO2-certified security key and an
Active Directory password for the first authentication. Subsequent authentications require only a registered
FIDO2-certified security key. RSA MFA Agent creates a Microsoft Virtual Smart Card and enrolls it with a sign-in
certificate to achieve passwordless authentication.
Note: Passwordless authentication is applicable only for domain users.
Create a Group of Users to Challenge with Passwordless Authentication

You control access to resources protected by RSA MFA Agent 2.1.1 for Microsoft Windows by specifying which
users to challenge for passwordless authentication. You can configure the Agent to challenge:
l A group of users
l All users except a certain group of users
l Include only domain users; exclude local users

The Agent can use a Windows group to control access to resources. The group can be a default Windows group
or a group that you create using the Windows Computer Management interface or Active Directory. If you want
to use a group other than a Windows default group, you must create the group before you configure the Agent.
Confirm that any groups that you create are recognized by Active Directory as a group and can be queried. For
instructions on creating groups, see your Microsoft Windows documentation.
If the agent cannot determine the user's group membership from the domain controller, you can allow the Agent
to retrieve the user's challenge setting from a local cache.
If the Agent cannot find the user's challenge setting in the cache, then you can challenge the user with one of
the following:
l Passwordless authentication
l Windows password and additional authentication
You can configure challenge settings with the GPO RSA SecurID Access Primary Authentication
Challenge Group and determine how the Agent treats users whose group membership cannot be determined
with the GPO RSA SecurID Access Primary Authentication Challenge Settings. For more information,
see the Group Policy Object Template Guide.
GPO Configuration Settings

Configure the following GPOs to allow passwordless authentication. For more information on the following GPOs,
see RSA MFA Agent for Microsoft Windows Group Policy Object Template Guide on RSA Link.
l Configure Primary Authentication

l Specify the Active Directory CA Name
l Specify the Active Directory CA Hostname
l Specify the Certificate Template
l Specify the Certificate Key Length
l Specify the Certificate Subject
l Specify the FIDO Relying Party ID
l Specify the FIDO Custom Help Text for Registration
l Specify the FIDO Custom Help Text to Set the Security Key PIN
l Specify the FIDO Custom Help Text to Reset the Blocked Security Key
l Specify the FIDO Custom Help Text for Invalid Credentials
l Specify the FIDO Custom Help Text When Passwordless Authentication Cannot be Configured
l Specify the FIDO Custom Help Text for Registration of Passwordless Authentication
l Signing In with Windows Password When Passwordless Authentication is Not Supported
l Signing In with Windows Password When Passwordless Authentication is Unavailable
l Enable Additional Authentication When Cloud Authentication Service is Unavailable
l RSA SecurID Access Primary Authentication Challenge Group
l RSA SecurID Access Primary Authentication Challenge Settings
If you configure passwordless authentication, the following GPOs are ignored and are not applicable:
l Prompt for Password After Multifactor Authentication

l Unlock with Windows Password
l Sign-on with Credentials from Remote Applications

Manage FIDO2 Security Keys

Users can manage their FIDO2 security keys using one of the following:
l RSA Security Key Utility. For more information, see Create or Change PIN.
l The key management utility provided by the security key manufacturer.
l Security key settings in Microsoft Windows Settings application. See Set up security key on
docs.microsoft.com.
l Google Chrome browser.
Prerequisites
The following requirements must be met before users perform passwordless authentication:
l Users must have Supported FIDO2 Security Keys on page 24. See Using RSA Security Key Utility.
l Users must set up the PIN for the FIDO2-certified security key. See Manage FIDO2 Security Keys above.
l Users must register their FIDO2-certified security key using RSA SecurID Access My Page. See Manage
My Page and Registration Using RSA SecurID Access My Page.
l Microsoft Windows computers where the RSA MFA Agent is installed must have Trusted Platform Module
(TPM) 2.0 chips.
l Users must have valid Active Directory passwords to successfully authenticate for the first time.
l You must not select the Smart card is required for interactive logon option in the Account tab of
the Active Directory user properties.
l You must deploy the Active Directory Certificate Authority on the same computer where Active Directory
is installed or on a different computer with a trusted connection to the Active Directory Domain
Controller. See To install Active Directory Certificate Services on docs.microsoft.com.
l You must install the Microsoft Windows Certificate Services in Enterprise mode. See step 11 of To install
Active Directory Certificate Services on docs.microsoft.com.
l You must create a Smartcard Logon certificate template. See Create the certificate template on
docs.microsoft.com.
n You must not select the CA certificate manager approval and the This number of
authorized signatures options in the Issuance Requirements of the Smartcard Logon
certificate template properties.
n You must not select the Autoenroll option in the Security tab of the Smartcard Logon certificate
template properties.
n Make sure to check the Read and Enroll permissions in the Security tab of the Smartcard Logon
certificate template properties.
n Make sure the Minimum key size of the Smartcard Logon certificate template Cryptography key
is 1024 or 2048.
Performance Considerations
Microsoft Windows connects up to 10 smart cards to one computer at a time, including both physical and virtual
smart cards. RSA MFA Agent creates one Microsoft Virtual Smart Card per user. RSA allows maximum of ten
users enabled with passwordless authentication per computer.
Note: The MFA Agent does not support passwordless authentication when Authentication Manager acts as a
proxy server to the Cloud Authentication Service.

Authentication Flow of Passwordless Authentication

This section describes the flow of passwordless authentication for users' first authentication and subsequent
authentications.
Users' First Authentication
When users sign in or unlock their computers for the first time, the RSA MFA Agent binds the FIDO2 security key
with the user's computer. The RSA MFA Agent creates a Microsoft Virtual Smart Card and provisions it with a
sign-in certificate for the user. Before the first passwordless authentication, users' computers must be
connected to the network and the prerequisites must be satisfied. See Prerequisites.
Authentication Flow
1. Users enter their Active Directory password in the passwordless credential provider.
2. Users insert their FIDO2 security key and enter a PIN.
3. RSA MFA Agent verifies with Cloud Authentication Service and prompts users with additional
authentication methods if required.
4. After successful authentication, RSA MFA Agent verifies and binds the FIDO2 security key with the user's
computer.
5. RSA MFA Agent creates Microsoft Virtual Smart Card.
6. RSA MFA Agent provisions the Microsoft Virtual Smart Card with a sign-in certificate from Active
Directory using the users' Active Directory password.
7. Users gain access to the computer.
Note: If the Active Directory password is expired, users are prompted to change their password. The old Active
Directory password appears in the Change Password window.
Users' Subsequent Authentications
After the first authentication, users do not have to enter passwords because the FIDO2 security key is bound to
the computer and the virtual smart card already exists. After the second authentication, users' computers may
or may not be connected to the network for the subsequent authentications.
Authentication Flow
2. RSA MFA Agent verifies credentials and prompts users with additional authentication methods if
required.
3. RSA MFA Agent verifies the authentication data and unlocks the local virtual smart card.
4. After successful authentication, RSA MFA Agent obtains the sign-in certificate.
5. RSA MFA Agent sends the sign-in certificate to Microsoft Windows on the users' computers.
6. Microsoft Windows validates the certificate and users gain access to the computer.
Note: If the Active Directory password is expired, users are prompted to change their password.
You can provide emergency access for users who have temporarily or permanently lost their FIDO2 security key.
For more information, see Emergency Access on page 76 .
Certificate Management
RSA MFA Agent creates a Microsoft Virtual Smart Card, enrolls it with a sign-in certificate, and uses smart card

to achieve passwordless authentication. This section describes how RSA MFA Agent manages smart card sign-in
certificate:
l Revoke Smart Card Sign-In Certificate below

l Renew Smart Card Sign-In Certificate on the facing page
l User Authentication Flow on page 36
Revoke Smart Card Sign-In Certificate
If a smart card sign-in certificate is compromised before its scheduled expiration date, you must revoke the
certificate using one of the following methods:
l Revoke Using Certificate Authority below

l Revoke Using Certutil Command on the facing page
Note: RSA MFA Agent deletes the compromised smart card sign-in certificate and private key from users'
computer. However, the Agent does not delete the certificate from the Active Directory. You can delete the
compromised sign-in certificate from the Active Directory.
Revoke Using Certificate Authority
Procedure
1. From the Windows Start menu, select Run and enter mmc to open the Microsoft Management Console.
2. From the File menu, select Add/Remove Snap-in.
The Add or Remove Snap-ins window appears.
3. From the Available snap-ins list, select Certificate Authority and click Add.
The Certificate Authority window appears.
4. Select Local computer: (the computer this console is running on) and click Finish.
The Add or Remove Snap-ins widow appears.
5. Click OK.
6. In the left pane of the Microsoft Management Console, select Console Root and click to expand
Certificates Authority(Local).
A list of directories appears for each type of Certificate Authority.
7. Click Issued Certificates folder.
8. Select the certificate you want to revoke. Right click on the certificate, select All Task and click Revoke
Certificate.
The Certificate Revocation window appears.
9. Select Reason code and choose the reason for certificate revocation from the drop-down list.
10. Click Yes.
11. In the left pane of the Microsoft Management Console, select Revoked Certificates folder to check if the
revoked certificate is in the list.
12. Select the revoked certificate. Right click on the certificate, select All Task and click Publish.

The Publish CRL window appears.
13. To refresh the Certificate Revocation List (CRL), select New CRL and click OK.
Revoke Using Certutil Command
Procedure
1. From the Windows Start menu, select Run and enter PowerShell to open the application.
2. Run the following command:
certutil -revoke <certificate serial number> "<reason code to revoke

certificate>"
The following example runs the command for certificate serial number -
7d0000042a8e39304958e34ab500000000042a and Reason Code - CA Compromise:
certutil -revoke 7d0000042a8e39304958e34ab500000000042a "2"
3. Run the following command to refresh the Certificate Revocation List:
certutil -CRL
Renew Smart Card Sign-In Certificate
Smart card sign-in certificate has a validity period. Users with an expired sign-in certificate are prompted to
enter their Active Directory password. RSA MFA Agent renews the sign-in certificate from Certificate Authority.
Note: RSA MFA Agent deletes the expired smart card sign-in certificate and private key from users' computer.
However, the Agent does not delete the certificate from the Active Directory. You can delete the expired sign-in
certificate from the Active Directory.
Set the Certificate Validity Period
RSA recommends that you set the validity period of a sign-in certificate to a minimum of 3 years. Set the validity
period in the certificate template used to create the smart card sign-in certificate.
Procedure
1. From the Windows Start menu, select Run and enter mmc to open the Microsoft Management Console.
2. From the File menu, select Add/Remove Snap-in.
The Add or Remove Snap-ins window appears.
3. From the Available snap-ins list, select Certificate Templates and click Add.
The Certificate Templates window appears.
4. Select the certificate template and double-click to open the Smartcard Logon certificate template
properties.
5. Set the Validity period of the certificate template to 3 years.
6. Click OK.
Note: Do not enable automatic enrollment of the certificate templates that you use to achieve RSA SecurID
Access passwordless authentication.

User Authentication Flow
This describes the user authentication flow after you revoke or renew the smart card sign-in certificate. After
you revoke a certificate or a certificate is expired, users can successfully perform the first authentication using
the revoked or expired sign-in certificate. Users experience the following authentication flow during the second
authentication:

2. RSA MFA Agent verifies credentials and prompts users for additional authentication if required.
3. RSA MFA Agent detects that the smart card sign-in certificate is revoked or expired and notifies users
about unsuccessful authentication.
4. Users click OK and are prompted to enter their Active Directory password.
5. RSA MFA Agent creates Microsoft Virtual Smart Card.
6. RSA MFA Agent provisions the Microsoft Virtual Smart Card with the new sign-in certificate from
Certificate Authority.
7. Users gain access to the computer.
On subsequent authentications, users' authentication flow remains same as passwordless authentication.

Chapter 3: Installing RSA MFA Agent
Installation Methods 38
Installation Considerations 38
Install the Product on a Single Computer 38
Install the Product on Multiple Computers 40
Connect MFA Agent to RSA SecurID Access 41
Test Authentication 55
Repair an Installation 60
Upgrade to RSA MFA Agent 2.1.1 for Microsoft Windows 61
Migrate from RSA Authentication Agent 7.4.x for Microsoft Windows to RSA MFA Agent 2.1.1 for Microsoft
Windows 63
Uninstall the Product 67

Installation Methods
You can install MFA Agent for single installations or large-scale deployments.
Single Installations
You may want to install the MFA Agent on a single computer to run an authentication test before deploying an
installation package to a larger group. Or, you may only need to install the product on one or two computers.
Large-Scale Deployments
To customize the MFA Agent logon settings and install the product on many computers, you can deploy an MSI
file using a command line or a third-party tool that automatically deploys MSI packages.
Installation Considerations
Before you install RSA MFA Agent 2.1.1 for Microsoft Windows, review the following information:
l Decide what emergency access methods you will provide for users who cannot use their preferred
authentication methods. For example, RSA SecurID users may forget their PINs, lose their
RSA SecurID hardware tokens, or lock their computers because of too many failed authentication
attempts. RSA SecurID Authenticate users may have lost their registered authenticators, run out of
offline days, or cannot charge their mobile phones. In such cases, several methods are available for
emergency access. For more information, see Emergency Access on page 76.
l You must use an administrator account or have administrator privileges to install the software. If you
plan to deploy an installation package, you must also set the policies to control privileges to user
desktops. For more information, see Provide Account Control Privileges to User Computers on page 40.
l The MFA Agent must be installed on computers that are joined to a domain.
l Microsoft Windows computers where the MFA Agent is installed must have Trusted Platform Module
(TPM) 2.0 chips to perform passwordless authentication.
l If you install the MFA Agent on the Windows operating systems where you plan to manage your
RSA Group Policy Object templates, you do not need to manually install the templates. The Agent
automatically installs them in the Local Security Policy. For more information, see the Group Policy Object
Template Guide.
l After you install the product, you can use the Test Authentication tool to verify that all of the
configuration settings are working fine.
Install the Product on a Single Computer
You can install the MFA Agent using an install wizard or command line. Follow the steps in the applicable
section. Repeat the procedure for other computers.
Required Certificates for the Cloud Authentication Service

In order to securely communicate to the Cloud Authentication Service, the MFA Agent requires the trusted root
38 Chapter 3: Installing RSA MFA Agent

certificate Entrust Root Certification Authority - G2 - Entrust, Inc. This certificate is automatically provisioned on
Windows operating systems, provided the machine has Internet access. On machines that do not have Internet
access, you must use the appropriate Microsoft root update mechanism to install the certificate on the Trusted
Root CA store of the machine account. For instructions, see Microsoft Knowledge Base Article 931125.
Required Certificates for RSA Authentication Manager

In order to securely communicate with RSA Authentication Manager, the Agent must have the RSA
Authentication Manager Root Certificate Authority (CA) certificate installed.
You can export this certificate from Authentication Manager. For instructions, see the knowledgebase article
How to export RSA SecurID Access Authentication Manager, Identity Router, or Cloud Authentication Service
Root Certificate.
For instructions on how to import the certificate, see Import the Trusted Root Certificate for RSA Authentication
Manager on page 28.
Challenging All Users Except Administrators

RSA Authentication Agent 7.4 or later for Microsoft Windows includes an installation option to Challenge all
users except administrators when installing the agent on a single computer and an installation option to
Enable challenge with the exclusion of the administrator group when creating an installation package.
These options challenges all users that are not administrators with one the following based on the Agent
configuration:
Passwordless Authentication (Primary Authentication)
Challenge all users that are not administrators with passwordless authentication. Challenge all local
administrators with Windows password and additional authentication according to your configuration. For more
information, see the GPO policy "RSA SecurID Access Primary Authentication Challenge Group" in the Group
Policy Object Template Guide.
RSA SecurID Access Credentials (Additional Authentication)
Challenge all users that are not administrators with RSA SecurID Authentication to sign into their computers.
Challenge all local administrators to sign in with their Windows method (password or smart card). For more
information, see the GPO policy "RSA SecurID Access Challenge Group" in the Group Policy Object Template
Guide.
Install Using the Install Wizard

Procedure
1. Log on to the computer as an administrator (or log on as a user with administrator privileges).
2. Double-click RSA MFA Agent for Microsoft Windows x64.msi or RSA MFA Agent for Microsoft
Windows x86.msi to start the installation wizard.
3. Click Next to advance through the Welcome dialog boxes.
4. Read the License Agreement or click Print to print it. When ready, select I accept the terms in the
license agreement and click Next.
5. Click Install. MFA Agent installs on the local computer. Windows prompts you to allow account control
privileges if you set up account control privileges. Click Allow.
6. Click Finish.

Install Using the Command-Line

Procedure
1. Right-click the command prompt icon from the Start menu and click Run as administrator to open the
command prompt.
2. Navigate to the directory that contains the RSA MFA Agent for Microsoft Windows x64.msi or RSA
MFA Agent for Microsoft Windows x86.msi package file (or a renamed MFA Agent MSI file).
Otherwise, you must provide the full pathname to the package file on the command line.
3. Type a case-sensitive command similar to the following, depending on the name of your MSI package:
msiexec /qn /i “RSA MFA Agent for Microsoft Windows x64.msi"
To log any errors, add the /lv (log verbose) option at the end of the command and the log file name, for
example, C:\install.log.
To prevent users from accidentally uninstalling the Agent, add the ARPNOREMOVE=1 property at the
end of the command. This command hides the Uninstall button in the Windows Settings.
Install the Product on Multiple Computers
To install RSA MFA Agent 2.1.1 for Microsoft Windows on multiple computers at one time, do the following:
1. Provide Account Control Privileges to User Computers below.

2. Deploy the Installation Package to Multiple Computers below.
Provide Account Control Privileges to User Computers

Administrators can install MFA Agent on all computers in a domain. Users who are members of the
Administrators group can install the Agent on their own computers. If you want the Agent installed on the users'
computers, you must set the appropriate Windows policies to ensure that it can install on all the appropriate
computers. For example, the Agent requires access to Windows registry keys. Users do not have privileges to
view or change the registry, so you must deploy the software as a managed application.
A managed application uses elevated privileges to install the application and make the required changes to
registry keys. This ensures that users can install the software on their computers.
Procedure
Use the following tools to control privileges:
l Microsoft Management Console (MMC) 3.0

l Use Group Policy to control MMC usage
Note: A user with elevated privileges on the computer can install and remove the MFA Agent.
Deploy the Installation Package to Multiple Computers

After you set the account privileges to the necessary groups, you can deploy MFA Agent using one of the
following methods:

l A third-party product that automatically deploys MSI packages
l Silent installation from the msiexec command line
Procedure
Deploy the MSI file with a third-party tool, or use the command line to perform a silent installation. To perform a
silent installation, perform the following steps.
command prompt.
example, C:\install.log. For silent mode, add the /qn option.
When the installation is complete, the installer restarts the computer whenever necessary without displaying
any prompt or warning to the user.
Connect MFA Agent to RSA SecurID Access
After you install the MFA Agent, you must connect the Agent to RSA SecurID Access to perform the following:
l Passwordless Authentication below

l Password Authentication on page 51
You specify these settings in the Group Policy Object Template, which is installed on the machine as part of the
installation.
You can connect the Agent to the Cloud Authentication Service. Note that the Group Policy Object Template
contains additional policies that are not mentioned below. The following steps list only the required policies to be
enabled in order for the Agent to work. For more information about each step, see the Group Policy Object
Template Guide.

Procedure
1. Enable RSA SecurID Access authentication.

2. Specify the RSA SecurID Authentication API key.
3. Specify the RSA SecurID Authentication API REST URL.

4. Specify the Cloud Authentication Service access policy for the Agent to use.
This policy must be enabled and configured for the MFA Agent to work with the Cloud Authentication
Service.

5. Configure primary authentication.
This policy must be enabled to use FIDO as primary authentication.

6. Specify the Active Directory Certificate Authority Name.

7. Specify the Active Directory Certificate Authority Hostname.

8. Specify the Certificate Template.

9. Select either 1024 or 2048 as the Certificate Key Length.

10. Specify the Certificate Subject.

11. Specify the FIDO Relying Party ID configured in the Cloud Administration Console.
Password Authentication
You can connect the Agent to RSA Authentication Manager or the Cloud Authentication Service. Note that the
Group Policy Object Template contains additional policies that are not mentioned below. The following steps list
only the required policies to be enabled in order for the Agent to work. For more information about each step,
see the Group Policy Object Template Guide.

Procedure
1. Enable RSA SecurID Access authentication.

2. Specify the RSA SecurID Authentication API key.
3. Specify the RSA SecurID Authentication API REST URL.

4. Specify the Cloud Authentication Service access policy for the Agent to use.
This policy must be enabled and configured for the MFA Agent to work with the Cloud Authentication
Service. RSA Authentication Manager does not use this policy, unless the Cloud Authentication Service is
used for authentication. For more information, see Supported Authentication Methods for the MFA Agent
for Microsoft Windows on page 12.
5. Specify an RSA Authentication Manager Agent Name.
This policy must be enabled and configured for the Agent to work with RSA Authentication Manager. This
policy is optional for the Cloud Authentication Service, which uses the agent name for Approve and
Device Biometric notifications that are sent to user authenticators.

Test Authentication
Before you enable the MFA Agent in your organization, test authentication on a computer with the RSA
MFA Agent Test Authentication tool. The Test Authentication tool is automatically installed when you install the
MFA Agent.
You can ask your users to test authentication with the RSA MFA Agent Test Authentication tool. You can provide
the instructions to your users. Print or email the document Test Authentication with MFA Agent for Microsoft
Windows.
You can test authentication on a computer with one of the following methods:
l Passwordless Authentication below

l Additional Authentication on the next page
You can use the RSA MFA Agent Test Authentication tool to test online and offline authentication with
passwordless authentication. Users can also use this tool to enable passwordless authentication.
Before you begin
l Configure the required GPO to allow passwordless authentication. See GPO Configuration Settings in
Configure Passwordless Authentication on page 30
l Meet the necessary requirements before users perform passwordless authentication. See Prerequisites
in Configure Passwordless Authentication on page 30.

Procedure
1. Sign into a computer where MFA Agent is installed.
2. Click Start > RSA > RSA MFA Agent Test Authentication.
3. Enter the name of the user for whom you are testing authentication.
Enter the simple name (for example, myuser) or an email address (for example,
myuser@mydomain.com).
Note: This name is displayed for users. Users cannot enter or edit the name.
4. If you entered a simple user name, specify the domain, for example, mydomain.
Note: Local user accounts cannot be enabled with passwordless authentication.
5. Insert your FIDO2 security key and click Test Online Authentication.
6. Enter FIDO2 security key PIN and tap the security key.
RSA MFA Agent verifies the credentials with Cloud Authentication Service and prompts for additional
authentication if required.
If the user is successfully enabled with passwordless authentication, a success message displays for
verification.
7. Click Test Offline Authentication.
8. Enter FIDO2 security key PIN and tap the security key.
If the GPO policy, Enable Additional Authentication When Cloud Authentication Service is Unavailable is
enabled, the RSA MFA Agent prompts for additional authentication.
If the user successfully completes offline passwordless authentication, a success message displays for
verification.
After you finish
l If successful, users can sign in to their computers without using a password. The authentication flow is
described in Authentication Flow of Passwordless Authentication on page 33.
l For information on resolving errors , see Troubleshooting Test Authentication Tool Errors on the facing
page.
Additional Authentication
You can use the RSA MFA Agent Test Authentication tool to test online and offline authentication with additional
authentication.
Procedure
1. Perform steps 1 to 3 of the Passwordless Authentication on the previous page procedure.
2. If you entered a simple user name, specify the domain, for example, mydomain.

To test a local user account, enter the computer name in the Domain field, or enter .\username in the
Username field.
3. Click Test Online Authentication, and authenticate with an available authentication method.
4. Wait 60 seconds after completing a successful online authentication. Then click Test Offline
Authentication, and use the method that is supported for the user:
l For the Cloud Authentication Service, enter the Authenticate Tokencode that displays on the
user's Authenticate app, or select "Emergency Tokencode" from the "show more" options, if
displayed, and enter the Emergency Tokencode generated in the Cloud Administration Console
for the user.
l For RSA Authentication Manager, enter the passcode from the user's hardware token or software
token, or enter the emergency access tokencode, emergency access passcode, or fixed passcode
generated in the Security Console for the user.
After you finish
l If successful, you can deploy the product to multiple computers as described in Deploy the Installation
Package to Multiple Computers on page 40.
l For information on resolving errors, see Troubleshooting Test Authentication Tool Errors below.
Troubleshooting Test Authentication Tool Errors

Use the following information to resolve warnings or errors that display when using the Test Authentication tool.
For specific instructions for suggested resolutions, see the Group Policy Object Template Guide, the Cloud
Authentication Service documentation, and the RSA Authentication Manager documentation.
Message Test Methods Resolution

l Configure the required GPOs to allow
passwordless authentication. See GPO
Configuration Settings in Configure
Passwordless Authentication on
Cannot enable passwordless
page 30
authentication for the user Passwordless authentication
l Meet the necessary requirements
Username.
before users perform passwordless
authentication. See Prerequisites in
Configure Passwordless Authentication
on page 30.
Insert your FIDO2 security key before clicking
Insert your security key. Passwordless authentication Test Online Authentication or Test Offline
Authentication.
Insert only one FIDO2 security key before
Multiple security keys detected.
Passwordless authentication clicking Test Online Authentication or Test
Insert one security key.
Offline Authentication.
Successful FIDO authentication. Administrator tried to enable passwordless
Run the RSA MFA Agent Test authentication for a different user. The Test
Authentication tool as user "{0}" Authentication tool must run as the user for
and perform successful FIDO whom passwordless authentication will be


authentication to enable
passwordless authentication for enabled.
user "{0}".
The user must install and
Complete RSA SecurID Authenticate device
register the RSA SecurID Additional authentication
registration for the user.
Authenticate app.
l In the Cloud Administration Console,
confirm that the user can complete at
least one authentication method
The user cannot authenticate specified in the access policy.
with any methods in the Cloud
Additional authentication
Authentication Service access l In the Cloud Administration Console,
policy. confirm that the user has the necessary
information for authentication, for
example, a phone number for SMS
Tokencode.
After you complete a successful online
The offline data for this user is
authentication, wait 60 seconds. Then click
missing or incomplete. Wait 60 Additional authentication
Test Offline Authentication to do an offline
seconds and try again.
authentication.
l The user is not found in RSA SecurID
Access.
l The user is denied access by the Cloud
Authentication Service access policy.
l The user cannot authenticate with any
Cannot authenticate. Contact Passwordless authentication
methods in the Cloud Authentication
your administrator. and additional authentication
Service access policy.
l The Cloud Authentication Service
access policy was not found.
l The user is disabled in RSA SecurID
Access.
To test online and offline authentication, the
username and domain must exist in the RSA
Username and domain is not a
Passwordless authentication Authentication Manager or Cloud
valid user account on this
and additional authentication Authentication Service synchronized identity
computer.
source and be a valid user account on the
computer.
RSA SecurID Access Enable the GPO policy "Enable RSA SecurID
authentication not enabled on Access authentication" before deploying the
and additional authentication
this computer. MFA Agent to multiple computers.
l In the Cloud Administration Console,
The Cloud Authentication Service Passwordless authentication confirm that the access policy exists
access policy was not found. and additional authentication that is specified in the GPO policy
"Specify the Cloud Authentication


Service Access Policy."
l In the GPO policy "Specify the Cloud
Authentication Service Access Policy,"
confirm that the access policy name
exactly matches the access policy name
in the Cloud Administration Console.
l Confirm that the simple name or email

address that you entered in the
Username field matches the attribute
for the user in a Cloud Authentication
Service identity source. A simple name
The user is not found in the Passwordless authentication
should match the sAMAccountName
Cloud Authentication Service. and additional authentication
attribute. The email address should
match the mail attribute.
l Confirm that the user exists in a Cloud
Authentication Service synchronized
identity source.
l In the GPO policy "RSA SecurID

Authentication API REST URL," confirm
that the value uses the following
format:
https://<hostname>:port/
where hostname is the

Authentication Service Domain
specified in the Cloud Administration
Console or the Fully Qualified Domain
Name specified in the Authentication
Manager Operations Console. For
Authentication Manager, you can enter
Unsuccessful connection to RSA Passwordless authentication up to 15 comma-separated URLs.
SecurID Access and additional authentication
l In the GPO policy "RSA SecurID
Authentication API REST URL," confirm
that the value exactly matches the key
specified in the Cloud Administration
Console or the Authentication Manager
Security Console.
l Confirm that the computer has internet

connectivity and can access the RSA
SecurID Authentication API REST URL.
l Ensure that the root CA certificate for

Authentication Manager is installed
properly in the Trusted Root


Certification Authorities folder in
the local machine context.
The user is disabled in the Cloud Passwordless authentication In the Cloud Administration Console, confirm
Authentication Service. and additional authentication that the user is enabled.
The user is denied access by the Review the Cloud Authentication Service access
Cloud Authentication Service policy to confirm that the user can authenticate
and additional authentication
access policy. to the MFA Agent on the computer.
l Enable the GPO policy "Enable offline
authentication."
Offline authentication is not Passwordless authentication
l For Authentication Manager, make sure
enabled or not available. and additional authentication
that the offline authentication policy is
enabled.
Ignore the exception logged in the Agent error
Exception pertaining to "Access Passwordless authentication log file.
to the registry key is denied". and additional authentication
Repair an Installation
Repairing an installation replaces missing files in a damaged installation. You can repair an installation through
Programs and Features, the Install Wizard, or the command line.
Repair an Installation Using Programs and Features

Before you begin
l Log on as an administrator to the computer that has MFA Agent installed.
l Confirm that RSA MFA Agent for Microsoft Windows x64.msi or RSA MFA Agent for Microsoft
Windows x86.msi is on the computer.
Procedure
1. In the Control Panel, click Programs > Programs and Features.
2. In the list, select RSA MFA Agent for Microsoft Windows, and click Repair.
3. If Windows Installer cannot locate the .msi file, browse to it and click OK.
Repair an Installation Using the Install Wizard

Before you begin
Log on as an administrator to the computer that has MFA Agent installed.
Procedure
1. Copy RSA MFA Agent for Microsoft Windows x64.msi or RSA MFA Agent for Microsoft
Windows x86.msi to a folder on the system where you want to repair the installation.

2. Double-click the msi file to run the installer.
3. Click Next.
4. Select Repair, then click Next.
5. Click Repair.
Note: The installer may prompt you to close files or applications that will be modified during the repair
process.
6. Click Finish to exit the wizard.
Repair an Installation Using the Command Line

Procedure
Windows x86.msi to a folder on the system where you want to repair the installation.
2. Open a command prompt.
3. Navigate to the directory that contains the msi file, or provide the full pathname to the package file on
the command line.
4. Enter a command similar to the following.
msiexec /qn /f "RSA MFA Agent for Microsoft Windows x64.msi"
example, C:\repair.log.
Upgrade to RSA MFA Agent 2.1.1 for Microsoft Windows
You can upgrade from RSA MFA Agent 1.2.1, 2.0.1, 2.0.2, 2.0.3, 2.1 to RSA MFA Agent 2.1.1 using the
following methods:
l An install wizard
l Silent installation from the msiexec command line
The upgrade wizard preserves the following settings from the previous version:
l (MFA Agent 1.2.1 only) GPO settings, with the following exceptions:

l Disable RSA SecurID Access authentication for local user accounts
l Specify number of offline days
l Log files
If “Disable RSA SecurID Access authentication for local user accounts” was enabled in version 1.2.1,
after upgrading to version 2.1.1, enable the “RSA SecurID Access Challenge Group” policy, and select
the third drop-down menu option, “Users Except all local users.”
If "Specify number of offline days" was enabled in version 1.2.1, after upgrading, reduce the number by
1. Version 1.2.1 includes the current day as one of the offline days. Version 2.1.1 downloads the
number of days that you specify and then adds current day.

Logging is not enabled. After upgrading, you can use the "Specify Log Configuration" GPO template to
configure logging.
If logging was enabled in 1.2.1, then after upgrading to version 2.1.1, the logging-related registry
settings are not retained.
l (MFA Agent 2.0.1 only) GPO settings, with the following exception:

l Send Domain and username to RSA Authentication Manager
If “Send Domain and username to RSA Authentication Manager” is enabled in version 2.0.1, after
upgrading to version 2.1.1, enable the “Specify the username format sent to the RSA authentication
server” and select “Windows NTLM” from the drop-down menu.
Upgrade Using the Install Wizard

Procedure
1. Log on to the computer as an administrator (or log on as a user with administrator privileges).
2. Double-click RSA MFA Agent for Microsoft Windows x64.msi or RSA MFA Agent for Microsoft
Windows x86.msi to start the installation wizard.
3. Click Next.
4. Click Upgrade. MFA Agent installs on the local computer. Windows prompts you to allow account control
privileges if you set up account control privileges. Click Allow.
5. Click Finish.
Upgrade Using the Silent Installation Command-Line Options

Procedure
To perform a silent installation using command-line options, perform the following steps.
command prompt.
example, C:\install.log.
When the upgrade is complete, the upgrade wizard might restart the computer whenever necessary without
displaying any prompt or warning to the user.

Migrate from RSA Authentication Agent 7.4.x for Microsoft Windows

to RSA MFA Agent 2.1.1 for Microsoft Windows
If you are using RSA Authentication Agent 7.4.0 to 7.4.4 for Microsoft Windows, you can migrate to RSA MFA
Agent 2.1.1 for Microsoft Windows.
You can migrate to the MFA Agent 2.1.1 on a single computer or multiple computers.
Before you begin
Confirm the following:
l User computers are running RSA Authentication Agent 7.4.0 to 7.4.4 for Microsoft Windows and are
joined to the domain.
l RSA Authentication Agent 7.4.0 to 7.4.4 GPO policies are configured on the domain controller.
l RSA MFA Agent 2.1.1 GPO policies are copied to the domain controller in the appropriate local directory
or shared network location. For instructions, see "Install the Template on the Domain Controller" in the
GPO Template Guide.
Procedure
1. Update the RSA MFA Agent GPO settings to align with the GPO settings from the RSA Authentication
Agent. Do one of the following:
l Automate the process by downloading and running the Migration Tool utility. For instructions,
see Migration of GPO Configuration Using the Migration Tool on page 66.
l Manually update the settings with the Group Policy Management Editor or gpedit.msc. For more
information, see the Group Policy Object Template Guide.
2. Prepare user computers for RSA MFA Agent installation. See Preparing for Installation on page 23.
3. On the computer where RSA Authentication Agent for Microsoft Windows is installed, install RSA MFA
Agent 2.1.1 for Microsoft Windows. See Install the Product on a Single Computer on page 38 or Install
the Product on Multiple Computers on page 40.
4. Configure RSA MFA Agent GPO settings as needed for your deployment. See the Group Policy Object
Template Guide.
5. From domain controller, push the GPO configuration to the client computers.
6. Test the migration of the GPO setting using the Test Authentication tool. See Test Authentication on
page 55.
Comparing RSA Authentication and MFA Agents for Microsoft Windows

If you plan to use both the RSA Authentication Agent for Microsoft Windows and the RSA MFA Agent for Microsoft
Windows or plan to migrate the RSA Authentication Agent to the RSA MFA Agent, refer to the following
information to understand the differences between the two Agents.
RSA Authentication Agent Features Not Available in RSA MFA Agent
The following RSA Authentication Agent features are not available in the RSA MFA Agent. If you need these
features, do not migrate from the RSA Authentication Agent to the RSA MFA Agent. All other RSA Authentication
Agent features not listed below are included in the RSA MFA Agent:

l Windows password integration.
l Access to protected computers using a PIN.
In the RSA MFA Agent, users can access protected computers using a password, but not a PIN.
l Connected Authenticator option during RSA Authentication Agent custom installation.
RSA MFA Agent does not support connected authenticators.
l Clearing offline data through the RSA Control Center.
l Configuration wizard (ConfigWizard.exe) to create custom MSI installation package for large-scale

deployment.
To install the RSA MFA Agent in a large-scale deployment, see Install the Product on Multiple Computers
on page 40. To migrate to the RSA MFA Agent in a large-scale deployment, see Migrate from RSA
Authentication Agent 7.4.x for Microsoft Windows to RSA MFA Agent 2.1.1 for Microsoft Windows on the
previous page.
l Server environment information available in the RSA Control Center.
The RSA MFA Agent does not include the RSA Control Center, although all functionality but the server
environment information is available in GPO settings.
RSA Authentication Agent Features Moved to GPO Settings in RSA MFA Agent
The following table lists RSA Authentication Agent features that are moved to GPO settings in the RSA
MFA Agent.
For instructions on how to configure these settings, see the Group Policy Object Template Guide.
RSA Authentication Agent Feature RSA MFA Agent GPO Setting

Logging Specify logging options
Enable load balancing
RSA SecurID Authentication API REST URL

Load balancing
Specify retry count
Specify server refresh interval
GPO Settings: Local Authentication and Other Settings in Both Agents
The following table lists equivalent Local Authentication and other settings for both Agents.
If you are migrating from RSA Authentication Agent to RSA MFA Agent, use the following table to make changes
to the MFA Agent GPO settings. For instructions on how to configure these settings, see the Group Policy Object
Template Guide.
RSA Authentication Agent Setting RSA MFA Agent Setting

Logon with credentials from remote applications Sign-on with credentials from remote applications
Challenge Users RSA SecurID Access Challenge Group
Send Domain and User Name to Authentication Specify the User Name Format Sent to the RSA
Manager option in Challenge Users Authentication Server
Cache Challenge Settings Cache Challenge Settings


Reserve Password Enable reserve password
Offline Authentication Service Enable offline authentication
Unlock with RSA SecurID PIN or Windows Password Unlock with Windows password
Specify remote desktop applications that do not require
Remote Desktop Connection applications
RSA SecurID Access authentication
Specify when message displays to users about expiring
Warning Message for Expiring Authenticators
offline days
N/A Specify number of offline days
Specify custom tile image for RSA SecurID Access
RSA Credential Provider tile image
Credential Provider
Specify custom background image shown when
N/A
collecting RSA SecurID Access credentials
RSA Credential Provider tile image for a handheld
N/A
authenticator
RSA Credential Provider tile for a connected
N/A
authenticator
Custom text shown when collecting RSA SecurID Specify custom text shown when collecting RSA SecurID
Credentials Access credentials
Custom text shown when collecting the Windows
N/A
password
Do not display a separate message when the Windows
N/A
password is not available
Specify encryption method for Active Directory
N/A
requests
Prevent connected authenticators in Remote Desktop
N/A
Connection sessions
Synchronize User Passwords N/A
Preserve Failed Authentication History N/A
Verify RSA Shared Components N/A
GPO Settings: Credential Provider Filter Settings in Both Agents
The following table lists the Credential Provider Filter Settings for both Agents.
If you are using both Agents on the same computer, know that the Agents share the Credential Provider Filter
Settings. A change to the settings of one Agent changes the same setting in the other Agent.
For instructions on how to configure these settings, see the Group Policy Object Template Guide.

Exclude the Microsoft Password Credential
Exclude the Microsoft Password Credential Provider
Provider
Exclude the Microsoft Smart Card Credential
Exclude the Microsoft Smart Card Credential Provider
Provider
Exclude the Microsoft Picture Password
Exclude the Microsoft Picture Password Credential Provider
Credential Provider
Exclude the Microsoft PIN Logon Credential Exclude the Microsoft PIN Logon Credential Provider


Provider
Exclude the Microsoft WLID (Windows Live ID) Exclude the Microsoft WLID (Windows Live ID) Credential
Credential Provider Provider
Exclude all Third-Party Credential Providers Exclude all Third-Party Credential Providers
Exclude the RSA SecurID Access Credential Provider
By default, this setting is not configured. If this setting is not

N/A configured or disabled, the RSA SecurID Access Credential
Provider tile displays to users. If you want to exclude this tile,
enable this setting.
Exclude the RSA SecurID Credential Provider
for connected authenticators
N/A
If you want to exclude this tile, enable this

setting.
Exclude the RSA SecurID Credential Provider
for disconnected authenticators
N/A

setting.
Exclude the RSA Smart Card Credential
Provider
N/A

setting.
Migration of GPO Configuration Using the Migration Tool

You can use the Migration Tool utility to automate the process of migrating your GPO settings from
RSA Authentication Agent 7.4.0 to 7.4.4 for Microsoft Windows to RSA MFA Agent 2.1.1 for Microsoft Windows.
Before you begin
l From RSA Link, download and extract the Migration Tool utility, RSA_MFA_Agent_2.1.1_
PolicyTemplates.zip.
l The GPO policies of both Agents must be present in the domain controller. If necessary, copy the RSA
MFA Agent 2.1.1 GPO templates to the domain controller where the RSA Authentication Agent is
configured. For instructions, see "Install the Template on the Domain Controller" in the GPO Template
Guide.
l To understand how the GPO settings compare, see Comparing RSA Authentication and MFA Agents for
Microsoft Windows on page 63.
Procedure
1. On the domain controller, right-click the command prompt icon from the Start menu and click Run as
administrator to open the command prompt.

2. Navigate to the directory that contains the Migration Tool extracted from the RSA_MFA_Agent_2.1.1_
PolicyTemplates.zip.
3. Run the following case-sensitive command:
MigrationTool.exe -RSA_74_GPO <value> -RSA_MFA_GPO <value>
Where -RSA_74_GPO specifies the name of the GPO template that is being migrated and -RSA_MFA_GPO
specifies the name of the MFA Agent GPO template.
If the GPO templates for MFA Agent and the RSA Authentication Agent have the same name, -RSA_MFA_
GPO does not need to be specified.
After you finish
The Migration Tool utility generates a report of GPO settings migrated from RSA Authentication Agent 7.4.x to
RSA MFA Agent 2.1.1.
MFA Agent has new GPO settings that are not included in RSA Authentication Agent 7.4 or later for Microsoft
Windows. You must configure these required GPO settings to connect the MFA Agent to RSA SecurID Access.
You can also configure other new GPO settings as needed for your deployment.
For instructions, see Migrate from RSA Authentication Agent 7.4.x for Microsoft Windows to RSA MFA Agent
2.1.1 for Microsoft Windows on page 63.
Uninstall the Product
Before you uninstall the product from a single or multiple computers, you may need to disable a local security
setting to successfully remove the MFA Agent from some computers. For example, you can install MFA Agent if
the local security policy has the User Account Control: Only elevate executables that are signed and
validated setting enabled, but Windows may not allow you to remove the application.
Procedure
1. Click Start > Control Panel > Administrative Tools > Local Security Policy.
2. Open the Local Security Policy folder.
3. Then open the Security Options folder. Scroll down to the User Account Control: Only elevate
executables that are signed and validated setting.
4. If enabled, right-click the setting and click Properties.
5. From the Local Security Settings tab, select Disabled, and then click OK. You can now remove the
application from the computer.
6. Do one of the following:
l Uninstall the Product from a Single Computer using the Windows Control Panel on the next page
l Uninstall the Product from a Single Computer using the Install Wizard on the next page
l Uninstall the Product from Multiple Computers on the next page

Uninstall the Product from a Single Computer using the Windows Control
Panel
This section describes how to uninstall MFA Agent from one computer. If you need to remove the product from
many computers, see Uninstall the Product from Multiple Computers below.
Procedure
1. Click Start > Control Panel > Programs and Features.
2. Click RSA MFA Agent for Microsoft Windows. An Uninstall button appears on the menu toolbar.
3. Click Uninstall.
4. Do one of the following (if prompted):
l If logged on as an administrator, click Allow to elevate your privileges.
l If logged on as a user, enter an administrator user name and password to elevate your privileges
and allow the uninstall process to continue.
5. Restart the computer. If you cancel the uninstall process at any time, the application reverts back to its
previous state.
Uninstall the Product from a Single Computer using the Install Wizard
This section describes how to uninstall MFA Agent from one computer. If you need to remove the product from
many computers, see Uninstall the Product from Multiple Computers below.
Before you begin
Log on as an administrator to the computer that has MFA Agent installed.
Procedure
Windows x86.msi to a folder on the system where you want to remove the installation.
2. Double-click the msi file to run the installer.
3. Click Next.
4. Select Remove, then click Next.
5. Click Remove.
Note: The installer may prompt you to close files or applications.
6. Click Finish to exit the wizard.
Uninstall the Product from Multiple Computers

You can uninstall MFA Agent from multiple users’ computers using a third-party tool, such as Microsoft System
Center Configuration Manager, without user interaction.
Procedure
1. Enter the following
msiexec /qn /x “RSA MFA Agent for Microsoft Windows x64.msi” /lv
C:\uninstall.log

with the /x (REMOVE=ALL) option, the /qn option for silent mode, the /lv option for verbose logs, and
the fully qualified pathname.
2. Put the log file, for example uninstall.log, in a known location such as %USERPROFILE%
3. Restart each computer.

Chapter 4: Managing MFA Agent
Manage Cloud Authentication Service Offline Days 72
Manage RSA Authentication Manager Offline Days 73
Set Up Offline Authentication for Remote RSA SecurID Access Users 75
Emergency Access 76
Reserve Password 81
Load Balancing Configuration Settings 83
Streamlined Authentication for Remote Applications 83
Language Support 84

Manage Cloud Authentication Service Offline Days
This section describes how to refresh Cloud Authentication Service offline days under various circumstances
and check the supply of offline days.
Before Cloud Authentication Service users can use offline days, the MFA Agent administrator should verify the
following using the Group Policy Object Template:
l Enable offline authentication

l Specify number of offline days
l Specify when message displays to users about expiring offline days
l Specify number of offline authentication failures
Note: If passwordless authentication is enabled in user's computer, the MFA Agent administrator should
enable the GPO, "Enable Additional Authentication When Cloud Authentication Service is Unavailable" to manage
the offline days.
Refresh Offline Days

Offline days are automatically refreshed to the default current day plus 14 days each time a user successfully
completes online authentication. You can configure the number of offline days downloaded and refreshed with
the GPO setting "Specify number of offline days."
The following example describes the default refresh:
1. On Monday, a user completes an online authentication to a Windows computer. The MFA Agent
downloads the current day plus 14 days of offline days to the user's computer.
2. On Tuesday, the user works offline and authenticates to the Windows computer. The user has 14
remaining days of offline days.
3. On Wednesday, the user works online and authenticates to the Windows computer. The MFA Agent
downloads one offline day file, so the user's computer has the current day plus 14 days of offline days.
When a user or administrator deletes a company or RSA SecurID registered authenticator for a user, the offline
days for the deleted company or for the registered authenticator are removed from the Windows computer
during the next online authentication.
Check the Supply of Offline Days

Users can check their supply of offline days by using the RSA SecurID Access icon in the notification area. To
display the notification, an administrator must first enable the GPO policy "Specify when message displays to
users about expiring offline days."
l If the informational icon ( ) appears, the user has more offline days than the number specified in the
GPO policy "Specify when message displays to users about expiring offline days."
The user can right-click the icon to refresh the supply of offline days. When the user clicks Refresh
Offline Days, the Agent prompts the user for the last online authentication method used. After the user
successfully authenticates online, offline days are downloaded to the computer.
Note: If user authenticates online using a method different from the previous online authentication
method used, Agent may delete the remaining offline days that were downloaded when the user
authenticated using the previous online authentication method. For example, if the previous online
72 Chapter 4: Managing MFA Agent

authentication method used was RSA SecurID Token (SID700 hardware token managed in Cloud
Authentication Service) and the user authenticates online using any other method, then the user’s
remaining offline days for RSA SecurID Token (SID700 hardware token managed in Cloud Authentication
Service) are deleted and new offline days for Authenticate Tokencode are downloaded. For more
information, see Downloads Offline Days for on page 18.
l If the warning icon ( ) appears, the number of offline days has dropped below the specified number.
A message appears instructing the user to connect to the internet and click the text in the notification.
When the user clicks the notification, the Agent prompts the user for the last online authentication
method used. After the user successfully authenticates online, offline days are downloaded to the
computer and the informational icon appears.
Alternatively, the user can right-click the warning icon to view the message. When the user clicks
Refresh Offline Days, the Agent prompts the user for the last online authentication method used.
After the user successfully authenticates online, offline days are downloaded to the computer.
Note: The RSA SecurID Access icon does not appear on Windows Server Core machines. An MFA Agent user on
this machine cannot check the supply of offline days. To refresh offline days, the user must complete an online
authentication option.
Offline Authentication Lockout

If you configure the GPO policy "Specify number of offline authentication failures", the MFA Agent locks the
offline RSA SecurID Token (SID700 hardware token manged in Cloud Authentication Service) or the offline
Authenticate Tokencode after offline users make the specified number of unsuccessful attempts. The default is
20. The lockout counter is reset when user enters the correct PIN plus tokencode of the hardware token or the
correct Authenticate Tokencode within the permitted number of attempts. For example, if an offline user enters
Authenticate Tokencode incorrectly three times and correctly on the fourth attempt, the lockout counter is reset
to 0.
After the user has exceeded the maximum number of unsuccessful offline authentication attempts, users must
authenticate online to sign in to their computers. Users can also use the offline Emergency Tokencode to sign in
to their computers.
The offline authentication lockout counter is separate from the online lockout counter. Consider the following
examples:
l A user enters an incorrect Authenticate Tokencode when online. That attempt does not count towards
the 20 attempts for locking offline authentication.
l Both offline authentication and the Authenticate Tokencode are locked. An administrator unlocks the
user's tokencodes in the Cloud Administration Console. Offline authentication remains locked until the
user successfully authenticates online.
For more information on lockout counter, see Authentication Method Lockout.
Manage RSA Authentication Manager Offline Days
This section describes how to refresh RSA Authentication Manager offline days under various circumstances
and check the supply of offline days.
Before RSA Authentication Manager users can use offline days, do the following:

l Verify that the GPO policies "Enable RSA SecurID Access Authentication" and "Enable offline
authentication" are enabled. For more information, see the Group Policy Object Template Guide.
l In the RSA Authentication Manager Security Console, an administrator must configure an offline
authentication policy. For more information, see Offline Authentication Policy.
Refresh Offline Days

Offline days are automatically refreshed when the user performs online authentication. Even if the user’s supply
of offline days is full, offline days are automatically updated when:
l The user establishes a connection online after offline authentication.

l An Authentication Manager administrator issues a new offline authentication policy to the MFA Agent on
the user’s computer allowing offline emergency codes to be generated. The user should perform online
authentication to download offline days. For information about offline emergency codes, see Emergency
Access for RSA Authentication Manager Users.
Offline days are not automatically refreshed if the authentication session has expired (the user remains online
for 24 hours or more). In this situation, the user refreshes the offline days by performing a successful online
authentication.
You can also configure how many days of offline data a user is allowed to download. This is the number of days’
worth of tokencodes that are downloaded to the user’s machine. This is configured in the RSA Authentication
Manager Security Console as part of an offline authentication policy.
Note: The GPO setting "Specify number of offline days" is not used by Authentication Manager. Instead, the
number of offline days is determined by the Authentication Manager offline authentication policy assigned to the
user.
The following sections describe refresh scenarios.
Refresh When a Network Connection Exists
MFA Agent recognizes that a network connection exists and attempts to download offline days.
Refresh When No Network Connection Exists
When the user signs in without a connection to the network, MFA Agent attempts to automatically download
offline days, but recognizes that no network connection exists. It displays an alert on the RSA SecurID Access
icon in the notification tray to notify the user that the offline day supply is low. The user can right-click the icon
to refresh the supply of offline days.
Check the Supply of Offline Days

Users can check their supply of offline days by using the RSA SecurID Access icon in the notification area.
l If the informational icon ( ) appears, the user has more offline days than the number specified in
the Authentication Manager offline authentication policy.
The user can right-click the icon to refresh the supply of offline days. When the user clicks Refresh
Offline Days, the Agent prompts the user for an RSA SecurID passcode. After the user successfully
authenticates online, offline days are downloaded to the computer and the informational icon appears.
Note: If the user had performed offline authentication using tokens in past 24 hours, the agent
downloads offline day files without prompting for authentication.
l If the warning icon (

) appears, the number of offline days has dropped below the number in the Authentication Manager
offline authentication policy.
A message appears instructing the user to connect to the internet and click the text in the notification.
When the user clicks the notification, the Agent prompts the user for RSA SecurID passcode. After the
user successfully authenticates online, offline days are downloaded to the computer and the
informational icon appears.
Note: The RSA SecurID Access icon does not appear on Windows Server Core machines. An MFA Agent user on
this machine cannot check the supply of offline days. To refresh offline days, the user must complete an online
authentication option.
Set Up Offline Authentication for Remote RSA SecurID Access Users
To accommodate different work environments, you can set up different ways to deploy offline authentication to
RSA SecurID Access users who work remotely.
Users Who Work Locally and Remotely

If you want to set up offline authentication for users who work both in the office and remotely, you can deploy
offline authentication to these users by requiring them to perform an initial online authentication at the office
before taking their computers offline.
Procedure
1. Connect the user’s computer to the network.
2. Instruct the user to perform an online authentication to RSA SecurID Access using the appropriate
authentication method. (If necessary, users can perform the authentication test described in Test
Authentication on page 55.)
3. If the authentication is successful,RSA SecurID Access downloads offline data to the user’s computer.
4. Verify that offline data has been downloaded to the user’s computer. To do this, use Windows Explorer
to verify that the offline data is stored in the user’s computer. For information about where offline data is
stored, see Offline Authentication on page 17. The directories where offline data is stored are hidden
directories. To see the offline data files, you must configure Windows Explorer to view hidden files.
Different Remote Users Who Share a Computer

If you want to set up offline authentication for several different RSA SecurID Access users who share the same
computer for working remotely, you can instruct users to download their offline data remotely instead of
requiring each user to perform an online authentication and download offline authentication data in the office.
Note: This is not supported for passwordless authentication.
Procedure
1. Create a challenge group that includes the names of everyone who will share the computer. If you need
to create new Windows groups, see the appropriate Windows documentation.
2. Set a reserve password for the computer. For more information, see Reserve Password on page 81.
3. Specify the challenge for the group you created using the GPO template. For more information, see the
Group Policy Object Template Guide.

4. Instruct the remote user to contact the administrator for the reserve password and then to sign into the
computer. When a user attempts to access the computer while it is offline, the user is prompted for the
reserve password.
5. Instruct the user to connect to the network remotely.
6. Instruct the user to lock the computer, and then unlock it by performing successful online multifactor
authentication when prompted. This downloads offline data to the user’s computer.
7. Repeat steps 4, 5, and 6 for each user account sharing the computer.
Emergency Access
Emergency Access after Losing FIDO2 Security Key

You can provide emergency access during initial authentication for users who have temporarily or permanently
lost their FIDO2 security key. Following is the authentication flow for providing emergency access to users in
this situation:
1. Users authenticate using the passwordless credential provider.

2. MFA Agent prompts users to insert their FIDO2 security key. Users can click Sign in using other
options.
3. Users can authenticate using Windows password and additional authentication to gain access to the
computer.
If users find their registered FIDO2 security key, they can insert it and enter the same PIN to sign in.
Register and Authenticate with New FIDO2 Security Key
If users cannot find the registered FIDO2 security key they used to sign in, they can register and authenticate
with a new FIDO2 security key.
Before you begin
l Users must be able to access their corporate network.

l Users must set the PIN for the new FIDO2 security key. See Manage FIDO2 Security Keys on page 32.
l Users must register their new FIDO2 security key using RSA SecurID Access My Page. See Manage My
Page and Registration Using RSA SecurID Access My Page on RSA Link.
Steps to Register New FIDO2 Security Key with Passwordless Authentication
Following are the steps to register users' new FIDO2 security key with passwordless authentication:
1. Users insert the new FIDO2 security key.

2. MFA Agent detects the new FIDO2 security key and prompts users to continue authentication.
3. Users enter the new FIDO2 security key PIN and tap the FIDO2 security key.
4. After successful initial authentication, the MFA Agent deletes the old FIDO2 security key configuration
and allows users to enter their Active Directory password to enable passwordless authentication with the
new FIDO2 security key.
Note: RSA MFA Agent deletes the smart card sign-in certificate and private key of users who have permanently
lost their FIDO2 security key. However, the Agent does not delete the certificate from the Active Directory. You
can delete the smart card sign-in certificate of the lost FIDO2 security key from the Active Directory.

Emergency Access at Additional Authentication

You can provide emergency access during additional authentication for users who cannot use their preferred
authentication methods. Users may be unable to use a preferred method for a variety of reasons, including the
following:
l RSA SecurID users may have forget their PINs, lost their RSA SecurID tokens, or cannot sign in or unlock
computers because of too many failed authentication attempts.
l RSA SecurID Authenticate users may have lost their registered authenticators, run out of offline days, or
cannot charge their mobile phones.
In such cases, several methods are available for emergency access:
l Offline Cloud Authentication Service Users below

l Online Cloud Authentication Service Users below
l Offline RSA Authentication Manager Users on the next page
l Online RSA Authentication Manager Users on page 79
l Reserve Password on page 81 for MFA Agent administrators and the offline users that the administrators
assist.
Offline Cloud Authentication Service Users
Emergency
Access Description Characteristics Reference
Method
l Changes on next
successful online
authentication, See
Users can access their protected computers without the
except when using Emergency
Emergency RSA Authenticate app, for example, when their registered
online Emergency Tokencode
Tokencode authenticator is lost, they have run out of offline days, or
Tokencode on
they cannot charge their mobile phones.
l Expires after a RSA Link.
specified amount of
time
Online Cloud Authentication Service Users
Emergency
Method
Users can use Voice Tokencode if
these criteria are met:
Users can access their protected computers. l RSA has enabled this
when the user cannot use other methods, for feature for your company. See Voice
Voice
example, users who do not have registered Tokencode on
Tokencode l Users' required identity
device or when the user loses the RSA SecurID RSA Link.
source information is
Token.
synchronized with the
Cloud Authentication
Service (similar to other

Emergency
Method
authentication methods).
l A valid phone number
(landline or mobile) is
available for the user in the
Service.
Users can use SMS Tokencode if
these criteria are met:
l RSA has enabled this

feature for your company.
l Users' required identity
Users can access their protected computers. source information is
when the user cannot use other methods, for synchronized with the See
SMS
example, users who do not have registered Cloud Authentication SMS Tokencode
Tokencode
device or when the user loses the RSA SecurID Service (similar to other on RSA Link.
Token. authentication methods).
l A valid phone number
(landline or mobile) is
available for the user in the
Service.
l Changes the next time the

user authenticates online
except when using online
Users can access their protected computers. Emergency Tokencode.
See Emergency
when the users cannot use other methods, for l Expires after a specified Tokencode on
Emergency
example, if the users do not have mobile amount of time RSA Link.
Tokencode
phones or when the users loses the RSA
Note: An Emergency Tokencode
SecurID Token.
generated for offline
authentication can also be used for
online Emergency Tokencode
Authentication.
Offline RSA Authentication Manager Users
Emergency
Method
l Must be
See Offline Emergency
Offline Users can access their protected computers combined
Access Supported by
emergency without a tokencode, for example, when they have with the
RSA Authentication
tokencode lost their authenticators. user’s RSA
Manager on page 80.
SecurID PIN

Emergency
Method
l Changes the
next time the
user
authenticates
online
l Expires after a
specified
amount of
time
l Generated by
the RSA
Authentication
Manager
l No RSA
SecurID PIN
required
l Changes the
next time the
user
See Offline Emergency
Users can access their protected computers authenticates
Offline Access Supported by
without an RSA SecurID PIN or tokencode, for online
emergency RSA Authentication
example, when they have forgotten their PINs, or l Expires after a
passcode Manager on the next
when their PINs have been compromised. specified
page.
amount of
time
l Generated by
the RSA
Authentication
Manager
Online RSA Authentication Manager Users
Emergency
Method
l Must be combined
with the user’s
Users can access their protected computers RSA SecurID PIN See Assign a Set of
One-time when their RSA SecurID Token or the l Created by an RSA One-Time Tokencodes
tokencodes Authenticate app is unavailable, for example, Authentication for Online Emergency
when they have lost their authenticators. Manager Access on RSA Link.
administrator
l Valid for one

Emergency
Method
authentication
l Must be combined
with the user’s
RSA SecurID PIN
l Created by an RSA See Assign a
Users can access their protected computers
Temporary Authentication Temporary Fixed
when their RSA SecurID Token or the
Fixed Manager Tokencode for Online
Authenticate app is unavailable, for example,
Tokencodes administrator Emergency Access on
when they have lost their authenticators.
l Valid until the RSA Link.
user’s lost
authenticator
status is changed
l Must be combined
with the PIN for
the user’s
authenticator.
Users with mobile devices or e-mail accounts See On-Demand
On-demand l User’s mobile
can receive one-time tokencodes as text Authentication on
tokencode devices and e-mail
messages. RSA Link.
accounts must be
enabled to receive
on-demand
tokencodes.
Offline Emergency Access Supported by RSA Authentication Manager

Offline users can substitute offline emergency codes for passcodes by calling their RSA Authentication Manger
Help Desk administrator. The Help Desk administrator provides users with the offline emergency codes they
need to use. For example, if offline users:
l Forget their PINs or run out of offline days, they can authenticate with an offline emergency passcode.
Users enter the offline emergency passcode instead of an RSA SecurID passcode.
l Lose their tokens or cannot log on or unlock the computer because of too many failed authentication
attempts, they can authenticate with an offline emergency tokencode. Users combine the offline
emergency tokencode with their RSA SecurID PINs to authenticate.
The first time a user attempts to authenticate online with a token after performing an offline or online
authentication with a lost tokencode, Authentication Manager changes the user’s authenticator status from the
“lost authenticator temporary password” mode.
The temporary password is the same as the offline emergency tokencode. It may have an expiration date set by
the Help Desk administrator. Before the password expires, the user must contact the Authentication Manager
Help Desk administrator to replace the lost authenticator with a new one or return the lost authenticator to a “not
lost” status. For more information on how Authentication Manager manages emergency codes, see Emergency
Access for RSA Authentication Manager Users.

Reserve Password
A reserve password is an emergency access method that allows an administrator to assist a user who is unable
to sign in, for example, because the user has run out of offline day files and cannot use any other emergency
access option. If you set the reserve password option, the user is prompted to enter a reserve password to sign
in if the computer cannot connect to RSA SecurID Access and one of the following applies:
l Offline authentication is not running on the local computer or is disabled.

l Offline authentication is running, but there are no offline days on the local computer, and the user
cannot use any other emergency access option.
l The computer cannot connect to RSA SecurID Access.
Only the Agent administrator knows the reserve password. If a user needs to log on to the computer that
requires a reserve password, the user needs to contact the appropriate administrator for assistance.
For information on enabling and setting the reserve password, see the GPO Template Guide.
Multidomain Group Support
When you select a Windows group as an RSA MFA Agent challenge group using the GPO Policy templates, all
users in the group are challenged. The Agent supports all Windows groups. For more information about setting
up a challenge group, see the Group Policy Object Template Guide.
Windows groups can be universal, global, and domain local. Windows also allows groups to be nested within
other groups. It is important to understand the possible combinations of groups, so that when you challenge or
exclude a group from a challenge, you get the results that you expect.
These guidelines determine which users are challenged with the following.
l Users in a Windows group are challenged with FIDO credentials when the Windows group is in a
challenge group.
the Windows group is in an excluded challenge group.
RSA SecurID Access Credentials
the Windows group is in a challenge group.
l Users in a Windows group are challenged with Windows password but not challenged with additional
authentication when the Windows group is in an excluded challenge group.
The following tables show examples of different combinations of domains and groups. In the tables:
l D = Domain, for example D1 is domain 1 and D2 is domain 2.

l U = Universal group, for example, U3D1 is universal group 3 in domain 1.
l G = Global group, for example, G2D1 is global group 2 in domain 1.
l L = Domain local group, for example, L1D1 is domain local group 1 in domain 1.
The following table lists an example of a multidomain environment that has two domains and different types of

groups. All of the users and groups are in the same forest. The Agent cannot determine the membership of a
user if the user or group is in a different forest.
Example of Groups and Member in a Multidomain Environment

Universal Groups
U3D1 Universal Group 3 in Domain 1 U1D1 G1D1 G3D1
Global Groups
G3D1 Global Group 3 in Domain 1 G2D1
Domain Local Groups
L1D1 Domain Local Group 1 in Domain 1
L2D1 Domain Local Group 2 in Domain 1 U3D1
L3D1 Domain Local Group 3 in Domain 1 G1D1 G3D1
The following table shows the users who are challenged or excluded from it depending on what group you
selected in the previous table.

U1D1 User 1
U3D1 User 1, User 3, User 4
G1D1 User 3
G3D1 User 4
L1D1 User 5, User 6
L2D1 User 1, User 3, User 4
L3D1 User 3, User 4
The following tables show an example of how a universal group can include users from a different domain, but
only users in the universal group's domain are included in the challenge group.
Universal group 3 in domain 1 (U3D1) has been updated to include universal group 2 in domain 2 (U2D2).

Universal Groups
U3D1 Universal Group 3 in Domain 1 U1D1 U2D2 G1D1 G3D1
Even though U3D1 includes universal group 2 of domain 2, which includes user 2, who is a domain 2 user, only
the domain 1 users are part of the challenge group.

Challenge or Excluded Group Settings
U3D1 User 1, User 3, User 4 User 2 will not behave as the others
L2D1 User 1, User 3, User 4 User 2 will not behave as the others

Load Balancing Configuration Settings
The MFA Agent automatically balances the authentication request load that is sent to RSA Authentication
Manager. Load balancing and failover settings apply to your connections to RSA Authentication Manager.
You can manage this process by configuring load balancing options. For more information, see the Group Policy
Object Template Guide.
RSA MFA Agent
Description
GPO Setting
If you enable load balancing, you can choose between weighted round robin and round robin:
l Weighted round robin assigns a weight to each server. The agent periodically
measures the time taken by each server to process an authentication request ,and
distributes more requests to faster servers and fewer requests to slower servers.
Enable Load
l Round robin sends authentication requests to each server in sequence, in the order
Balancing
the servers were added in the comma separated list.
If you do not configure load balancing, the MFA Agent uses round robin.
Disable load balancing to send the authentication requests to the first available server in the
list.
This URL connects the MFA Agent with RSA SecurID Access and uses the following format:
https://hostname:port/
RSA SecurID
Authentication When you are connecting the MFA Agent to RSA Authentication Manager, the host name is the
API REST URL Fully Qualified Domain Name specified in the Operations Console Administration >
Network > Appliance Network Settings page. The default port is 5555. You can enter up
to 15 comma-separated URLs.
The MFA Agent tries to contact the RSA SecurID Access server a second time if the first
Specify Retry attempt is unsuccessful. After the retry count is reached, the MFA Agent attempts to contact
Count the next server if configured.
You can configure 1 to 5 attempts.

Specify Server The MFA Agent waits for 30 minutes between polling attempts to determine whether the
Refresh Interval RSA SecurID Access server is available. You can change this value. The minimum value is 5.
Streamlined Authentication for Remote Applications
This feature allows the Agent to accept credentials from remote applications such as Microsoft Remote Desktop
Connection, so that users do not need to enter credentials twice when using those applications unless additional
authentication is required.
This feature is enabled by default. To disable the feature, you use the Group Policy Object "Sign-on with
credentials from remote applications." For instructions, see the Group Policy Object Template Guide.

Language Support
The Agent displays the user interface text strings in the display language of the operating system. The following
languages are supported:
l Chinese (zh-cn)
l English (en-us)
l French (fr)
l German (de)
l Japanese (ja)
l Spanish (es)
l Brazilian Portuguese (pt-br)
If you change the display language of the operating system, you must restart the computer in order for the new
language to display.

Chapter 5: Troubleshooting
Issues and Resolutions 86
Logs 88
Windows Event Messages Written by the MFA Agent 89
Enable Tracing 89
View MFA Agent Version and Build 90
Issues and Resolutions
The following section contains details on connection and authentication issues you may encounter while using
MFA Agent.
For additional troubleshooting information, go to RSA Link at https://community.rsa.com.
Issue Resolution
l Make sure the "Configure Primary Authentication" GPO policy is
enabled.
Users are not challenged with
l Make sure the Microsoft Windows computers where the RSA MFA
passwordless (FIDO) as primary
Agent is installed have Trusted Platform Module (TPM) 2.0 chips.
authentication.
l Make sure the "Enable RSA SecurID Access Authentication" GPO policy
is enabled.
Investigate these areas:
l Make sure the "Specify the FIDO Relying Party ID" GPO policy is
properly configured.
l For users who re-register their FIDO2 security keys after successful
passwordless authentication, instruct the users to enable
Authentication is unsuccessful. passwordless authentication again. After successful authentication,
the RSA MFA Agent verifies and binds the newly registered FIDO2
security key with the user's computer.
l Confirm that the smart card sign-in certificate enrolled for the user is
not expired or revoked.
l Confirm that the Microsoft Windows password is not expired.
l Make sure that the smart card sign-in certificate enrollment

information is properly configured in the following GPO policies:
n Active Directory CA Name
Passowordless authentication is n Active Directory CA Hostname

not available. n Certificate Template
n Certificate Key Length
n Certificate Subject
l Make sure the Active Directory CA is reachable.
l Make sure users' security keys are FIDO2 certified.

l Make sure users' FIDO2 security keys support Hash-based Message
Cannot authenticate the user. Authentication Code (HMAC) Secret extension.
l Make sure user is present in the Cloud Authentication Service access
policy.
Installation and Connection to RSA SecurID Access
The MFA Agent is installed, but l Use the Test Authentication tool. Make sure you can successfully
it is not working. authenticate.
86 Chapter 5: Troubleshooting
Issue Resolution
l Confirm that you configured the GPO policies necessary to complete
Agent setup. For more information, see Connect MFA Agent to
RSA SecurID Access on page 41.
l Confirm that you have installed Trusted Root CA Certification for AM in
the correct location as mentioned in Import the Trusted Root Certificate
for RSA Authentication Manager on page 28.
The RSA SecurID Access
Credential Provider tile does not l Install the Microsoft Visual C++ 2015 or later Redistributable Package
display on a Windows 8.1 or on the computer.
Windows Server 2012 R2 l Install the latest Microsoft Windows operating system updates.
computer.
Online Authentication
Authentication is unsuccessful. Investigate these areas:
l Make sure the clock on the user’s computer is synchronized with

Internet time.
l For a Cloud Authentication Service user, make sure the user exists in
the Cloud Authentication Service identity source, has a unique
username, is not disabled, has a registered device, and can use the
authentication methods specified in the access policy.
For additional information, see Troubleshooting Cloud Authentication

Service User Issues on RSA Link.
l In an emergency situation with a known user, disable the GPO policy

"Enable RSA SecurID Access authentication" on the computer.
User is not getting prompted for l Confirm that the GPO policy "Enable RSA SecurID Access
additional authentication but authentication" is enabled.
should be. l For a Cloud Authentication Service user, confirm that the access policy
requires additional authentication from the user.
A local user is being prompted Enable the “RSA SecurID Access Challenge Group” policy, and select the third
to complete multifactor drop-down menu option, “Users Except all local users.”
authentication.
A remote desktop session Increase the remote desktop sign-in screen timeout to allow the user
disconnects before a user can sufficient time to complete authentication.
complete authentication, for
example, Approve or Device
Biometrics.
Offline Authentication
Offline days download is l For Cloud Authentication Service users, confirm that the user's
unsuccessful. computer is connected to the internet. Then instruct the user to tap
the RSA SecurID Access notification message again to retry the
download process.
l For Authentication Manager users, confirm that an offline
authentication policy has been enabled.
Issue Resolution
l Confirm that the number of offline days to download specified in the
GPO policy "Specify number of offline days" is more than the number
of days specified in the GPO policy "Specify when message displays to
users about expiring offline days."
Uninstallation
You have uninstalled the Agent After uninstalling the Agent, restart the computer.
on a computer, but the user is
still prompted to authenticate
with the Agent.
Logs
Use the following logs and event viewers to help troubleshoot issues:
l Windows Event Viewer messages specific to the MFA Agent. These messages are displayed in
Applications and Services Logs > RSA MFA Agent.
For more information, see Windows Event Messages Written by the MFA Agent on the facing page.
l RSA Authentication Manager Activity Monitors.
For more information, see Real-Time Monitoring Using Activity Monitors.
l Cloud Authentication Service User Event Monitor.
For more information, see Monitor User Events in the Cloud Administration Console.
Windows Event Messages Written by the MFA Agent
The MFA Agent writes the following events in the Windows Event Viewer.
Event
Event Source Name Component Responsibilies
ID Range
RSA MFA Agent Passwordless Handles passwordless authentication.

6000 to 6999
Authentication Performs passwordless authentication.
RSA MFA Agent Authentication Server Monitor authentication server connections.

5000 to 5999
Services Retrieves server configuration.
Handles Windows authentication.
RSA MFA Agent Credential Provider 1000 to 1999
Performs MFA authentication.
Filters credential providers during Windows
RSA MFA Agent Credential Provider Filter 2000 to 2999
authentication
Performs Offline MFA authentication.
RSA MFA Agent Offline Authentication 4000 to 4999
Manages offline MFA data.
RSA MFA Agent Test Authentication Performs MFA authentication. 7000 to 7999
Hosts RSA service components:
l Offline Authentication Service

RSA MFA Agent Windows Agent Service l Offline Data Service 3000 to 3999
l Authentication Server Service

l Configuration Protection Service
Enable Tracing
You can enable tracing to diagnose a range of authentication issues. Typically, you enable tracing only when
instructed to do so by RSA Customer Support. Customer Support will also instruct you on which components to
trace and the level of tracing.
When enabled, the tracing output files are written to the default location C:\ProgramData\RSA\Logfiles.
Procedure
1. From the computer with MFA Agent installed, sign in with an account with administrative privileges.
2. Specify logging options.
After you finish
l Re-create the problem on the computer to capture the events in the trace log.
l Provide the contents of C:\ProgramData\RSA\Logfiles or the custom location specified in the
GPO template to RSA Customer Support.
View MFA Agent Version and Build
View the MFA Agent version and build information to provide to RSA Customer Support when resolving issues.
Procedure
1. On the computer, open Apps & features or Programs and Features.
2. Scroll to RSA MFA Agent for Microsoft Windows, and click on it.
The version and build information is displayed.

RSA MFA Agent 2.1.1 For Microsoft Windows Installation and Administration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RSA MFA Agent 2.1.1 For Microsoft Windows Installation and Administration Guide

Uploaded by

Copyright:

Available Formats

RSA® MFA Agent 2.1.

1 for Microsoft Windows

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and

Note on Encryption Technologies

© 2007-2021 RSA Security LLC or its affiliates. All Rights Reserved.

About This Guide 8

RSA MFA Agent for Microsoft Windows Documentation 8

Support and Service 8

Before You Call Customer Support 9

Chapter 1: Product Overview 10

RSA MFA Agent for Microsoft Windows 11

MFA Agent-Server Communication 11

Supported Authentication Methods for the MFA Agent for Microsoft Windows 12

Differences Between the Authentication Agent and MFA Agent for Windows 13

Cloud Authentication Service Authentication Methods 15

RSA Authentication Manager Authentication Methods 15

Multidomain Group Support 15

Offline Passwordless Authentication 17

Cloud Authentication Service Offline Authentication 17

RSA Authentication Manager Offline Authentication 19

User Account Control Support 19

Co-Existence Support of RSA Windows Agents 19

Unlock with Windows Password Support 20

Configure Prompt for Windows Password Order During Authentication 20

Options to Customize RSA MFA Agent 20

Supported Authenticators for RSA Authentication Manager 21

Chapter 2: Preparing for Installation 23

Supported Operating Systems 24

Supported FIDO2 Security Keys 24

Cloud Authentication Service Requirements 25

RSA Authentication Manager Requirements 25

Supported Third-Party Remote Access Products 25

Remote Access Support 25

Preparations to Install MFA Agent 26

Set Up RSA SecurID Access Authentication 26

Set Up Cloud Authentication Service 26

Set Up RSA Authentication Manager 27

Import the Trusted Root Certificate for RSA Authentication Manager 28

Import a Trusted Root Certificate Using Microsoft Management Console 28

Import a Trusted Root Certificate Using a PowerShell Command Prompt 29

Create a Group of Users to Challenge with RSA SecurID Access Credentials 29

Prepare Users for RSA SecurID Access Authentication 30

Prepare Users for Cloud Authentication Service 30

Prepare Users for RSA Authentication Manager 30

Configure Passwordless Authentication 30

Create a Group of Users to Challenge with Passwordless Authentication 30

GPO Configuration Settings 31

Manage FIDO2 Security Keys 32

Authentication Flow of Passwordless Authentication 33

Users' First Authentication 33

Users' Subsequent Authentications 33

Revoke Smart Card Sign-In Certificate 34

Revoke Using Certificate Authority 34

Revoke Using Certutil Command 35

Renew Smart Card Sign-In Certificate 35

Set the Certificate Validity Period 35

User Authentication Flow 36

Chapter 3: Installing RSA MFA Agent 37

Install the Product on a Single Computer 38

Required Certificates for the Cloud Authentication Service 38

Required Certificates for RSA Authentication Manager 39

Challenging All Users Except Administrators 39

Passwordless Authentication (Primary Authentication) 39