9
8. Known Issues
1. Node Secret Permissions
If the Web Interface does not have permission to write the node secret into the registry,
authentication will succeed once, then fail with a “Node verification failure”. If the node secret is
cleared from the Authentication Manager console, authentication will again succeed one time. This
happens due to the fact that the RSA Authentication Manager sends the node secret to an agent host
following the first successful authentication from that host. From that point on, the RSA
Authentication Manager requires all traffic from that host to be protected using the supplied node
secret.
Previously, simply installing the RSA Authentication Agent prior to installing the Web Interface was
enough to guarantee that the permissions for node secret were modified correctly. Under Windows
2003 and IIS 6.0, this does not appear to be the case. Currently, the local machines ASP.NET
account (ASPNET), Internet Guest account (IUSR_machinename), and the Launch IIS Process
Account (IWAM_machinename) are required to have full access to the node secret key. Information
concerning this issue is also available from the Citrix support site, in document CTX102226, titled
“Error: The credentials supplied were invalid. Please try again”
2. Invalid PIN not rejected
During certification testing, it was noticed that the Web Interface was not properly validating user
entered PINs. When system settings on the RSA Authentication Manager were modified to restrict
PINs to between 5 and 7 digits, the Web Interface accepted PINs of length 4 and 8. These PINs are
rejected by the RSA Authentication Manager, but no error is returned to the user, leaving them in a
confusing state. Also, when alphanumeric PINs are disabled, the same behavior is exhibited.
The easiest work-around for this issue is to use system-generated PINs.