Symptoms:
RSA 2FA authentication fails when attempting to login to vCenter.
In this example from vmware-sts-idmd.log for a three-server RSA implementation, only two of the three servers in use are observed:
[2018-12-11T17:42:35.077-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 FATAL] [b] RSA Authentication API for Java v8.5.0.0.0[1148] started
[2018-12-11T17:42:35.077-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] sdopts.rec doesn't exist
[2018-12-11T17:42:35.078-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] securid doesn't exist
[2018-12-11T17:42:35.087-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AuthSessionFactory} Initializing Configuration data
[2018-12-11T17:42:35.091-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2018-12-11T17:42:35.092-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] Updating the retry count to totalServers-1
[2018-12-11T17:42:35.093-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] MaxRetry: 2 Total Servers: 3
[2018-12-11T17:42:35.106-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] isDNSScanEnabled:false
[2018-12-11T17:42:35.106-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] isDNSScanEnabled:false
[2018-12-11T17:42:35.107-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {Realmconfig.updateVersionInfoFromSdconf} Sdconf length = 2850
[2018-12-11T17:42:35.108-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler::processLoadBalancingSettings}Dynamic Load balancing chosen
[2018-12-11T17:42:35.108-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.2
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.2
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {AgentConfigHandler::processLoadBalancingSettings}Enumerating Avoid hostnames list
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2018-12-11T17:42:35.110-05:00 vsphere.local 3df8d2d6-####-####-####-########a20 INFO ] [b] MaxRetry: 1 Total Servers: 2
Note: This depends on the RSA server implementation; three servers are used in the above example, but the issue is not limited to that number.
This is a known issue in vSphere 6.x. There is currently no resolution.
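The mismatch above can be picked out of the log mechanically: the agent first reports the configured count ("Total Servers: 3"), enumerates the servers it actually resolved ("adding address: ..."), and then reports the effective count ("Total Servers: 2"). The following check is an added example, not part of this article or of VMware's or RSA's tooling; it runs against a constructed excerpt modelled on the log lines above (request IDs and addresses are sample values) and reports which expected server never appeared.

```python
import re

# Constructed excerpt modelled on the vmware-sts-idmd.log lines in the article;
# timestamps, request IDs and addresses are sample values.
SAMPLE_LOG = """\
[2018-12-11T17:42:35.093-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] MaxRetry: 2 Total Servers: 3
[2018-12-11T17:42:35.108-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.2
[2018-12-11T17:42:35.109-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.2
[2018-12-11T17:42:35.110-05:00 vsphere.local 3df8d2d6-0000-0000-0000-000000000a20 INFO ] [b] MaxRetry: 1 Total Servers: 2
"""

# The server list the administrator configured (sample values matching the article).
EXPECTED_SERVERS = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]

# "MaxRetry: N Total Servers: M" is logged once with the configured count and
# again with the count the load balancer will actually use.
TOTAL_RE = re.compile(r"MaxRetry: (\d+) Total Servers: (\d+)")
# One "adding address" line per server the agent managed to enumerate.
ADDED_RE = re.compile(r"enumerateServerList\} adding address: (\S+)")


def check_rsa_server_enumeration(log_text, expected_servers):
    """Compare the server counts the agent logs with the servers it enumerated.

    Returns a dict with the first and last 'Total Servers' values, the
    addresses that were added, the expected servers that never appeared,
    and an 'affected' flag that is True when the counts disagree or a
    configured server is missing.
    """
    totals = [int(m.group(2)) for m in TOTAL_RE.finditer(log_text)]
    added = [m.group(1) for m in ADDED_RE.finditer(log_text)]
    missing = sorted(set(expected_servers) - set(added))

    configured_total = totals[0] if totals else None
    effective_total = totals[-1] if totals else None
    count_mismatch = bool(totals) and configured_total != effective_total

    return {
        "configured_total": configured_total,
        "effective_total": effective_total,
        "added": added,
        "missing": missing,
        "affected": count_mismatch or bool(missing),
    }


def check_log_file(path, expected_servers):
    """Convenience wrapper: run the check over a real log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_rsa_server_enumeration(fh.read(), expected_servers)


if __name__ == "__main__":
    result = check_rsa_server_enumeration(SAMPLE_LOG, EXPECTED_SERVERS)
    print("configured:", result["configured_total"],
          "effective:", result["effective_total"])
    print("enumerated:", ", ".join(result["added"]))
    if result["affected"]:
        print("AFFECTED - servers never enumerated:", ", ".join(result["missing"]))
    else:
        print("all configured RSA servers were enumerated")
```

On a live appliance, point check_log_file at the vmware-sts-idmd.log path and pass the server list from your sdconf.rec; a non-empty "missing" list is the server the sdopts.rec workaround below needs to cover.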
Workaround:
To work around this issue, include the optional -sdOptsFile flag and sdopts.rec configuration to manually load balance between RSA Authentication servers. Ensure there is a valid backup before proceeding:
1. Manually create the sdopts.rec file and specify the servers with priority levels. See https://community.rsa.com/docs/DOC-46997
cat /root/sdopts.rec
USESERVER=192.168.1.1,10
USESERVER=192.168.1.2,8
USESERVER=192.168.1.3,5
2. Reconfigure with sdopts.rec using -sdOptsFile flag
cd /opt/vmware/bin
./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter65.domain.corp -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
3. Restart the vmware-sts-idmd service
service-control --stop vmware-sts-idmd
service-control --start vmware-sts-idmd
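Because a malformed or incomplete sdopts.rec silently drops servers from the pool, it is worth generating and validating the file before running sso-config.sh. The helper below is an added example, not part of this article or of VMware's or RSA's tooling. It assumes the USESERVER=<IPv4>,<priority> line format shown in step 1, assumes priorities are integers from 1 to 10 (check the RSA documentation linked above for your agent version), and uses the three sample addresses from the article.

```python
import re
from pathlib import Path

# Sample servers from the article: (address, priority), highest priority first.
ARTICLE_SERVERS = [("192.168.1.1", 10), ("192.168.1.2", 8), ("192.168.1.3", 5)]

# Assumption: entries are USESERVER=<dotted IPv4>,<integer priority>, one per line.
USESERVER_RE = re.compile(r"^USESERVER=(\d{1,3}(?:\.\d{1,3}){3}),(\d+)$")
PRIORITY_MIN, PRIORITY_MAX = 1, 10  # assumption, see lead-in


def build_sdopts(servers):
    """Render sdopts.rec text from (address, priority) pairs, one USESERVER line each."""
    return "".join(f"USESERVER={addr},{prio}\n" for addr, prio in servers)


def validate_sdopts(text, expected_servers):
    """Parse sdopts.rec text and return a list of problems (empty list means valid).

    Checks line syntax, priority range, duplicate addresses, and that every
    server in expected_servers (the list from sdconf.rec) has an entry, so the
    file really does cover the server the agent was failing to enumerate.
    """
    problems = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = USESERVER_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a USESERVER=<ip>,<priority> entry: {line!r}")
            continue
        addr, prio = m.group(1), int(m.group(2))
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            problems.append(f"line {lineno}: priority {prio} for {addr} outside "
                            f"{PRIORITY_MIN}..{PRIORITY_MAX}")
        if addr in seen:
            problems.append(f"line {lineno}: duplicate entry for {addr}")
        seen[addr] = prio
    for addr in expected_servers:
        if addr not in seen:
            problems.append(f"expected server {addr} has no USESERVER entry")
    return problems


def write_sdopts(path, servers, expected_servers):
    """Validate, then write sdopts.rec; raise instead of writing a bad file."""
    text = build_sdopts(servers)
    problems = validate_sdopts(text, expected_servers)
    if problems:
        raise ValueError("refusing to write sdopts.rec: " + "; ".join(problems))
    Path(path).write_text(text, encoding="ascii")
    return text


if __name__ == "__main__":
    expected = [addr for addr, _ in ARTICLE_SERVERS]
    # Write to a temporary location for the demo; the article uses /root/sdopts.rec.
    out = Path("sdopts.rec.example")
    print(write_sdopts(out, ARTICLE_SERVERS, expected), end="")
    print("validation problems:", validate_sdopts(out.read_text(), expected))
```

Run validate_sdopts on the file before passing it to -sdOptsFile, and run it again after the restart if the log still shows fewer servers than configured; a problem list that is empty but a log that still drops a server points at name resolution or network reachability of that server rather than at the file.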
For more information, see: Upgrading to VCS 7.0, Smart Card & RSA SecurID Authentication stops.