vSphere 2FA integration with RSA SecurID Authentication fails due to load balancing issue for RSA Authentication Manager
Article ID: 315349


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
RSA 2FA authentication fails when attempting to login to vCenter

In this example from vmware-sts-idmd.log for a three-server RSA implementation, only two of the three servers are used:
*NOTE* This depends on the RSA server implementation; three servers are used in the example below, but the count is not limited to this value.

[2018-12-11T17:42:35.077-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 FATAL] [b] RSA Authentication API for Java v8.5.0.0.0[1148] started
[2018-12-11T17:42:35.077-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] sdopts.rec doesn't exist
[2018-12-11T17:42:35.078-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] securid doesn't exist
[2018-12-11T17:42:35.087-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AuthSessionFactory} Initializing Configuration data
[2018-12-11T17:42:35.091-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2018-12-11T17:42:35.092-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] Updating the retry count to totalServers-1
[2018-12-11T17:42:35.093-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] MaxRetry: 2 Total Servers: 3
[2018-12-11T17:42:35.106-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] isDNSScanEnabled:false
[2018-12-11T17:42:35.106-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] isDNSScanEnabled:false
[2018-12-11T17:42:35.107-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {Realmconfig.updateVersionInfoFromSdconf} Sdconf length = 2850
[2018-12-11T17:42:35.108-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler::processLoadBalancingSettings}Dynamic Load balancing chosen
[2018-12-11T17:42:35.108-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler.enumerateServerList} Resolving host: 192.168.1.2
[2018-12-11T17:42:35.109-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.2
[2018-12-11T17:42:35.109-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {AgentConfigHandler::processLoadBalancingSettings}Enumerating Avoid hostnames list
[2018-12-11T17:42:35.109-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2018-12-11T17:42:35.110-05:00 vsphere.local        3df8d2d6-9449-4de5-b800-db23f51fda20 INFO ] [b] MaxRetry: 1 Total Servers: 2


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x

Cause

This is due to a known issue in the RSA Authentication Agent API that is resolved in version 8.6. vSphere 6.x currently uses RSA Authentication Agent API 8.5.

Resolution

This is a known issue in vSphere 6.x. There is currently no resolution.

Workaround:
To work around this issue, include the optional -sdOptsFile flag and an sdopts.rec configuration to manually load balance between the RSA Authentication servers. Ensure you have a valid backup before proceeding:

1. Manually create the sdopts.rec file and specify the servers with priority levels. See https://community.rsa.com/docs/DOC-46997

cat /root/sdopts.rec
USESERVER=192.168.1.1,10
USESERVER=192.168.1.2,8
USESERVER=192.168.1.3,5


2. Reconfigure with sdopts.rec using the -sdOptsFile flag
cd /opt/vmware/bin
./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter65.domain.corp -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec


3. Restart the vmware-sts-idmd service
service-control --stop vmware-sts-idmd
service-control --start vmware-sts-idmd
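To confirm whether a vCenter is affected before and after applying the workaround, the following added check (not part of this article or of VMware's tooling) parses the vmware-sts-idmd.log lines shown above together with an sdopts.rec file. It compares the first and last "Total Servers" values, collects the addresses the agent actually enumerated, and lists any USESERVER entries from sdopts.rec that never appear in the log. The log and sdopts.rec contents below are constructed samples modelled on the excerpts in this article.

```python
import re

# Constructed sample, modelled on the vmware-sts-idmd.log excerpt in this article.
SAMPLE_LOG = """\
[2018-12-11T17:42:35.093-05:00 vsphere.local  3df8d2d6 INFO ] [b] MaxRetry: 2 Total Servers: 3
[2018-12-11T17:42:35.109-05:00 vsphere.local  3df8d2d6 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.1
[2018-12-11T17:42:35.109-05:00 vsphere.local  3df8d2d6 INFO ] [b] {AgentConfigHandler.enumerateServerList} adding address: 192.168.1.2
[2018-12-11T17:42:35.110-05:00 vsphere.local  3df8d2d6 INFO ] [b] MaxRetry: 1 Total Servers: 2
"""

# Constructed sample sdopts.rec, as in step 1 of the workaround.
SAMPLE_SDOPTS = """\
USESERVER=192.168.1.1,10
USESERVER=192.168.1.2,8
USESERVER=192.168.1.3,5
"""

TOTAL_RE = re.compile(r"Total Servers:\s*(\d+)")
ADDR_RE = re.compile(r"enumerateServerList\} adding address:\s*(\S+)")
USESERVER_RE = re.compile(r"^USESERVER=([^,\s]+),(\d+)")


def parse_sdopts(text):
    """Return {address: priority} for each USESERVER line; other lines are ignored."""
    servers = {}
    for line in text.splitlines():
        m = USESERVER_RE.match(line.strip())
        if m:
            servers[m.group(1)] = int(m.group(2))
    return servers


def check_server_enumeration(log_text, sdopts_text=""):
    """Flag the symptom: the agent's server count drops after enumerating addresses."""
    totals = [int(m.group(1)) for m in TOTAL_RE.finditer(log_text)]
    enumerated = set(ADDR_RE.findall(log_text))  # one capture group -> list of addresses
    configured = parse_sdopts(sdopts_text)
    return {
        "initial_total": totals[0] if totals else None,
        "final_total": totals[-1] if totals else None,
        "enumerated": sorted(enumerated),
        # Servers listed in sdopts.rec that the agent never added to its list.
        "missing": sorted(set(configured) - enumerated),
        "affected": bool(totals) and totals[-1] < totals[0],
    }


if __name__ == "__main__":
    print(check_server_enumeration(SAMPLE_LOG, SAMPLE_SDOPTS))
```

On a live appliance, feed the contents of vmware-sts-idmd.log and /root/sdopts.rec to check_server_enumeration instead of the samples; an empty "missing" list and equal initial and final totals indicate all configured servers were enumerated.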


For more information, see: Upgrading to VCS 7.0, Smart Card & RSA SecurID Authentication stops