RSA SecurID 2FA fails for vCenter Server 8.0: "Unable to resolve principal: No aliases found".

Article ID: 422420

Products

VMware vCenter Server

Issue/Introduction

RSA SecurID two-factor authentication (2FA) fails when users attempt to log in to VMware vCenter Server 8.0. The issue occurs due to incorrect RSA Authentication Manager (AM) agent configuration or improper Active Directory (AD) user ID attribute mapping in vCenter Single Sign-On (SSO).

Symptoms

  • RSA 2FA authentication fails during vCenter login
  • Users are unable to authenticate using RSA passcodes
  • vSphere Client login page shows the RSA SecurID option, but authentication fails
  • No explicit error message displayed in the vSphere Client
  • Authentication attempts fail silently or fall back to other identity sources

On RSA Authentication Manager 8.x, these log entries appear in:
/opt/rsa/am/server/logs/authentication.log
[YYYY-MM-DD HH:MM:SS,410] DEBUG tomcat-http--31 - {updateServerResponseTime} serverLBInfoMap: Key Values: ###.###.###
[YYYY-MM-DD HH:MM:SS,410] DEBUG tomcat-http--31 - {updateServerResponseTime} serviceHostName = ###.###.###, responseTime=22
[YYYY-MM-DD HH:MM:SS,411] INFO tomcat-http--31 - {processAuthnRequest} xmlauthnResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><authn:AuthnResponse ID="#########" InResponseTo="#########" xmlns:gen=" http://www.rsa.com/schemas/###/authentication-generic" xmlns:xmime=" http://www.example.org/###/xmlmime" xmlns:stat=" http://www.example.com/schemas/###/status" xmlns:ws-i18n=" http://www.example.org/###" xmlns:authn=" http://www.rsa.com/schemas/###/authentication"><authn:Status Status=" http://www.rsa.com/###/authentication/status/Complete" Reason=" http://www.rsa.com/schemas/###/authentication/reasons/AccessDenied"><stat:Message>com.rsa.authmgr.internal.admin.principalres.PrincipalResolutionException: Unable to Resolve Principal:No aliases found, unable to resolve principal by alias 

Environment

Authentication Method: RSA SecurID (2FA)

Cause

This issue occurs due to one or more of the following misconfigurations:

  1. Incorrect RSA Agent Hostname
    • The RSA Authentication Agent was created with a random or incorrect hostname.
    • The agent hostname must exactly match the value used during the vCenter SSO CLI configuration (for example: vc.example.com).
  2. Incorrect Active Directory User ID Attribute Mapping
    • The RSA user ID attribute was mapped to userPrincipalName while RSA AM was configured to use sAMAccountName.
    • A mismatch between the AD attribute used by RSA AM and the attribute configured in vCenter SSO causes authentication failures.

Resolution

Important Notes:
Take a snapshot of the vCenter Server Appliance before making any changes.
All commands must be executed as the root user on the VCSA.
Replace domain names and hostnames with values specific to your environment.

Phase 1: Clear Existing RSA Configuration from vCenter

  1. Connect to VCSA and Navigate to Utility Directory
    #ssh root@<vcenter_fqdn>
    #cd /opt/vmware/bin

  2. Disable RSA SecurID Authentication Policy (Critical)
    This step immediately removes the RSA login option from the vSphere Client login page.
    #./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn false
    Verify (Optional):
    #./sso-config.sh -t vsphere.local -get_authn_policy
    Expected output:
    IsSecurIDAuthnEnabled: false

  3. Remove the Existing RSA Site Configuration
    This removes the agent hostname, the sdconf.rec file, and all RSA-related settings.
    #./sso-config.sh -t vsphere.local -remove_rsa_site
    Verify (Optional):
    #./sso-config.sh -t vsphere.local -get_rsa_config
    Expected behavior: Empty configuration, or an error indicating that no RSA site is configured.

  4. Restart vCenter Services (Recommended)
    #service-control --stop --all
    #service-control --start --all

Phase 2: Configure RSA Authentication Manager (AM) 8.8
Note: These actions should be validated by the vendor (RSA).

1. Create a New Authentication Agent

  • Log in to the RSA Security Console
  • Navigate to:
    Access > Authentication Agents > Add New
  • Configure:
    • Agent Hostname: vc.example.com
    • IP Address: vCenter Server Appliance IP
  • Click Save

2. Generate the RSA Configuration File

  • Navigate to:
    Access > Authentication Agents > Generate Configuration File
  • Click Generate Config File
  • Download AM_Config.zip
  • Extract the ZIP file to obtain sdconf.rec

Phase 3: Reconfigure RSA SecurID on vCenter (VCSA CLI)

  1. Transfer the Configuration File
    Copy sdconf.rec to the VCSA (for example, to /root/sdconf.rec).

  2. Configure the RSA Site in vCenter SSO
    #cd /opt/vmware/bin
    #./sso-config.sh -set_rsa_site -t vsphere.local -agentName vc.example.com -sdConfFile /root/sdconf.rec
    Note: The -agentName value must exactly match the RSA agent hostname.

  3. Enable RSA SecurID Authentication Policy
    #./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true

  4. Map the Active Directory User ID Attribute (Critical)
    Identify the exact AD identity source name as shown in vSphere Client.
    Recommended mapping when RSA AM uses sAMAccountName:
    #./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName example.com -ldapAttr sAMAccountName
    Important:
    Ensure the AD attribute configured here matches the attribute used in RSA Authentication Manager.

  5. Verify RSA Configuration (Optional)
    #./sso-config.sh -t vsphere.local -get_rsa_config

  6. Restart vCenter Services
    #service-control --stop --all
    #service-control --start --all

Phase 4: Testing and Validation

  1. Open the vSphere Client login page
  2. Log in using an AD user:
    • Username: AD username (based on configured attribute)
    • Password: RSA passcode (PIN + Tokencode)

Expected Result:
Authentication request is forwarded to RSA AM
User successfully logs in to vCenter using RSA SecurID 2FA
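As an added example (not part of this KB article), the bash script below performs the pre-flight checks a practitioner would want before running the -set_rsa_site command in Phase 3 (the agent name must be an FQDN and sdconf.rec must be readable) and scans an RSA AM authentication.log for the "No aliases found" signature quoted under Symptoms, which is the quickest way to confirm whether the failure is still a principal-resolution problem after reconfiguration. The log content is constructed, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): pre-flight checks for the Phase 3
# sso-config.sh -set_rsa_site step, plus a scan of RSA AM authentication.log
# for the "No aliases found" signature. Runs offline on a constructed log.

# Return 0 when AGENT_NAME looks like the FQDN the RSA agent was registered
# with and SDCONF is a readable file. A non-FQDN or mistyped agent name is the
# first cause listed in the KB, so the check fails closed.
rsa_preflight() {
  local agent_name="$1" sdconf="$2"
  case "$agent_name" in
    *.*) ;;                                   # must contain at least one dot
    *) echo "agent name '$agent_name' is not an FQDN" >&2; return 1 ;;
  esac
  [ -r "$sdconf" ] || { echo "sdconf.rec not readable: $sdconf" >&2; return 1; }
  return 0
}

# Print the number of AccessDenied responses caused by
# PrincipalResolutionException in an RSA AM authentication.log.
# grep -c exits 1 when the count is 0, so that case is tolerated explicitly.
count_no_alias_failures() {
  [ -r "$1" ] || return 2
  grep -cF 'PrincipalResolutionException: Unable to Resolve Principal:No aliases found' "$1" || true
}

# Constructed sample log (not real data), shortened like the KB excerpt.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[2024-01-01 10:00:00,410] DEBUG tomcat-http--31 - {updateServerResponseTime} serviceHostName = vc.example.com, responseTime=22
[2024-01-01 10:00:00,411] INFO tomcat-http--31 - {processAuthnRequest} xmlauthnResponse: ...Reason="http://www.rsa.com/schemas/x/authentication/reasons/AccessDenied"><stat:Message>com.rsa.authmgr.internal.admin.principalres.PrincipalResolutionException: Unable to Resolve Principal:No aliases found, unable to resolve principal by alias
[2024-01-01 10:05:00,100] INFO tomcat-http--32 - {processAuthnRequest} xmlauthnResponse: ...Status="http://www.rsa.com/x/authentication/status/Complete"
EOF

echo "no-alias failures in sample log: $(count_no_alias_failures "$SAMPLE_LOG")"
rsa_preflight vc.example.com "$SAMPLE_LOG" && echo "preflight OK for vc.example.com"
```

On a real VCSA you would pass the same -agentName value and -sdConfFile path you intend to give sso-config.sh, and point the log scan at /opt/rsa/am/server/logs/authentication.log on the RSA AM host.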

Additional Information

  • The vCenter Server uses an embedded RSA agent within the SSO service.
  • All RSA configuration for vCenter 8.0 must be performed via the VCSA CLI.
  • Incorrect agent naming or attribute mapping is the most common cause of RSA 2FA failures.

Reference documentation: VMware vSphere Authentication with RSA SecurID (vSphere 8.0), section "Set Up RSA SecurID Authentication".