vCenter only utilizes x of y RSA Managers listed for failover

Article ID: 431944

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Multiple RSA Managers are listed for failover in the sdconf.rec
  • One or more RSA Managers have been rebooted
  • One or more RSA Managers have been upgraded

Environment

vCenter 8.x

Cause

vCenter negotiates a MessageKey with RSA Manager. When RSA Manager is upgraded or rebooted, RSA Manager loses track of the valid MessageKey vCenter negotiated. vCenter does not renegotiate the MessageKey until key expiry (default 8 hours).

Resolution

Option 1 - Restarting vCenter STS forces vCenter to negotiate a new MessageKey immediately, resolving authentication issues without waiting up to 8 hours for key expiry.

Option 2 - Disable the RSA SecurID authentication on vCenter Server

Customers can use MFA through federated authentication. See here for more information on configuring federated authentication.

Note: VCF 9.0 removes support for the RSA SecurID authentication method.

Additional Information

Contact RSA support for further assistance; see the vCenter RSA ready Implementation Guide.

vSphere 2FA integration with RSA SecurID Authentication fails due to load balancing issue for RSA Authentication Manager