05-18-2022 12:51 PM
We are trying to implement RSA SecurID MFA across our infrastructure, specifically to lock down VPN, cross zone traffic, and essential network assets. On the Window servers and some of the more sensitive mobile devices (Windows laptops) we are installing the RSA SecurID Windows MFA Agent.
The RSA MFA works fine if GlobalProtect is not installed on my test laptop. If GlobalProtect is installed the MFA challenge fails to be presented on login or unlocking a session. When I look at the login options on the Windows Hello prompt for logging in, GlobalProtect is presented first, then RSA Windows MFA Agent. MFA does work when bringing up the VPN or hitting the VPN portal with the browser.
I don't believe it is a DNS or routing issue, the problem still presents itself when the laptop is on the physical network and VPN is not being used. It might simply be a sequencing issue with GP getting in the way some how.
Any ideas on solutions, causes, or settings I need to change? Googling and searching the knowledge bases here and at RSA have yielded nothing.
-Freeman Pascal, Rhinocorps, Ltd CO.
05-18-2022 02:06 PM
I think I found the solution. If someone can confirm it's the right solution, I would appreciate it.
The Group Policies under Local Computer Policy -> Computer Configuration -> Administrative Templates -> RSA Desktop -> Confidential Provider Filter Settings include a setting called Exclude all third-party Credential Providers. Normally this is disabled, enabling the setting now will allow Windows Hello to prompt for the MFA challenge.
Oddly, it seems to only apply to the Windows Hello prompt and not when unlocking a session. The MFA challenge is still not presented when unlocking a session.
04-18-2023 08:21 AM
Hi - We are running into the same issue. Did you happen to figure out the cause and fix?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!