RSA SecurID Windows MFA Agent stops working when GlobalProtect is installed


L0 Member

We are trying to implement RSA SecurID MFA across our infrastructure, specifically to lock down VPN, cross-zone traffic, and essential network assets. On the Windows servers and some of the more sensitive mobile devices (Windows laptops) we are installing the RSA SecurID Windows MFA Agent.

 

The RSA MFA works fine if GlobalProtect is not installed on my test laptop. If GlobalProtect is installed the MFA challenge fails to be presented on login or unlocking a session. When I look at the login options on the Windows Hello prompt for logging in, GlobalProtect is presented first, then RSA Windows MFA Agent. MFA does work when bringing up the VPN or hitting the VPN portal with the browser. 

 

I don't believe it is a DNS or routing issue; the problem still presents itself when the laptop is on the physical network and VPN is not being used. It might simply be a sequencing issue with GP getting in the way somehow.

 

Any ideas on solutions, causes, or settings I need to change?  Googling and searching the knowledge bases here and at RSA have yielded nothing.

 

 

-Freeman Pascal, Rhinocorps, Ltd CO.

 

1 REPLY 1

L0 Member

I think I found the solution. If someone can confirm it's the right solution, I would appreciate it.

The Group Policies under Local Computer Policy -> Computer Configuration -> Administrative Templates -> RSA Desktop -> Confidential Provider Filter Settings include a setting called Exclude all third-party Credential Providers. Normally this is disabled; enabling the setting now will allow Windows Hello to prompt for the MFA challenge.

 

Oddly, it seems to only apply to the Windows Hello prompt and not when unlocking a session. The MFA challenge is still not presented when unlocking a session.
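To check which credential providers and credential provider filters are registered on a machine like the test laptop in this thread, the standard Windows registry locations can be enumerated before and after changing the policy. This is an added example, not part of the original posts and not RSA or Palo Alto Networks tooling; `Get-CredProviderEntry` is a hypothetical helper name.

```powershell
# Added example: list registered credential providers and credential provider filters.
# Get-CredProviderEntry is a hypothetical helper, not a built-in cmdlet.
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-CredProviderEntry {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Credential Providers', 'Credential Provider Filters')]
        [string]$Kind
    )

    $path = Join-Path $authRoot $Kind
    if (-not (Test-Path -LiteralPath $path)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $path) {
        $clsid = $key.PSChildName
        $props = Get-ItemProperty -LiteralPath $key.PSPath

        # The DLL that implements the provider is registered under its COM CLSID.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }

        [pscustomobject]@{
            Kind     = $Kind
            Name     = $props.'(default)'          # friendly name, if the vendor set one
            Clsid    = $clsid
            Disabled = ($props.Disabled -eq 1)     # per-provider Disabled DWORD, when present
            Dll      = $dll
        }
    }
}

# Run from an elevated prompt; third-party entries show a DLL outside System32.
$entries = 'Credential Providers', 'Credential Provider Filters' |
    ForEach-Object { Get-CredProviderEntry -Kind $_ }

$entries | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Saving the output before and after the policy change (for example with `Export-Csv`) makes it easy to see whether the set of registered providers and filters actually differs between the logon and unlock cases.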

 

 
