
Apparently, on Windows machines where "RSA Authentication Agent" is installed, it's possible to leverage that to provide authentication services. It seems there's some documentation/SDK somewhere for doing this. It seems it's possible to statically link this functionality in, or load it dynamically by calling some functions exported from "aceclnt.dll".

However, since RSA's website was moved to emc.com, all links to old site are dead. I can't find the docs anywhere on the new site. Please help me google this!

We can trivially use SecurID authentication in our application on UNIX/Linux, via PAM. It's only on Windows where we need to use some special SecurID API to query whether to accept/reject the credentials.

Nicholas Wilson

2 Answers


If you have a support account...

It is not that trivial, especially using the C SDK, which you will be using with aceclnt.dll. Many API calls are asynchronous, which means you must call and then poll for the answer. Most/all traffic is encrypted, so Wireshark is of little help.

But to get the files, you must have a support account (I have one and used it to confirm with RSA).

From the RSA Authentication Agent API 8.1 SP2 for C release notes:

The RSA Authentication Agent application programming interface (API) for C enables developers to integrate RSA SecurID into custom or third-party applications. The API is available for download on RSA SecurCare Online at https://knowledge.rsasecurity.com as a .tar and a .zip file.

The exact URL for the C SDK is https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8635

Starting with Authentication Manager 7.1, there is a new Java, Python and C# API. They are much easier to work with. I have used the Java version successfully for token management and user authentication.

The URL for the Authentication Manager SDK Python, Java and C# SDK is https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8205.

Posting the files would void my support account, but others have posted sample code. It is in Python, but Java and C# objects names are the same.

Something else to try: RADIUS

Your server can be a RADIUS client. Integrate a RADIUS client library to your code and send the PIN and token code to the SecurID server. It will do the validation. As a bonus, you will be ready to support other RADIUS based authentication services.

Keep in mind that you will be validating a PIN and tokencode. In most/all configurations, the PIN will be different from the Windows password.

You must call the SecurID server with that information because there is no way to tell which part is the PIN and which part is the tokencode. Tokencodes are not always 6 digits and the PIN can be numeric, too. Or maybe the user has not set a PIN yet, etc.

There is a generic back-and-forth mechanism in RADIUS that you can also support. It will be used to prompt the user for his next tokencode, change his PIN, etc. Your server, acting as a RADIUS client, will be moving the information back and forth from the client to the server until it is satisfied. You can then consider authentication completed. You can use NTRadPing to test.

ixe013
  • Do you need a support account just to access the docs for the API? – snibbets Dec 06 '12 at 01:13
  • Yes @snibbets, you need a support account. I updated my answer: I had checked with RSA since writing it the first time. – ixe013 Dec 06 '12 at 02:51
  • Actually, I think you're confusing 2 things here. The "RSA SecurID SDK" allows you to integrate an application to talk directly to the Auth. Manager server, without having to talk to the local OS authentication system - and that's the docs you need a SecurCare account to access. What the OP is referring to is using the Unix SecurID PAM module, or the "Windows SecurID Agent", that is freely available for download at http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm. Hope this helps!! – JJarava Feb 14 '13 at 16:10
  • True, I used the SDK to talk to to the Authentication Manager (including token code validation). The way I read the question though an agent was not enough *integration*. – ixe013 Feb 14 '13 at 16:22
  • OK, maybe I'm confused here, but maybe not. I'm running a daemon on a Windows machine; users send me their Windows passwords and the thing on the token. I need to check both before allowing them to log on. `LogonUser` only accepts a single factor. I have to call a function from a SecurID-specific DLL to get TFA, right? Unlike on Unix, there isn't a general mechanism for doing a two-factor logon, so I have to integrate directly with a specific solution? It would be the same for fingerprint, for example. – Nicholas Wilson Feb 14 '13 at 17:15
  • I'm not totally mad: here's another application doing exactly what I want to do: http://www.ssh.com/manuals/server-win-admin/44/RSA_SecurID.html. I enrolled in the "RSA Partner Programme" last month because they told me point-blank they can't send me the API documentation for their DLL unless they're paid gobloads of money to "certify our solution". Is this true? I still don't have a page of docs from them, so I don't even know if the thing I've bought is what I want. Can I simply not even get a list of functions in their Authentication Agent's DLL without paying? – Nicholas Wilson Feb 14 '13 at 17:22
  • Note that I have a pile of RSA tokens here in front of me, happily working with some client software on Windows/Unix boxes and some software or a domain controller. Buying a working system doesn't get you a SecureCare account though to read their documentation for the DLL I have installed on the clients! – Nicholas Wilson Feb 14 '13 at 17:28
  • Make your server a RADIUS client to the SecurID server. See updated answer. – ixe013 Feb 14 '13 at 19:55
  • "I have use the Java version successfully for token management and user authentication". That library is also able to assign, reset, release tokens??? – nano_nano Jan 21 '14 at 13:09
  • Yes. You can do everything you can do manually in the Security Console. Your application's account will need to be assigned a role with enough privileges for the operations you want to perform. – ixe013 Jan 21 '14 at 13:24
  • @ixe013 hi, I'm trying with no success to make my RSA server a RADIUS server, any help with the steps? – ArielB Aug 31 '16 at 10:28
  • @ixe013 - a bit cheeky, but I wonder if I could ask if you're able to comment on a follow-up question, http://stackoverflow.com/questions/42560402/? I do now have the official PDF documentation, but it doesn't seem to be right... – Nicholas Wilson Mar 02 '17 at 18:42
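The RADIUS route in the answer above, worked through as an added example (not code from the question, the answer, or RSA): a minimal RFC 2865 client-side implementation of the PAP Access-Request, the User-Password hiding, the Response Authenticator check, and the Access-Challenge/State loop used for "next tokencode" prompting. The SecurID server is simulated in-process with a constructed `toy_securid_server` so the block runs offline; the PIN+tokencode `1234567890`, the follow-up tokencode `654321`, the shared secret and the `State` value are all invented for the demonstration. A real deployment would put `build_access_request` on a UDP socket to the Authentication Manager's RADIUS port with retransmission, which is omitted here; the framing and checks are the same.

```python
"""Minimal RADIUS (RFC 2865) client framing for validating a SecurID PIN+tokencode.
Added example; the SecurID/RADIUS server below is a constructed stand-in."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server side does)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:               # length byte covers type+len+value
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, state=None):
    """Returns (packet, request_authenticator); keep the authenticator to check the reply."""
    auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))]
    if state is not None:                  # echo the server's opaque State on a challenge reply
        attrs.append((ATTR_STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth


def parse_response(pkt, secret, request_auth):
    """Verify Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    before trusting the code, or a spoofed Access-Accept would be believed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length mismatch")
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator")
    return code, ident, decode_attrs(pkt[20:])


def _reply(code, request, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def toy_securid_server(request, secret):
    """Constructed stand-in for Authentication Manager in 'next tokencode' mode:
    passcode '1234567890' gets a challenge; the session completes with '654321'."""
    attrs = dict(decode_attrs(request[20:]))
    passcode = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    if ATTR_STATE not in attrs:
        if passcode == b"1234567890":
            return _reply(ACCESS_CHALLENGE, request,
                          [(ATTR_REPLY_MESSAGE, b"Wait for the tokencode to change, then enter it"),
                           (ATTR_STATE, b"nexttoken:42")], secret)
        return _reply(ACCESS_REJECT, request, [], secret)
    ok = attrs[ATTR_STATE] == b"nexttoken:42" and passcode == b"654321"
    return _reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, [], secret)


def authenticate(secret, username, passcode, prompt, send=toy_securid_server):
    """Client loop: answer each Access-Challenge (echoing State) until Accept/Reject."""
    state, answer, ident = None, passcode, 0
    for _ in range(5):                     # bound the back-and-forth
        req, auth = build_access_request(ident, secret, username, answer, state)
        code, rid, attrs = parse_response(send(req, secret), secret, auth)
        if rid != ident:
            raise ValueError("identifier mismatch")
        if code != ACCESS_CHALLENGE:
            return code
        attrs = dict(attrs)
        state = attrs[ATTR_STATE]
        answer = prompt(attrs.get(ATTR_REPLY_MESSAGE, b"").decode())
        ident = (ident + 1) & 0xFF
    return ACCESS_REJECT
```

Two points the flow above makes concrete: the client never splits the passcode into PIN and tokencode (it ships the whole string in User-Password and lets the server decide), and the `State` attribute is opaque and must be returned unchanged on the next Access-Request, which is how the server ties the "next tokencode" answer to the original attempt. The Response Authenticator check is what makes the Accept/Reject trustworthy; skipping it is the classic mistake in hand-rolled RADIUS clients.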

Three years later, and the answer has changed: the docs are available for download freely on RSA's website!

https://community.rsa.com/docs/DOC-36840

Without any support contract, you can now download and read the "Authentication Agent API 8.1.1 for C Developers Guide".

Nicholas Wilson