Using the vCenter Login Banner for RSA SecurID support

In vSphere 6.0 Update 2 we added the capability to use RSA SecurID for two-factor authentication (2FA) in to the web client (only). I wrote about that in a two part blog series. Part 1 and Part 2

I recently got an email from a customer asking me about the implementation of the RSA SecurID Agent in vSphere and that prompted this blog.

The initial inquiry was around SecurID PIN resets and the customer asked: “It seems like vSphere doesn’t support PIN resets. How can I help my folks who are logging in to vCenter if their PIN is expired?”

In this blog I’ll show you how editing the Login Banner can help you get your users to the right page to reset their RSA SecurID PIN.

RSA Authentication Agents Overview

In general terms, the component that speaks to the RSA Authentication Manager on the object you are protecting is called an RSA Authentication Agent. This comes in a number of forms.  RSA supplies their own agent software for popular web servers and applications. They also provide Agent libraries for 3rd parties like VMware to integrate into their own solutions, like vCenter or VMware Horizon View.

If you install RSA’s web agents on Apache or IIS, it comes pre-loaded with a bunch of pages that manage PIN expiration and resetting. If you log in to a website protected by SecurID and your PIN has expired, it will lead you through a workflow to reset the PIN. See the example below:

vCenter/PSC Integration

The RSA SecurID agent that is integrated into the Platform Services Controller component of vCenter does not support PIN resets. This is not unusual. I used to work at RSA and have seen a large number of 3rd party solutions leverage the RSA SDK’s and don’t support these workflows. There are many reasons but mostly because of the management of additional testing required and that many customers use the RSA Self Service Console to centrally manage PIN resets.

Embedded or External PSC configurations

Configuration of the Login Banner is done not on the vCenter server but on the Platform Services Controller (PSC). In vSphere you can run a PSC as an embedded component of a vCenter Server Appliance (VCSA) or as a external virtual appliance. See Adam’s great breakdown on PSC topology here. If you are running an embedded PSC with your vCenter then¬† you would log in to https://[vCenter]/PSC to make the changes.

If you are running external PSC’s you only need to make the change on one PSC. All changes to the banner will be replicated to other PSC in the SSO domain. This is different from configuring RSA SecurID as I called out in my RSA SecurID for vCenter blog series (Part 1 & Part 2). There you have to configure SecurID on all PSC’s so that any of those PSC’s can service the RSA authentication.

What if my PIN is expired?

If your PIN is expired and in need of reset then when you attempt to log in to vCenter/PSC you will get a failed login prompt. You’ll also be notified that your pin is expired with a notification that says “Please acquire a new pin” That’s expected behavior for any RSA Authentication agent. But where does the user go to reset that PIN? How can I at least direct people to the correct resource for resetting their RSA SecurID PIN?

Login Banner

As I mentioned above, I’m going to use the Login Banner to point people at the RSA Self Service Console for their PIN resets. The Login Banner was introduced (along with RSA SecurID support) in vSphere 6.0 U2. It has a number of options such as “Click for explicit consent”, a title and a message. When displayed on the login page the title is prepended by the words “I agree to“.

You would typically add in the title field “Terms and Conditions” or something similar so that the full sentence “I agree to Terms and Conditions” would be displayed. The words “Terms and Conditions” would then be a hyperlink to the “Messages” dialog box where you can put in additional information.

What I put in my title field was “Terms and Conditions. Click here if you are having RSA SecurID Login issues“.

Now the login box looks like this:

RSA Self Service Console

To get the end user to the RSA Self Service Console, I created a message similar to:

If you have login issues with RSA SecurID, please check that your PIN has not expired. Go to https://rsaselfservice.<company>.com

The hyperlink in the message isn’t active. I’m going to hazard a guess that it’s a security thing! The user logging in to vCenter can just copy/paste the link and open it in another browser tab/window. Here’s what the window looks like this.

I mentioned the RSA Self Service Console. That login process looks like this:

Wrap Up

So, to close this out, we’ve learned a couple of new things.

  1. When your PIN is expired you’ll be notified (I believe this is a change in 6.5)
  2. The Login Banner can be used to help point people at useful information

I hope this was useful information. If you have suggestions on other blog articles or feedback, just send me email at mfoley at vmware or via Twitter to @vspheresecurity or @mikefoley

Thanks for reading!