Hello,
I am testing a Siteminder Policy Server 12.51 + CA Secure Proxy Server that performs SecurID authentication with the RSA ACE server.
The SecurID authentication (PIN+token code) works well if the user's PIN has already been defined.
However, if the PIN is not defined yet or requires a change, the authentication fails.
In this latter case, the user should enter only the token digits and be prompted with a New PIN dialog asking to define a new PIN.
The New PIN dialog does not appear and authentication fails.
The RSA server trace log shows that Siteminder submits credentials to RSA, but when RSA invokes the New PIN mode, Siteminder cancels the New PIN mode ("new PIN mode cancelled"). Instead, Siteminder resends a new authentication attempt with the same token code, which produces a "token reuse detected" error and authentication failure.
The New PIN worked with the very same Siteminder server a couple of weeks ago, but for some reason it is not working anymore.
The New PIN mode still works well if we test it with the local native Windows RSA Agent set up on the Policy Server.
So this is not an RSA server problem or a token/user-related issue.
The server clocks are synchronized.
What may be wrong?
Thank you