NAAF Users prompted for password that should have been cached

  • 7016854
  • 17-Sep-2015
  • 18-Sep-2015

Environment

NetIQ Advanced Authentication Framework
NAAF 4.11
NAAF 4.11 HF2

Situation

Authasas password cache fails intermittently
Caching of passwords on workstation fails intermittently
Users are occasionally prompted for password as well as fingerprint on workstation unlock
Sometimes users are prompted for both password and fingerprint authentication instead of just a fingerprint when unlocking a workstation

Resolution

Occasional prompting for both configured authentication methods is to be expected in environments with multiple NAAF servers. To minimize its occurrence in multiple-server environments, and to prevent it in environments with a single NAAF server, do the following:

1. Make sure the "Enable PIN caching" policy settings in the registry are the same on both server and workstation:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\NetIQ\NetIQ Advanced Authentication Framework\
LastLogonDBEnabled = 1
LastLogonDBExpirePeriod = 480 (default, but may vary)

2. Make sure NAAF 4.11 HF2 has been applied. 
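The following PowerShell is an added illustration of the check in step 1; it is not part of this article or of the NetIQ product. It reads the two policy values named above from HKEY_LOCAL_MACHINE on the local machine and compares a server's result with a workstation's result. The function names Get-NaafPinCachePolicy and Compare-NaafPinCachePolicy, and the host names NAAF-SERVER01 and WKS01, are assumptions chosen for the example.

```powershell
# Added example (not NetIQ code): verify that the "Enable PIN caching" policy
# values from step 1 match on a NAAF server and a workstation.
# Assumes the policy key lives under HKLM as stated in the article.

function Get-NaafPinCachePolicy {
    # Reads the two policy values; returns $null for each when the key is absent.
    $path = 'HKLM:\SOFTWARE\Policies\NetIQ\NetIQ Advanced Authentication Framework'
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        KeyPresent              = ($null -ne $item)
        LastLogonDBEnabled      = $(if ($item) { $item.LastLogonDBEnabled } else { $null })
        LastLogonDBExpirePeriod = $(if ($item) { $item.LastLogonDBExpirePeriod } else { $null })
    }
}

function Compare-NaafPinCachePolicy {
    # Compares two Get-NaafPinCachePolicy results and lists every setting that differs.
    param(
        [Parameter(Mandatory)] $Server,
        [Parameter(Mandatory)] $Workstation
    )
    $settings   = 'LastLogonDBEnabled', 'LastLogonDBExpirePeriod'
    $mismatches = foreach ($name in $settings) {
        if ($Server.$name -ne $Workstation.$name) {
            [pscustomobject]@{
                Setting     = $name
                Server      = $Server.$name
                Workstation = $Workstation.$name
            }
        }
    }
    # The article expects LastLogonDBEnabled = 1 on both sides; flag it if caching is off.
    if ($Server.LastLogonDBEnabled -ne 1 -or $Workstation.LastLogonDBEnabled -ne 1) {
        Write-Warning 'LastLogonDBEnabled is not 1 on at least one machine; PIN caching is disabled there.'
    }
    [pscustomobject]@{
        Consistent = (@($mismatches).Count -eq 0)
        Mismatches = @($mismatches)
    }
}

# Usage: collect the local result and the remote one (host names are placeholders),
# then compare. Invoke-Command needs PowerShell remoting enabled on the remote host.
$serverPolicy      = Invoke-Command -ComputerName 'NAAF-SERVER01' -ScriptBlock ${function:Get-NaafPinCachePolicy}
$workstationPolicy = Get-NaafPinCachePolicy   # run this on WKS01 itself
$result = Compare-NaafPinCachePolicy -Server $serverPolicy -Workstation $workstationPolicy
if (-not $result.Consistent) { $result.Mismatches | Format-Table -AutoSize }
```

Any row listed in Mismatches is a value to align before looking elsewhere; once both functions report Consistent = True and LastLogonDBEnabled = 1, step 2 (confirming HF2 is applied) is the remaining item.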

Cause

When a user authenticates through NAAF, a "PIN cache" entry is set on both workstation and server, with a timestamp and a specified time to live. This PIN cache is not synchronized between NAAF servers. Beginning with NAAF 4.11 HF2, the NAAF Client remembers the last accessed NAAF server and tries to reuse it whenever needed. If the last used server is not accessible, the local PIN cache is reset and the user is prompted to authenticate using both factors.