Environment
NetIQ Advanced Authentication Framework
NAAF 4.11
NAAF 4.11 HF2
Situation
Authasas password cache fails intermittently
Caching of passwords on workstation fails intermittently
Users are occasionally prompted for password as well as fingerprint on workstation unlock
Sometimes users are prompted for both password and fingerprint authentication instead of just a fingerprint when unlocking a workstation
Resolution
Occasional prompting for both configured authentication methods is to be expected in environments with multiple NAAF servers. To minimize its occurrence in multiple-server environments, and to prevent it in environments with a single NAAF server, do the following:
1. Make sure the "Enable PIN caching" policy settings in the registry are the same on both server and workstation:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\NetIQ\NetIQ Advanced Authentication Framework\
LastLogonDBEnabled = 1
LastLogonDBExpirePeriod = 480 (default, but may vary)
2. Make sure NAAF 4.11 HF2 has been applied.
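The following PowerShell script is an added example for step 1 and is not part of the original article: it reads the two PIN cache policy values from the local workstation and from one NAAF server (over PowerShell Remoting) and reports any mismatch. The server name naaf-server01 is a placeholder, and the script assumes WinRM is enabled on the server and that the caller has administrative rights there.

```powershell
# Added example (not from the original KB article): compare the NAAF
# "Enable PIN caching" policy values between this workstation and a NAAF server.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the server and the
# caller is an administrator there; 'naaf-server01' is a placeholder name.

$KeyPath = 'HKLM:\SOFTWARE\Policies\NetIQ\NetIQ Advanced Authentication Framework'
$Names   = 'LastLogonDBEnabled', 'LastLogonDBExpirePeriod'
$Server  = 'naaf-server01'

function Get-NaafPinCachePolicy {
    param([string]$Path, [string[]]$ValueNames)
    $result = @{}
    # SilentlyContinue: a missing key simply yields $null for every value
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($n in $ValueNames) {
        # $null means the value (or the whole policy key) is not set here
        $result[$n] = if ($item) { $item.$n } else { $null }
    }
    return $result
}

# Local workstation values
$local = Get-NaafPinCachePolicy -Path $KeyPath -ValueNames $Names

# Same function executed on the NAAF server; ${function:...} yields its ScriptBlock
$remote = Invoke-Command -ComputerName $Server `
    -ScriptBlock ${function:Get-NaafPinCachePolicy} `
    -ArgumentList $KeyPath, $Names

$mismatch = $false
foreach ($n in $Names) {
    $status = if ($local[$n] -eq $remote[$n]) { 'match' } else { 'MISMATCH'; $mismatch = $true }
    '{0,-24} workstation={1,-8} server={2,-8} {3}' -f $n, $local[$n], $remote[$n], $status
}

# The article requires LastLogonDBEnabled = 1; flag it if either side differs
if ($local['LastLogonDBEnabled'] -ne 1 -or $remote['LastLogonDBEnabled'] -ne 1) {
    Write-Warning 'LastLogonDBEnabled is not 1 on both machines; PIN caching is not enabled consistently.'
}
if ($mismatch) {
    Write-Warning "PIN cache policy differs between this workstation and $Server; align the values (normally via the GPO that populates $KeyPath)."
}
```

Because the values live under HKLM\SOFTWARE\Policies, they are usually delivered by Group Policy; if the script reports a mismatch, correct the policy rather than editing the registry by hand on individual machines, otherwise the next policy refresh will reintroduce the difference.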
Cause
When a user authenticates through NAAF, a "PIN cache" entry is created on both the workstation and the server, with a timestamp and the configured time to live. This PIN cache is not synchronized between NAAF servers, so a workstation that is serviced by a different server on unlock than on logon finds no cache entry there. Beginning with NAAF 4.11 HF2, the NAAF Client remembers the last accessed NAAF server and tries to reuse it whenever needed. If the last used server is not accessible, the local PIN cache is reset and the user is prompted to authenticate using both factors.