RSA server time out of sync and users prompted for next token code or authentication failing

If the RSA server time is out by more than 3 minutes you will find some users completely failing to authenticate and some being prompted for the next token code. Once you correct the server time it is good to resynchronize all the tokens. I have run this batch job on a windows server but I’ll include instructions for UNIX based and appliance as well.


1. From command prompt run:
C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil sync-tokens -I
2. You’ll be prompted for a a few bits of information including the path for the output file. The whole process should look like this:

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805
Copyright (C) 2008 RSA Security Inc. All rights reserved.

Enter the absolute path for the output report file               : c:\sync.txt
Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection                [ (all) | file ]: all
Choose a token filter          [ assigned | unassigned | (both) ]: both
What action do you wish to perform?           [ (list) | modify ]: modify
Enter type of clock offset value  [ absolute | relative | (none)]: absolute
Enter clock offset value                                      [0]: 0
Do you want to reset the Next Tokencode Mode?             [ y/n ]: y
Do you want to reset the last login date and time?        [ y/n ]: n
Do you want to clear user lockout information?            [ y/n ]: y
Enter administrator user ID                                      : admin
Enter administrative password                                    : ***********

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805
Copyright (C) 2008 RSA Security Inc. All rights reserved.
Started job on Wed Aug 20 10:19:51 EDT 2008 with ID = ims.e07c584ba263650a018d923bd0ac085d

3. That’s all you need to do. You can check the output file to get a list of tokens that were modified and their current status.

RSA Authentication Manager 7.1 – Applicance and UNIX based

I haven’t tried this so don’t take my word for it but it is the procedure from RSA support so hopefully not completely useless.

1. Connect to the Appliance using the console or an SSH client. (For remote access using an SSH client, verify in the RSA Operations Console that the Appliance is enabled for SSH connectivity.)
2. Log on using the emcsrv account and the Operating System password.
3. Switch users to root. Run: sudo su
4.When prompted, enter the Operating System password.
5. Switch users to rsaadmin. Run:su rsaadmin
6. Set the current directory to the folder that contains the RSA utilities.
Run: cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
7. Set the environmental variables. Run: . ./rsaenv (This command begins with a period, space, period, and forward slash)
8. Set the correct time on the RSA Authentication Manager server.
9. Synchronize the tokens:
10. (Recommended) Create a text file where you can write output from the command. On the Appliance, a convenient location is /tmp/sync.txt.
11. Run: ./ rsautil sync-tokens -I (Run this command as rsaadmin.)