Title	RSA ClearTrust users occasionally unable to authenticate using valid username and password

URL Name	a23160-RSA-ClearTrust-users-occasionally-unable-to-authenticate-using-valid-username-and-password

Summary

Validation Status	Work in Progress

Age	7,163.96

Translate To

Applies To

RSA ClearTrust 5.5.2 Authorization Server (AServer)
Microsoft Windows 2000 Professional SP4
Microsoft Active Directory

Issue

RSA ClearTrust users occasionally unable to authenticate using valid username and password
The auth server log file indicates the following error message even though the username and password were entered correctly:

"result_code=1,result_action=Authentication Failure,result_reason=Unknown User

Cause

This failure can happen due to a problem with the way the bind authentication pool that is used to authenticate users to the AD datastore is maintained. Users who enter a wrong userid will have their connection returned to the pool without clearing the "bad" bind. A subsequent bind by a legitimate user on one of these connections would result in the user being prompted again for authentication. Normally, only very few users would ever encounter this situation, but it is possible under unusual conditions for a larger number of users to be affected.

Resolution

This issue is resolved in hot fix 5.5.2.42 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.

NOTE: The "Unknown User" message does occur normally in the AServer log file. Only a disproportionately large number of these login failures over a short period of time indicates a potential problem.

For more information, see solution badPwdCount incremented multiple times in Active Directory for a single failed attempt at logon to RSA ClearTrust.

Workaround

ClearTrust is configured to user "Bind Authentication" with cleartrust.data.ldap.password.validate_with_connect = True

Notes

Legacy Article ID 000021491

Audience	External

Article Source	Conversion

Original Article Author	istaines

Original Created Date	9/22/2004 7:13 PM

Owner	Admin6 Integration (R3 Propel)

Assigned To

Assigned By

Assignment Note

Assignment Due Date

Publication Status	Published

Article Type	Knowledge

Article Number	000058271

Created By	Admin6 Integration (R3 Propel)

Last Modified By	Katrina Nash

Language	English