000037843 - Error: Failed to connect to Identity Router, RSA SecurID Access Authenticate app tokencodes fail with an RSA Authentication Manager protected resource

Document created by RSA Customer Support Employee on Aug 21, 2019
Version 1

Article Content

Article Number: 000037843
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 4
Issue: RSA SecurID Authentication Manager is connected to the Cloud Authentication Service.
Attempting to authenticate to an Authentication Manager protected resource using an Authenticate App tokencode results in an authentication failure. 
The following error is shown in Security Console > Reporting > Real-time Activity Monitors > System Activity Monitor:

        Error: Failed to connect to Identity Router
Cause: This can occur in a scenario where the following three conditions are met:
  1. Authentication Manager is connected to the Cloud Authentication Service by setting up the configuration under: Security Console Home > Connect to the Cloud Authentication Service.
  2. Authentication Manager is also configured to send the Authenticate tokencodes to the Cloud Authentication Service through the identity router(s) under: Operations Console > Deployment Configuration > RSA SecurID Authenticate App.
  3. Authentication Manager is no longer able to successfully communicate with an identity router as needed for the configuration of (2) above. This can be verified by using the Test Connection button on the Operations Console > Deployment Configuration > RSA SecurID Authenticate App page. (If there are any replica Authentication Manager servers in the environment, the connection should also be tested from each replica's Operations Console to verify the connection to the identity router(s) from that particular Authentication Manager instance.)
Resolution: There are two ways to resolve this:

        Solution 1: Disable the configuration that allows Authenticate app tokencodes to be sent from the Authentication Manager to the Cloud Authentication Service through the identity router(s). This can be done by going to: Operations Console > Deployment Configuration > RSA SecurID Authenticate App and unchecking the "Allow authentication using Authenticate Tokencodes" option. Then save these settings.

With this option disabled, Authentication Manager no longer attempts to send Authenticate tokencodes to the Cloud Authentication Service through the identity router(s). Instead, it sends them using its direct connection to the Cloud Authentication Service.

        Solution 2: Resolve the connection issue between the Authentication Manager server(s) and identity router(s) to allow the Authenticate tokencodes to be sent to the Cloud Authentication Service through the identity router(s).
