000038036 - User password not saved when password integration is implemented with RSA Authentication Agent for Citrix StoreFront when logging with Risk Based Authentication in RSA Authentication Manager 8.4

Document created by RSA Customer Support Employee on Oct 8, 2019
Last modified by RSA Customer Support Employee on Oct 8, 2019
Version 2

Article Content

Article Number: 000038036
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0
Issue: RSA Authentication Manager does not save the user password when password integration is implemented with RSA Authentication Agent for Citrix StoreFront and the user logs in to StoreFront with Risk Based Authentication (RBA). The user is prompted for the password repeatedly.

Enable verbose logging on RSA Authentication Manager and perform an RBA authentication.
The following errors appear in /opt/rsa/am/server/logs/imsTrace.log:

2019-04-11 10:58:56,440, [OARequestHandler1], (DataObjectAccessSql.java:552), trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, ERROR, sprsaam.saintpetersuh.com,,,,failed to lookup domain object of class:class com.rsa.authmgr.internal.admin.principalmgt.dal.AMPrincipal by GUID:e4263e071500cb0a1b2f26efd6e2c7a6
2019-04-11 10:58:56,441, [OARequestHandler1], (OAProcessor.java:1), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, sprsaam.saintpetersuh.com,,,,Unexpected exception during processing: PW_UPDATE_NOT_ALLOWED
com.rsa.authmgr.internal.oa.OAException: User 'venjbeverly' or agent '10.200.48.46' could not be found.
  at com.rsa.authmgr.internal.oa.engine.PasswordProcessor$1.doOperation(PasswordProcessor.java:14)
  at com.rsa.authmgr.internal.oa.engine.db.OACallback.doInTransaction(OACallback.java:5)
  at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
  at com.rsa.authmgr.internal.oa.engine.db.DBUtil.doInTransaction(DBUtil.java:13)
  at com.rsa.authmgr.internal.oa.engine.PasswordProcessor.doRun(PasswordProcessor.java:13)
  at com.rsa.authmgr.internal.oa.engine.OAProcessor.run(OAProcessor.java:47)
  at com.rsa.authmgr.internal.oa.RequestReceiver.a(RequestReceiver.java:45)
  at com.rsa.authmgr.internal.oa.RequestReceiver$1.run(RequestReceiver.java:4)
  at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:80)
  at com.rsa.security.SecurityContext.doAs(SecurityContext.java:412)
  at com.rsa.authmgr.internal.oa.RequestReceiver.handleConnection(RequestReceiver.java:98)
  at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerTask.run(TCPServer.java:689)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  at java.lang.Thread.run(Thread.java:748)
  at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerThread.run(TCPServer.java:764)
2019-04-11 10:58:56,442, [OARequestHandler1], (RequestReceiver.java:44), trace.com.rsa.authmgr.internal.oa.RequestReceiver, ERROR, sprsaam.saintpetersuh.com,,,,Error handling OA request
com.rsa.authmgr.internal.oa.OAException: User 'venjbeverly' or agent '10.200.48.46' could not be found.
  at com.rsa.authmgr.internal.oa.engine.PasswordProcessor$1.doOperation(PasswordProcessor.java:14)
  at com.rsa.authmgr.internal.oa.engine.db.OACallback.doInTransaction(OACallback.java:5) 
Cause: This issue has been reported in defect AM-33846 (RSA Authentication Manager does not save the user password when password integration is implemented with RSA Authentication Agent for Citrix StoreFront, when logging into StoreFront with Risk Based Authentication).
Resolution: This issue has been resolved in RSA Authentication Manager 8.4 patch 4. However, password integration works only for users added to Authentication Manager after the patch is installed. Users who existed in the database before patch 4 was installed will continue to see the password prompt when logging in with Risk Based Authentication, even though password integration is enabled. The workaround for these users is to edit the user record and save it, which creates the additional space needed to save the password in RSA Authentication Manager.

To do this:
  1. Log in to the Security Console on the primary.
  2. Navigate to Identity > Users > Manage Existing.
  3. Search for your user(s).
  4. From the context arrow, click Edit.
  5. Without making changes, click Save.
Workaround: After assigning the user an RBA token,
  1. Click the user name again.
  2. In the drop-down menu, click User Authentication Settings.
  3. Select the Clear cached copy of selected user's Windows credentials checkbox, then click Save.

Doing this creates the additional user data in the am_principal table, after which password integration works. Simply editing a user record and closing it also helps.
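To find which existing accounts still need the edit-and-save workaround, the error signature shown above can be extracted from imsTrace.log. This is an added example, not RSA code; the function name affected_users is hypothetical, and the sample log lines (host, user names, agent addresses) are constructed in the layout of the trace above.

```python
import re

# Constructed sample in the imsTrace.log layout shown above (host, users and IPs are made up).
SAMPLE_LOG = """\
2019-04-11 10:58:56,441, [OARequestHandler1], (OAProcessor.java:1), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, am1.example.test,,,,Unexpected exception during processing: PW_UPDATE_NOT_ALLOWED
com.rsa.authmgr.internal.oa.OAException: User 'alice' or agent '192.0.2.10' could not be found.
  at com.rsa.authmgr.internal.oa.engine.PasswordProcessor$1.doOperation(PasswordProcessor.java:14)
2019-04-11 10:58:56,442, [OARequestHandler1], (RequestReceiver.java:44), trace.com.rsa.authmgr.internal.oa.RequestReceiver, ERROR, am1.example.test,,,,Error handling OA request
com.rsa.authmgr.internal.oa.OAException: User 'alice' or agent '192.0.2.10' could not be found.
2019-04-11 11:02:10,007, [OARequestHandler2], (OAProcessor.java:1), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, am1.example.test,,,,Unexpected exception during processing: PW_UPDATE_NOT_ALLOWED
com.rsa.authmgr.internal.oa.OAException: User 'bob' or agent '192.0.2.11' could not be found.
2019-04-11 11:05:00,100, [OARequestHandler1], (OAProcessor.java:1), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, am1.example.test,,,,Unexpected exception during processing: PW_UPDATE_NOT_ALLOWED
com.rsa.authmgr.internal.oa.OAException: User 'alice' or agent '192.0.2.10' could not be found.
"""

# A new log entry starts with a timestamp; stack-trace and exception lines do not.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), ")
NOT_FOUND = re.compile(r"OAException: User '([^']*)' or agent '([^']*)' could not be found")


def affected_users(lines):
    """Map each user to the agents, count and first/last time of failed password saves."""
    hits = {}
    pending = None  # timestamp of a PW_UPDATE_NOT_ALLOWED entry awaiting its exception line
    for line in lines:
        entry = ENTRY.match(line)
        if entry:
            # Only the PW_UPDATE_NOT_ALLOWED entry counts; the follow-up
            # "Error handling OA request" entry repeats the same exception.
            pending = entry.group(1) if "PW_UPDATE_NOT_ALLOWED" in line else None
            continue
        found = NOT_FOUND.search(line)
        if pending and found:
            user, agent = found.groups()
            rec = hits.setdefault(user, {"agents": set(), "count": 0, "first": pending})
            rec["agents"].add(agent)
            rec["count"] += 1
            rec["last"] = pending
            pending = None
    return hits


if __name__ == "__main__":
    for user, rec in sorted(affected_users(SAMPLE_LOG.splitlines()).items()):
        print(user, rec["count"], rec["first"], rec["last"], sorted(rec["agents"]))
```

Against a real trace, pass the open file object for imsTrace.log to affected_users instead of the sample lines.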
