000038144 - Error: Unable to perform pre-login process when trying to login to RSA Authentication Manager 8.x Web Tier Self Service Console

Document created by RSA Customer Support Employee on Dec 10, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038144
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type: Authentication Manager, Webtier
RSA Version/Condition:  8.x
IssueThis article explains and provides a solution for issues which are seen when trying to connect to the RSA web tier from the internet. The requests to the web tier are being routed through a load balancer; in this case, Azure App Gateway.

The Authentication Manager server was unable to identify the incoming requests though the the backend instance IP addresses of the Azure App Gateway added under the Virtual Host load balancer page in the Operations Console.
  • On the side of the end user who is trying to access the web tier console from the internet to login, the following error is seen:

Sorry, your request cannot be processed at this time       

User-added image


  • In the /opt./rsa/am/server/ImsTrace.log collected from the Authentication Manager server the following errors are registered:


ERROR 16042 Execute command Administrator “SYSTEM” attempted to execute command “com.rsa.ims.sso.service.CheckAccessCommand” Failure Unexpected exception caught SYSTEM
UNEXPECTED_EXCEPTION Webtier.selfservice.com  XX.XX,XX.XX system.com.rsa.command.CommandServerEngine com.rsa.ims.sso.service.CheckAccessCommand
com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.


  • On the Authentication Manager server System Activity Report (Reporting > Reports > Add New or Manage Existing), the following errors are shown:


com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERRORcom.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by:
com.rsa.common.SystemException: Unable to perform pre-Login process... Caused by: java.net.UnknownHostException: XX.XX.XX.XX:XXXX: invalid IPv6 address at
java.net.InetAddress.getAllByName(InetAddress.java:1170) at java.net.InetAddress.getAllByName(InetAddress.java:1127) at java.net.InetAddress.getByName(InetAddress.java:1077) at
com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:160) at com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:280)
CauseThe error seems to be an issue with the X-forward related configuration on the load balancer. 

The RSA Authentication Manager Server does not expect that the request from the firewall will be sent in the format <IP Address>:<Port> in the header; rather it expects the request contain only the IP address, that is <IP Address>
 
ResolutionTo resolve the issue, remove x-forwarded-for header which is a comma-separated list of IP:port from the load balancer configuration.

For more information please refer to the section entitled "Modifications to the request" in the article from Microsoft on How an Azure application gateway works.
Notes
 

Attachments

    Outcomes