000038319 - Users unable to authenticate with LDAP password on both Security Console and Self-Service Console for RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jan 7, 2020
Version 1

Article Number: 000038319
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
  • Users are unable to authenticate with LDAP password on both the Security Console and Self-Service Console for RSA Authentication Manager 8.x.
  • Authentication methods are correctly set for both the Security Console and Self-Service Console from the System Settings page.
  • The connection to the LDAP server is plain LDAP, not LDAP over SSL (LDAPS).
  • Users are able to log in with the same LDAP password on other, non-RSA applications.
  • The imsTrace.log in Verbose mode shows the following messages:

2019-08-02 00:59:20,077, [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'
(MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, rsadc.mynetwork.lan,,,,Method
returned response AuthenticationContextImpl[brokerState=in_progress,methodState= <null>,sessionCtx=
<null>,methodAuthenticationState=failed,netAddress=/10.X.X.X,agent=
<null>,zombieSession=false,authenticationState=<null>,requestHiddenParameters={},principalId=
<null>,usingTransientSession=false,desiredPolicyGuid=c56399a2749110ac00d44d644862f5b2,session=[SessionImpl
id=bbbc6b793685920a7329459e9ac6cfda-6dc7YUJUdiKp creationTime=1564729140799
principal=null],identitySourceGuid=332bf2683685920a627511bb3f9e8ffd,principalGuid=
<null>,authenticationPolicy={security level : 1, policy expression :
RSA_Password/LDAP_Password/SecurID_Native},directRequest=false,sessionChoiceAction=0,newAuthInfo=
<null>,emergencyAuthentication=false,responsePromptParameters=
[],principal=Principal{key=457f56a23685920a21a27a954f9c83a3, userID='RSAUSER', firstName='FirstName',
middleName='null', lastName='LastName', email='RSAUSER@example.com', beginDate=null, inactiveDate=null,
lastLogin=Fri Aug 02 00:17:58 MDT 2019, certDN='null', description='null', password='*****', enabled=true,
identitySource=332bf2683685920a627511bb3f9e8ffd, securityDomain=000000000000000000001000e0011000,
identitySourceKey='cn=RSAUSER,ou=users and groups,dc=mynetwork,dc=lan', rowVersion=71,
lastUpdatedBy='superadmin', lastUpdatedOn=Mon Jul 22 07:54:58 MDT 2019, startDate=Mon Nov 23 00:24:17 MST
2015, expirationDate=null, registrationFlag=true, impersonatableFlag=false, impersonatorFlag=false,
failPasswordCount=1, failPasswordDate=Fri Aug 02 00:58:50 MDT 2019, changePasswordFlag=true,
changePasswordDate=Sat Apr 13 00:13:11 MDT 2019, lockoutFlag=false, expireLockoutDate=Mon Jul 22 07:54:58
MDT 2019, attributes=null, authenticators=[ 1, 3 ], administrator=true, securityQuestionsAnswers=null,
securityQuestionsRequiredAuthn=3, securityQuestionsRequiredReg=0, securityQuestionsLocaleLanguage=null,
securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null, firstRBAuthenticationDate=null,
lastUsedSecondaryAuth=-1},agentDetails=<null>,userDetails=<null>,authnPolicyDetails=
<null>,credentialValidation=false,message=<null>,transactionContext=<null>,step=
<null>,sessionId=bbbc6b793685920a7329459e9ac6cfda-6dc7YUJUdiKp,desiredAuthenticationMethodId=LDAP_Password,
authenticator=com.rsa.ims.admin.Authenticator@3a84b9ee,gradedAuthenticationRequest=true,
emergencyAuthenticationRequest=false,responseHiddenParameters=[]]

 

Cause

The affected users were internal users who were migrated from the internal database to an external identity source with the export and import tool in the Security Console (Administration > Export/Import Tokens and Users > Export Tokens and Users). These users had the Force Password Change flag turned on while they were still internal users, and the flag was carried over with them. Authentication Manager therefore still treats the user as owing a password change, but the password now lives in the LDAP directory, where Authentication Manager cannot change it, so the LDAP password authentication fails. The trace above shows this combination: changePasswordFlag=true alongside methodAuthenticationState=failed for desiredAuthenticationMethodId=LDAP_Password.

Opening the user in Edit mode within the Security Console shows that the Force Password Change flag is enabled for the affected users.


Attempting to uncheck the Force Password Change option for such a user in the Security Console fails with an error, so the flag cannot be cleared through the console.
Workaround

Before making any database changes, take a full backup of the database from the Operations Console (Maintenance > Backup and Restore > Backup Now) or take a snapshot of the virtual server.


 

  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin, either at the local console or over Secure Shell. If SSH is not already enabled, see Enable Secure Shell on the Appliance.


login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter the operating system password>
Last login: Mon Oct 17 12:11:02 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am


  3. Navigate to /opt/rsa/am/utils.
  4. Capture the database password string, entering the Operations Console administrator name and password when prompted.


rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter the Operations Console administrator name>
Please enter OC Administrator password: <enter the Operations Console administrator password>
com.rsa.db.dba.password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


  5. Connect to the PostgreSQL database as rsa_dba, using the password string captured in step 4.


rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password string captured from Step 4 above>
psql.bin (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

db=#


  6. Run the following SELECT query from the db=# prompt:


db=# SELECT change_password_flag, loginuid, id FROM ims_principal_data WHERE loginuid = '<Affected UserID>';


The affected users will have the change_password_flag column set to true.


  7. Run the following UPDATE query from the db=# prompt. The WHERE clause is essential: without it the statement would clear the flag for every principal in the database, internal users included.


db=# UPDATE ims_principal_data SET change_password_flag = 'false' WHERE loginuid = '<Affected UserID>';


  8. Run the SELECT query from step 6 again for the user and confirm that change_password_flag is now false.
  9. From the Security Console, run a quick search for the previously affected users and confirm that the Force Password Change flag is disabled for each of them.
  10. Authenticate with the LDAP password on both the Security Console and the Self-Service Console; authentication should now succeed.
  11. If many users are affected, run the following UPDATE query instead. It clears the flag for every user in every external (non-internal) identity source, not only the migrated ones, so review the result in the Security Console afterwards. Enter it as a single statement; the line break below is only for readability.


db=# UPDATE ims_principal_data SET change_password_flag = 'false' WHERE change_password_flag = 'true'
AND identity_src_id IN (SELECT id FROM ims_identity_source WHERE internal_store = false);
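The single-user UPDATE in step 7 and the bulk UPDATE in step 11 both modify ims_principal_data directly, with no review of what will change before it is committed. The following is an added example, not part of the original RSA article, showing how to run the bulk fix inside a transaction so that the affected rows are listed first, the UPDATE row count can be compared against that list, and the change can be rolled back if it is not what was expected. It uses only the table and column names that appear in the article's own queries (ims_principal_data, ims_identity_source, change_password_flag, identity_src_id, internal_store, loginuid, id) and assumes it is typed into the same psql session opened in step 5.

```sql
-- Added example, not from the original RSA article.
-- Run at the db=# prompt from step 5. Everything below happens in one
-- transaction, so nothing is permanent until COMMIT.
BEGIN;

-- 1. Preview: list every row the bulk UPDATE would touch, using the same
--    predicate the UPDATE uses. Review the loginuids before going further;
--    this is where a user who should keep the flag would show up.
SELECT p.id, p.loginuid, p.change_password_flag, p.identity_src_id
  FROM ims_principal_data p
  JOIN ims_identity_source s ON s.id = p.identity_src_id
 WHERE p.change_password_flag = true
   AND s.internal_store = false
 ORDER BY p.loginuid;

-- 2. Clear the flag for exactly those rows. psql reports "UPDATE <n>";
--    <n> must equal the number of rows returned by the preview.
UPDATE ims_principal_data
   SET change_password_flag = false
 WHERE change_password_flag = true
   AND identity_src_id IN (SELECT id FROM ims_identity_source
                            WHERE internal_store = false);

-- 3. Verify: the same predicate must now match zero rows.
SELECT count(*) AS still_flagged
  FROM ims_principal_data p
  JOIN ims_identity_source s ON s.id = p.identity_src_id
 WHERE p.change_password_flag = true
   AND s.internal_store = false;

-- 4. Make the change permanent only if the counts in steps 2 and 3 were
--    as expected; otherwise undo it with ROLLBACK instead.
COMMIT;
-- ROLLBACK;
```

For a single user, keep the same structure and replace the predicate in steps 1 to 3 with `loginuid = '<Affected UserID>'`; in every case the UPDATE must carry a WHERE clause, because an unconstrained UPDATE on ims_principal_data would clear the flag for every principal, internal users included.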


 
