000024036 - Restricted Access Agent Auth Fails for External Active Directory User

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2


Article Number: 000024036

Applies To:
- The runtime identity source is configured to the parent domain, but the user exists in a child domain.
- The runtime identity source is configured to use the Global Catalog, but on port 389 or 636 instead of 3268 or 3269, and the user is not part of the domain the GC server belongs to.
- The user is a member of a Universal group and is configured correctly for group-restricted access authentication.
Issue: Authentication fails through a restricted agent using Active Directory.
Runtime Activity Log message: "Principal does not belong to any groups activated on restricted agent"
System log message: "UNKNOWN_LDAP_EXCEPTION" javax.naming.PartialResultException
com.rsa.common.UnexpectedDataStoreException: javax.naming.PartialResultException:
[LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, 1 access points\n ref 1: 'csau.ap.rsa.com'\n]; remaining name 'cn=smith\, john,ou=users,ou=prem,ou=staff,dc=csau,dc=ap,dc=rsa,dc=com',
    at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getAttrVals(GroupAccessLDAP.java:932),
    at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getMemberOfGuids(GroupAccessLDAP.java:956),
    at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getMemberOfGroups(GroupAccessLDAP.java:978),
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.getMemberOfGroupsForPrincipal(GroupAdministrationImpl.java:2562),
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.getAllGroupsPrincipalBelongsTo(GroupAdministrationImpl.java:2682),
    at com.rsa.authmgr.internal.admin.agentmgt.impl.k.a(k.java:1153),
    at com.rsa.authmgr.internal.admin.principalres.impl.g.run(g.java:688),
    at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:91),
    at com.rsa.security.SecurityContext.doAs(SecurityContext.java:408),
    at com.rsa.authmgr.internal.admin.principalres.impl.a.a(a.java:684),
    . . .
Description: Administrator 'GateKeeper' attempted to read a group
Activity Result Key: Warning
Result: UNEXPECTED_LDAP_EXCEPTION
Administrator User ID: GateKeeper
Administrator First Name: Admin
Administrator Last Name: Admin
Administrator Security Domain: SystemDomain
Administrator Identity Source Name: Internal Database
Activity Key: Read group
Activity Result Key: Warning
Instance Name: test.company.com
Client IP: 10.23.12.22
Server Node IP: 199.20.101.72
Component Key: system.com.rsa.ims.admin.dal.ldap.BaseAccessLDAP
Argument 1: MyIdentitySourceName
Argument 2: (& (objectClass=group) (cn=groupname*))
Argument 3: N/A
Argument 4: N/A
Argument 5: N/A
Argument 6: N/A
Exception: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=company,DC=com',
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763),
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737),
    at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129),
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198),
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171),
    at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.searchGroup(GroupAccessLDAP.java:588),
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.search(GroupAdministrationImpl.java:1635),
    at com.rsa.admin.SearchGroupsCommand.performExecute(SearchGroupsCommand.java:183),
    at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:75),
    . . .
 
 
Cause

Cause 1:
The PartialResultException is generated because Authentication Manager does not support LDAP referrals and therefore cannot retrieve all the attributes it needs. You will see this message when the identity source connects to a directory that does not contain the user: for example, a Global Catalog server reached on port 389 or 636 (a plain domain-controller connection, so only that server's own domain is visible and the user is not local to it), or a domain controller for a domain the user does not exist in. The user and group may be perfectly valid in a subdomain, but because Authentication Manager does not follow the referral to that subdomain, the lookup fails.

Cause 2:
The answer from LDAP was too large to be transmitted and processed within the time allowed for authentication to complete.
Resolution

Solution for Cause 1:
Either configure the Global Catalog identity source to use port 3268 or 3269 (a real Global Catalog connection), or create domain-controller-based identity sources for the subdomains that contain the users and groups. In the latter case each subdomain is a separate identity source mapped to the realm.
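The following Python diagnostic is an added example, not RSA code: it applies the Cause 1 reasoning to an identity source's base DN and port and to the user DN from the log extract above, and pulls the referral target out of the RefErr message. The parent-domain base DN dc=ap,dc=rsa,dc=com and the RefErr text are constructed from the article's own log lines.

```python
"""Added diagnostic (not RSA code): decide whether an identity source's
connection can resolve a user without an LDAP referral."""
import re

GC_PORTS = {3268, 3269}   # Global Catalog ports (LDAP / LDAPS): serve the whole forest
# Ports 389/636 are ordinary domain controller ports: they serve one domain only.

# Constructed inputs taken from the article's log extract.
USER_DN = "cn=smith\\, john,ou=users,ou=prem,ou=staff,dc=csau,dc=ap,dc=rsa,dc=com"
REFERR_LINE = ("[LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, "
               "1 access points\\n ref 1: 'csau.ap.rsa.com'\\n]")


def dn_domain(dn):
    """DNS domain implied by the DC= components of a DN; escaped commas
    inside a value (cn=smith\\, john) are not treated as separators."""
    parts = re.split(r"(?<!\\),", dn)
    dcs = [p.split("=", 1)[1].strip() for p in parts
           if p.strip().lower().startswith("dc=")]
    return ".".join(dcs).lower()


def referral_target(log_line):
    """Domain the directory referred us to in an AD RefErr message, or None."""
    m = re.search(r"ref \d+: '([^']+)'", log_line)
    return m.group(1).lower() if m else None


def diagnose(base_dn, port, user_dn):
    """Classify identity-source settings against the DN the user really has."""
    src, usr = dn_domain(base_dn), dn_domain(user_dn)
    if usr == src:
        return "ok: user lives in the identity source's own domain"
    if not usr.endswith("." + src):
        return "mismatch: user domain %s is outside base DN domain %s" % (usr, src)
    if port in GC_PORTS:
        return "ok: child-domain user, but GC port %d covers the whole forest" % port
    # Port 389/636: the server answers only for its own domain and hands back a
    # referral, which Authentication Manager does not follow -> PartialResultException.
    return ("referral: user is in child domain %s but port %d only serves %s; "
            "use 3268/3269 or add an identity source for %s" % (usr, port, src, usr))


if __name__ == "__main__":
    print(diagnose("dc=ap,dc=rsa,dc=com", 389, USER_DN))
    print("referral pointed at:", referral_target(REFERR_LINE))
```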
Solution for Cause 2:
A fix has been created to reduce the amount of information retrieved from LDAP while performing authentications against a restricted agent host.
Legacy Article ID: a38946
