Article Content
Article Number | 000032125 |
Applies To | RSA Product Set: Adaptive Authentication (OnPrem) RSA Version/Condition: 7.x |
Issue | The user gets a SOAP challenge request error with reason code 1303 in the aa_server log (located in the main logs directory on the server running the AdaptiveAuthentication application, typically /rsa/logs). 2015-11-23 10:28:36,249 WARN [WebContainer : 3] [7d35-:d6b07943151:ebe0494] [TRANSID_UNDEFINED] [com.rsa.csd.impl.RsaSessionImpl] - |
Cause | This issue occurs when a challenge SOAP request is issued without that challenge type being authorized by the previous analyze request. It often happens when a SOAP flow is set up that does not check that the actionCode in the SOAP analyze response is equal to CHALLENGE and does not verify the requiredCredentialList before issuing an appropriate challenge request. This issue can occur when someone changes the event type to SESSION_SIGNIN when the flow has policy rules set up under a different event type, so the intended rule never fires. In a test environment, this error often occurs when no policy rules have been set up, so the analyze request will always fire the "FALLBACK RULE" and the challenge is then issued without checking the analyze response. The flow does not check the results of the analyze SOAP response; it always expects a challenge and issues one anyway, causing the 1303 error. |
Resolution | The issue can be diagnosed by reviewing the policy rules for the users that have errors in the aa_server log and checking which rule actually fired in the forensic log. Search for the user in the audit and forensic logs by using a SHA-1 hash of the username. Hitting the "FALLBACK RULE" would indicate that the appropriate policy rule was either never created or not created for the event type used in the analyze request. There could also be an issue with the condition on the policy rule that was expected to fire. Verify the policy rules are set up properly in Back Office so that a CHALLENGE is initiated when the conditions are met. Ensure your application code checks the analyze response before issuing a challenge. |
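
The check described under Cause and Resolution, sketched as an added example (not RSA's code and not part of the original article). Only actionCode, requiredCredentialList and CHALLENGE come from the article; the XML layout, the credentialType element, the sample values and the function names are constructed for illustration and do not reproduce the product's WSDL.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified analyze responses (assumed layout, not the real schema).
CHALLENGE_RESPONSE = """<analyzeResponse>
  <actionCode>CHALLENGE</actionCode>
  <requiredCredentialList>
    <credentialType>QUESTION</credentialType>
    <credentialType>OOBSMS</credentialType>
  </requiredCredentialList>
</analyzeResponse>"""

# What a flow sees when only the "FALLBACK RULE" fires: no challenge authorized.
FALLBACK_RESPONSE = """<analyzeResponse>
  <actionCode>ALLOW</actionCode>
  <requiredCredentialList/>
</analyzeResponse>"""


def _local(tag):
    """Strip any XML namespace so lookups also work on namespaced SOAP bodies."""
    return tag.rsplit("}", 1)[-1]


def authorized_challenges(analyze_xml):
    """Return the credential types this analyze response authorizes, else []."""
    # The response comes from your own AA server; use a hardened parser
    # (for example defusedxml) if the XML could be attacker-influenced.
    root = ET.fromstring(analyze_xml)
    action, creds = None, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "actionCode":
            action = (el.text or "").strip()
        elif name == "requiredCredentialList":
            creds = [(c.text or "").strip() for c in el.iter()
                     if _local(c.tag) == "credentialType" and (c.text or "").strip()]
    # A credential list is only meaningful when the action is CHALLENGE.
    return creds if action == "CHALLENGE" else []


def next_step(analyze_xml, supported):
    """Pick the challenge to send, or refuse to send one at all."""
    allowed = authorized_challenges(analyze_xml)
    for cred in supported:            # application's own preference order
        if cred in allowed:
            return ("challenge", cred)
    return ("no_challenge", None)     # sending one here is what yields 1303
```

A flow that calls `next_step` before building the challenge request never sends a challenge type the preceding analyze response did not authorize.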