000032125 - SOAP challenge request error of reason code 1303 in RSA Adaptive Authentication (OnPrem)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032125
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
 
Issue: A user is getting a SOAP challenge request error with reason code 1303 in the aa_server log (located in the main logs directory on the server running the AdaptiveAuthentication application, typically /rsa/logs).
 

2015-11-23 10:28:36,249 WARN [WebContainer : 3] [7d35-:d6b07943151:ebe0494] [TRANSID_UNDEFINED] [com.rsa.csd.impl.RsaSessionImpl] - 
<No transaction has been created yet.>
2015-11-23 10:28:36,250 ERROR [WebContainer : 3] [] [] [com.rsa.csd.ws.impl.AdaptiveAuthenticationImpl] -
<com.rsa.csd.ws.impl.AdaptiveAuthProcessException: Reason Code: 1303
Description: Invalid Transaction Id Error
Unable to retrieve transaction object w/ transaction id = f344-:f32bec33151:8c86dbc_TRX>
com.rsa.csd.ws.impl.AdaptiveAuthProcessException: Reason Code: 1303
Description: Invalid Transaction Id Error
Unable to retrieve transaction object w/ transaction id = f344-:f32bec33151:8c86dbc_TRX
                at com.rsa.csd.ws.impl.helper.GenericHelper.getTransaction(GenericHelper.java:567)

Cause: This issue occurs when a challenge SOAP request is issued without that challenge type being authorized by the previous analyze request. It often happens when a SOAP flow is set up that does not check that the actionCode in the SOAP analyze response is equal to CHALLENGE, and does not verify the requiredCredentialList, before issuing an appropriate challenge request.
This issue can occur when someone changes the event type to SESSION_SIGNIN when the flow has policy rules set up under a different event type, so the intended rule never fires.
In a test environment, this error often occurs when no policy rules have been set up, so the analyze request always fires the "FALLBACK RULE". The challenge is then issued without checking the analyze response.
The flow does not check the results of the analyze SOAP response; it always expects a challenge and issues one anyway, causing the 1303 error.
Resolution: To diagnose the issue, review the policy rules against the users who have errors in the aa_server log and check which rule actually fired in the forensic log. Search for the user in the audit and forensic logs by using a SHA-1 hash of the username.
Hitting the "FALLBACK RULE" indicates that the appropriate policy rule was either never created or was not created for the event type used in the analyze request. There could also be an issue with the condition on the policy rule that was expected to fire.
Verify that the policy rules are set up properly in Back Office so that a CHALLENGE is initiated when the conditions are met. Ensure your application code checks the analyze response before issuing a challenge.
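The check described above, written as a client-side guard. This is an added example, not RSA's code or the product's actual response schema: the sample XML, its nesting and namespace, the credentialType element and the CRED_TYPE_* / OTHER_ACTION values are constructed placeholders, and only actionCode, CHALLENGE and requiredCredentialList are names taken from this article.

```python
import xml.etree.ElementTree as ET

# Constructed analyze responses. The nesting, the namespace, the credentialType
# element and the CRED_TYPE_* / OTHER_ACTION values are placeholders; only
# actionCode, CHALLENGE and requiredCredentialList come from the article.
ANALYZE_CHALLENGE = """<analyzeResponse xmlns="urn:example:aa">
  <triggeredRule><actionCode>CHALLENGE</actionCode></triggeredRule>
  <requiredCredentialList>
    <requiredCredential><credentialType>CRED_TYPE_A</credentialType></requiredCredential>
    <requiredCredential><credentialType>CRED_TYPE_B</credentialType></requiredCredential>
  </requiredCredentialList>
</analyzeResponse>"""

ANALYZE_FALLBACK = """<analyzeResponse xmlns="urn:example:aa">
  <triggeredRule><actionCode>OTHER_ACTION</actionCode></triggeredRule>
</analyzeResponse>"""

ANALYZE_EMPTY_LIST = """<analyzeResponse xmlns="urn:example:aa">
  <triggeredRule><actionCode>CHALLENGE</actionCode></triggeredRule>
  <requiredCredentialList/>
</analyzeResponse>"""


def _named(root, name):
    """All elements with this local name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def authorized_challenges(analyze_xml):
    """Credential types the analyze response authorizes; [] means none."""
    root = ET.fromstring(analyze_xml)
    codes = {(e.text or "").strip() for e in _named(root, "actionCode")}
    if codes != {"CHALLENGE"}:  # missing, mixed or other action: fail closed
        return []
    types = []
    for cred_list in _named(root, "requiredCredentialList"):
        for leaf in cred_list.iter():
            text = (leaf.text or "").strip()
            if len(leaf) == 0 and text:  # leaf element carrying a value
                types.append(text)
    return types


def may_issue_challenge(analyze_xml, credential_type):
    """True only if this challenge type was authorized by the analyze call."""
    return credential_type in authorized_challenges(analyze_xml)
```

Call may_issue_challenge on every analyze response before sending the challenge request; when it returns False, the flow should follow the returned action instead of challenging.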
