000031557 - Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSeal in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 9, 2020.
Version 3

Article Content

Article Number: 000031557
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: IBM WebSEAL 6.1.1.x
Platform (Other): IBM Security Access Manager (formerly called IBM Tivoli Access Manager)
Issue
  • Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSEAL in RSA Authentication Manager 8.x.
  • If the token is not in Next Tokencode Mode or New PIN Mode, authentication is successful.
  • Underlying the IBM WebSEAL is the RSA Authentication Agent for PAM.
  • Both Next Tokencode Mode and New PIN Mode work as expected with the PAM acetest utility.
  • Therefore, the problem is specific to using WebSEAL.
Cause
IBM WebSEAL is not configured to maintain the session setting that the RSA Agent API needs to complete multi-transaction authentications such as Next Tokencode Mode and New PIN Mode.
Resolution
To resolve the issue, follow the steps below.
  1. Create a new setting in the WebSEAL configuration:

     create-unauth-sessions = yes

  2. Restart the WebSEAL application.

This will allow for successful authentications when a token is in either Next Tokencode Mode or New PIN Mode.
 
Notes
The create-unauth-sessions = yes setting only works in WebSEAL version 6.1.1.9 or later.
If consulting with IBM Support, reference IBM PMR 40092,122,000 for more information.
