000015141 - AxM - AA No Error message when wrong answer given on Security Challenge

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000015141
Applies To: RSA Access Manager 6.x
RSA Access Manager Agent v4.7.1.x for IIS6
RSA Adaptive Authentication On Premise
Issue
AxM - AA No Error message when wrong answer given on Security Challenge
The challenge page (ct_challenge.asp) gives the user no indication when the challenge question is answered incorrectly. The page appears to contain the code to display an error, but the agent does not present one.
Cause

The AA integration code currently handles only two or three AA error codes. The codes handled by the integration adapter are exposed through the following property:
cleartrust.adaptive_auth.handled.error.codes=1003,1453,1605
For these error codes the error description sent by the AA system is displayed. All other error codes produce a generic message such as 'Unknown error - Please contact administrator'.

Because a wrong answer to the challenge question is an authentication failure and not an AA_OPERATION_FAILED condition, the agents also need a change. The changes added to the AA integration allow error messages sent by AA to be passed on to the agents without further code changes. If the response messages have to be formatted, extensions can be written as custom error handlers and configured for specific error codes.

The response to the authenticate call to AA does not return a message such as 'Incorrect Security Challenge response' or a reason code 3401. As the capture below shows, the call itself reports success (statusHeader statusCode 200, reasonCode 0, callStatus SUCCESS); the wrong answer is visible only in the credential-level authStatusCode of FAIL and the challengeQuestionMatchResult counts (matchCount 0, failCount 1):

<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
 <ns1:authenticateReturn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns1:AuthenticateResponse">
  <ns1:deviceResult>
   <ns1:authenticationResult>
    <ns1:authStatusCode>FAIL</ns1:authStatusCode>
    <ns1:risk>0</ns1:risk>
   </ns1:authenticationResult>
   <ns1:callStatus>
    <ns1:statusCode>SUCCESS</ns1:statusCode>
    <ns1:statusDescription></ns1:statusDescription>
   </ns1:callStatus>
   <ns1:deviceData>
    <ns1:bindingType>NONE</ns1:bindingType>
    <ns1:deviceTokenCookie>PMV508w2CYKTqLS4vT9jxGzg4jCqU1bhD8EukjzB%2BU%2FJUeBrIDM9n8kXlyLhTmrzhGPwSu</ns1:deviceTokenCookie>
    <ns1:deviceTokenFSO>PMV508w2CYKTqLS4vT9jxGzg4jCqU1bhD8EukjzB%2BU%2FJUeBrIDM9n8kXlyLhTmrzhGPwSu</ns1:deviceTokenFSO>
   </ns1:deviceData>
  </ns1:deviceResult>

  <ns1:identificationData>
   <ns1:delegated>true</ns1:delegated>
   <ns1:groupName></ns1:groupName>
   <ns1:sessionId>1505e2ac:1298324d230:-7fc8</ns1:sessionId>
   <ns1:transactionId>TRX_1505e2ac:1298324d230:-7fc7</ns1:transactionId>
   <ns1:userName>newuser</ns1:userName>
   <ns1:userStatus>VERIFIED</ns1:userStatus>
   <ns1:userType>PERSISTENT</ns1:userType>
  </ns1:identificationData>

  <ns1:messageHeader>
   <ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
   <ns1:requestType>AUTHENTICATE</ns1:requestType>
   <ns1:timeStamp>2010-06-29 15:22:52.843</ns1:timeStamp>
   <ns1:version>6.0</ns1:version>
  </ns1:messageHeader>

  <ns1:statusHeader>
   <ns1:reasonCode>0</ns1:reasonCode>
   <ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
   <ns1:statusCode>200</ns1:statusCode>
  </ns1:statusHeader>

  <ns1:credentialAuthResultList xsi:type="ns1:CredentialAuthResultList">
   <ns1:challengeQuestionAuthResult>
    <ns1:payload>
     <ns1:authenticationResult>
      <ns1:authStatusCode>FAIL</ns1:authStatusCode>
      <ns1:risk>100</ns1:risk>
     </ns1:authenticationResult>
     <ns1:callStatus>
      <ns1:statusCode>SUCCESS</ns1:statusCode>
      <ns1:statusDescription></ns1:statusDescription>
     </ns1:callStatus>
     <ns1:challengeQuestionMatchResult>
      <ns1:failCount>1</ns1:failCount>
      <ns1:matchCount>0</ns1:matchCount>
     </ns1:challengeQuestionMatchResult>
    </ns1:payload>
   </ns1:challengeQuestionAuthResult>
  </ns1:credentialAuthResultList>

  <ns1:requiredCredentialList>
   <ns1:requiredCredential>
    <ns1:credentialType>QUESTION</ns1:credentialType>
    <ns1:groupName>DEFAULT</ns1:groupName>
    <ns1:preference>0</ns1:preference>
    <ns1:required>true</ns1:required>
   </ns1:requiredCredential>
  </ns1:requiredCredentialList>
 </ns1:authenticateReturn>
</ns1:authenticateResponse>

Resolution
Both server-side and agent-side hot fixes are required. Contact RSA Customer Support and request Access Manager hot fix 6.0.4.50 or higher for the server side and agent hot fix 4.7.1.8 or higher for the IIS agent. These hot fixes are cumulative. The fixes will be ported to the Access Manager 6.1.2.x server side and eventually to the 4.9 agents.
Notes
Addition to adaptive_auth-onpremise-6021.conf

##############################################################################
# Error / Exception Handling
##############################################################################
# Specifies the list of error handlers defined for handling error responses
# from RSA Adaptive Authentication Web Services. The error handlers will be
# responsible for extracting the error information from the response and
# sending them back to the RSA Access Manager Agents.
#
# Allowed Values:
# A comma separated list of strings that contain no spaces or special
# characters. Each name must be unique.
#
# Dependencies:
# The name(s) you select here must be reflected in the parameters listed in
# the sections below. Each error handler must have its set of required
# parameters. If you specify a handler name as 'DataValidationHandler' then
# its corresponding parameters will be
# cleartrust.adaptive_auth.error.handler.DataValidationHandler.class and
# cleartrust.adaptive_auth.error.handler.DataValidationHandler.handled.error.
# codes.
#
# Example :
# cleartrust.adaptive_auth.error.handlers.list=default,DataValidationHandler
#
cleartrust.adaptive_auth.error.handlers.list=default,DataValidationHandler

# This required parameter specifies the fully qualified class name of the
# error handler that extends the sirrus.authserver.aa.handlers.ErrorHandler.
#
# Allowed Values:
# A fully qualified class name.
#
# Default Value:
# None
#
# Example:
# cleartrust.adaptive_auth.error.handler.default.class=sample.aa.ErrorHandler
#
cleartrust.adaptive_auth.error.handler.default.class=sirrus.authserver.aa.handlers.DefaultErrorHandler
cleartrust.adaptive_auth.error.handler.DataValidationHandler.class=sirrus.authserver.aa.handlers.DataValidationErrorHandler

# This required parameter specifies the list of RSA Adaptive Authentication
# Web Services reason codes recognized by the handler.
#
# Allowed Values:
# All reason codes specified in the RSA Adaptive Authentication Web Services
# API Reference Guide.
#
# Default Value:
# None
#
cleartrust.adaptive_auth.error.handler.default.handled.error.codes=1003
cleartrust.adaptive_auth.error.handler.DataValidationHandler.handled.error.codes=1605,1453
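To show how the two pieces above fit together, here is an added example in Python (written for this article, not RSA code). It reads the handler properties from the conf fragment in these Notes, then classifies an AA authenticate response like the one captured under Cause: a non-zero statusHeader reasonCode is shown with AA's own reasonDescription when a configured handler owns that code and with the generic message otherwise, while a reasonCode of 0 with a credential-level authStatusCode of FAIL is reported as a wrong challenge answer, a message AA itself never sends. The function names, the constructed sample responses, the PASS_VALUES set and the message strings are assumptions; the property names and values are the ones from this article.

```python
"""Classify RSA Adaptive Authentication (AA) authenticate responses so the
Access Manager side can show the user something useful.  Added example
written for this article, not RSA code; the helper names, the PASS_VALUES
set and the message strings are assumptions."""
import xml.etree.ElementTree as ET

NS = {"ns1": "http://ws.csd.rsa.com"}
GENERIC = "Unknown error - Please contact administrator"
PASS_VALUES = {"SUCCESS"}  # assumed pass value; confirm against the AA API Reference

# Constructed properties fragment using the names and values from the
# adaptive_auth-onpremise conf shown in this article.
CONF = """
cleartrust.adaptive_auth.error.handlers.list=default,DataValidationHandler
cleartrust.adaptive_auth.error.handler.default.class=sirrus.authserver.aa.handlers.DefaultErrorHandler
cleartrust.adaptive_auth.error.handler.DataValidationHandler.class=sirrus.authserver.aa.handlers.DataValidationErrorHandler
cleartrust.adaptive_auth.error.handler.default.handled.error.codes=1003
cleartrust.adaptive_auth.error.handler.DataValidationHandler.handled.error.codes=1605,1453
"""

def handled_codes(conf_text):
    """Map each AA reason code to the handler configured for it.  A handler
    named in handlers.list without a .class property is a config error."""
    props = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    base = "cleartrust.adaptive_auth.error.handler."
    mapping = {}
    for name in props.get("cleartrust.adaptive_auth.error.handlers.list", "").split(","):
        name = name.strip()
        if not name:
            continue
        if base + name + ".class" not in props:
            raise ValueError("no .class property for error handler " + name)
        for code in props.get(base + name + ".handled.error.codes", "").split(","):
            if code.strip():
                mapping[int(code)] = name
    return mapping

def classify(xml_text, codes):
    """Return (outcome, user_message): 'ERROR' for a failed AA call, 'FAIL' or
    'PASS' for a completed one.  The trap this article is about: a wrong
    answer comes back with statusCode 200, reasonCode 0 and callStatus
    SUCCESS; only the credential-level authStatusCode says FAIL."""
    root = ET.fromstring(xml_text)
    reason = int(root.findtext(".//ns1:statusHeader/ns1:reasonCode", "0", NS))
    if reason != 0:
        # AA_OPERATION_FAILED path: AA's own description only for codes a
        # configured handler owns, the generic text for everything else.
        if reason in codes:
            return "ERROR", root.findtext(".//ns1:statusHeader/ns1:reasonDescription", GENERIC, NS)
        return "ERROR", GENERIC
    payload = root.find(".//ns1:challengeQuestionAuthResult/ns1:payload", NS)
    if payload is None:
        return "ERROR", GENERIC  # no credential result at all: fail closed
    status = payload.findtext("ns1:authenticationResult/ns1:authStatusCode", "", NS)
    if status in PASS_VALUES:
        return "PASS", ""
    match = payload.findtext("ns1:challengeQuestionMatchResult/ns1:matchCount", "0", NS)
    fail = payload.findtext("ns1:challengeQuestionMatchResult/ns1:failCount", "0", NS)
    if status == "FAIL":
        # AA never sends this text (see the capture above); the agent must produce it.
        return "FAIL", f"Incorrect Security Challenge response ({match} correct, {fail} incorrect)"
    return "FAIL", GENERIC  # unknown status value: also fail closed

# Constructed response keeping the elements that matter from the article's
# capture: the call succeeded, but the challenge answer did not match.
WRONG_ANSWER = """<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
 <ns1:authenticateReturn>
  <ns1:statusHeader><ns1:reasonCode>0</ns1:reasonCode>
   <ns1:reasonDescription>Operations were completed successfully</ns1:reasonDescription>
   <ns1:statusCode>200</ns1:statusCode></ns1:statusHeader>
  <ns1:credentialAuthResultList><ns1:challengeQuestionAuthResult><ns1:payload>
   <ns1:authenticationResult><ns1:authStatusCode>FAIL</ns1:authStatusCode></ns1:authenticationResult>
   <ns1:callStatus><ns1:statusCode>SUCCESS</ns1:statusCode></ns1:callStatus>
   <ns1:challengeQuestionMatchResult><ns1:failCount>1</ns1:failCount>
    <ns1:matchCount>0</ns1:matchCount></ns1:challengeQuestionMatchResult>
  </ns1:payload></ns1:challengeQuestionAuthResult></ns1:credentialAuthResultList>
 </ns1:authenticateReturn>
</ns1:authenticateResponse>"""

def error_response(code, description):
    """Constructed minimal response for a failed call (non-zero reasonCode)."""
    return f"""<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
 <ns1:authenticateReturn><ns1:statusHeader><ns1:reasonCode>{code}</ns1:reasonCode>
  <ns1:reasonDescription>{description}</ns1:reasonDescription>
  <ns1:statusCode>500</ns1:statusCode></ns1:statusHeader></ns1:authenticateReturn>
</ns1:authenticateResponse>"""

if __name__ == "__main__":
    codes = handled_codes(CONF)
    print(classify(WRONG_ANSWER, codes))
    print(classify(error_response(1453, "Data validation failed"), codes))
    print(classify(error_response(3401, "Some unlisted failure"), codes))
```

Anything other than an explicit pass value falls through to FAIL, so a missing or unexpected authStatusCode is never taken as a successful challenge; that is the check worth keeping wherever a callStatus of SUCCESS or a statusCode of 200 is being read as "the user passed".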
 
Legacy Article ID: a51667
