000017178 - Authentication error after provisioning account - AxM

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000017178
Applies To: RSA Access Manager (AxM) 6.2; RSA Federated Identity Manager (FIM) 4.2
Issue: Authentication error after provisioning account.
Error in aserver.log:
           sequence_number=387107,2014-01-09 09:49:08:96 EST,messageID=1006,user=user1,result_code=0,result_action=Authentication Failure,result_reason=Inactive Account

Error in agent.log file:

          2014-09-10 14:48:31 -0400 - [3086666336] - <Security> - User user1 has expired or inactive account.

 

Cause: This error occurs when customers design their own provisioning code and do not allow for potential clock drift between the aserver and the adminAPI call that creates the account. If the time on the aserver is slightly ahead of the adminAPI, then the account may not yet be valid when the authentication occurs.
Resolution: When creating an account, add a skew of several minutes to the "Account Start Date" so that it occurs in the past. This ensures that the account is valid even if the times on the servers are not exactly the same.
Notes: This affects plugins made for RSA Federated Identity Manager (FIM) as well.
Legacy Article ID: a67830
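The following is an added example, not RSA code and not part of the original article. It models the start-date check when the two clocks disagree, computes a backdated "Account Start Date", and scans aserver.log records for the "Inactive Account" failure shown above. It does not call the adminAPI; the 5-minute skew, the function names and the second sample log line are assumptions.

```python
from datetime import datetime, timedelta

START_SKEW = timedelta(minutes=5)  # assumed; the article only says "several minutes"

def backdated_start(provisioner_now, skew=START_SKEW):
    """Account Start Date to submit: provisioning host's time minus the skew."""
    return provisioner_now - skew

def is_active(start_date, server_now):
    """Simplified model of the server check: active once the start date has passed."""
    return start_date <= server_now

def parse_aserver_line(line):
    """Split one aserver.log record into a dict; the bare field is the timestamp."""
    record = {}
    for field in line.strip().split(","):
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
        else:
            record["timestamp"] = field
    return record

def inactive_account_users(lines):
    """Users whose authentication failed with result_reason=Inactive Account."""
    users = []
    for rec in map(parse_aserver_line, lines):
        if (rec.get("result_action") == "Authentication Failure"
                and rec.get("result_reason") == "Inactive Account"):
            users.append(rec.get("user"))
    return users

# First line is the record quoted in the article; the second is constructed.
SAMPLE_LOG = [
    "sequence_number=387107,2014-01-09 09:49:08:96 EST,messageID=1006,user=user1,"
    "result_code=0,result_action=Authentication Failure,result_reason=Inactive Account",
    "sequence_number=387108,2014-01-09 09:49:09:10 EST,messageID=1006,user=user2,"
    "result_code=0,result_action=Authentication Failure,result_reason=Bad Password",
]

if __name__ == "__main__":
    created = datetime(2014, 1, 9, 9, 49, 10)   # provisioning host clock (constructed)
    server = created - timedelta(seconds=2)     # checking clock reads 2 s earlier
    print("start = now:     ", is_active(created, server))
    print("start = now - 5m:", is_active(backdated_start(created), server))
    print("affected users:  ", inactive_account_users(SAMPLE_LOG))
```

Backdating only covers drift smaller than the chosen skew, so the skew should exceed the largest clock difference expected between the hosts.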
