Applies To: RSA Access Manager 6.2; Microsoft Windows Active Directory

Issue: "Unknown User" error occurs for users that are known to exist in the database.
The following error message appears in the aserver.log (lserver.log) for users that are known to exist in the database. It occurs when bind authentication is in use (cleartrust.data.ldap.password.validate_with_connect : true).
sequence_number=63490,2014-09-15 13:20:18:540 CDT,messageID=1021,user=user1,client_ip_address=192.168.2.198,client_port=45215,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
This error can occur when the result of the bind authentication is not an authentication success, but the failure is not one of the known authentication failure reasons. RSA Access Manager defaults the result reason to "Unknown User", and if no other failure condition is detected this is what is logged. The known authentication failure reasons, keyed by the Active Directory sub-error code returned in the bind response, are:

| AD code | Active Directory meaning | Access Manager result reason |
|---|---|---|
| 525 | user not found | UNKNOWN_USER |
| 52e | invalid credentials | CT_AUTH_BAD_PASSWORD |
| 530 | not permitted to logon at this time | CT_AUTH_BAD_PASSWORD |
| 531 | not permitted to logon at this workstation | CT_AUTH_BAD_PASSWORD |
| 532 | password expired | EXPIRED_PASSWORD |
| 533 | account disabled | INACTIVE_ACCOUNT |
| 701 | account expired | EXPIRED_ACCOUNT |
| 773 | user must reset password | FORCED PASSWORD_EXPIRED |
| 775 | user account locked | ADMIN_LOCKOUT |
Resolution: This typically occurs when there is a performance issue with Active Directory, but the LDAP service is still accepting new connections, so the condition does not trigger an LDAP failover.

Put the aserver in debug mode and look for the AD response codes listed above (these are only examples; other failures are possible). Correct the underlying directory issue.
See http://support.microsoft.com/kb/218185 for a full list of possible errors.
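The mapping above, and the triage step in the Resolution, can be worked through with a small script. The following is an added example written for this article; it is not RSA code and it does not reproduce Access Manager's real parsing. It assumes the standard Active Directory bind diagnostic format ("... AcceptSecurityContext error, data 52e, ...") and the comma-separated key=value layout of the aserver.log line shown above. The diagnostic strings, the second and third log records and the list of known users are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# AD sub-error codes from the bind diagnostic message -> Access Manager reason,
# exactly as tabulated in the article.
AD_SUBCODE_TO_REASON = {
    "525": "UNKNOWN_USER",
    "52e": "CT_AUTH_BAD_PASSWORD",
    "530": "CT_AUTH_BAD_PASSWORD",
    "531": "CT_AUTH_BAD_PASSWORD",
    "532": "EXPIRED_PASSWORD",
    "533": "INACTIVE_ACCOUNT",
    "701": "EXPIRED_ACCOUNT",
    "773": "FORCED PASSWORD_EXPIRED",
    "775": "ADMIN_LOCKOUT",
}
# What gets logged when no known failure condition matches.
DEFAULT_REASON = "UNKNOWN_USER"

# AD reports the sub-code as "data <hex>" inside the diagnostic text.
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def extract_ad_subcode(diagnostic: str) -> Optional[str]:
    """Pull the 'data NNN' sub-code out of an AD bind diagnostic message."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def classify_bind_failure(diagnostic: Optional[str]) -> str:
    """Reason code a bind failure collapses to under the article's table.

    A slow or timed-out bind yields no diagnostic at all, and an unmapped
    sub-code is not in the table; both fall through to the default, which
    is why a real user can be logged as 'Unknown User'.
    """
    if not diagnostic:
        return DEFAULT_REASON
    return AD_SUBCODE_TO_REASON.get(extract_ad_subcode(diagnostic), DEFAULT_REASON)


def parse_aserver_line(line: str) -> Dict[str, str]:
    """Parse one comma-separated key=value aserver.log record.

    The bare timestamp field has no '=' and is skipped.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def suspicious_unknown_user_events(
    lines: List[str], known_users: set
) -> List[Tuple[str, str, str]]:
    """Return (sequence_number, user, client_ip) for 'Unknown User' results
    on accounts the directory is known to hold; those are the records the
    article says to investigate as a possible AD performance problem."""
    hits = []
    for line in lines:
        rec = parse_aserver_line(line)
        if rec.get("result_reason") == "Unknown User" and rec.get("user") in known_users:
            hits.append((rec["sequence_number"], rec["user"], rec["client_ip_address"]))
    return hits


# Constructed sample data. The first log line is the one from the article;
# the other two records and the user list are made up for this example.
SAMPLE_LOG = [
    "sequence_number=63490,2014-09-15 13:20:18:540 CDT,messageID=1021,user=user1,"
    "client_ip_address=192.168.2.198,client_port=45215,result_code=1,"
    "result_action=Authentication Failure,result_reason=Unknown User",
    "sequence_number=63491,2014-09-15 13:20:19:101 CDT,messageID=1021,user=user2,"
    "client_ip_address=192.168.2.199,client_port=45216,result_code=1,"
    "result_action=Authentication Failure,result_reason=Bad Password",
    "sequence_number=63492,2014-09-15 13:20:20:007 CDT,messageID=1021,user=nosuchuser,"
    "client_ip_address=192.168.2.200,client_port=45217,result_code=1,"
    "result_action=Authentication Failure,result_reason=Unknown User",
]
KNOWN_USERS = {"user1", "user2"}

# Constructed AD diagnostic strings in the usual AcceptSecurityContext format.
DIAG_BAD_PASSWORD = "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1"
DIAG_LOCKED = "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v1db1"
DIAG_UNMAPPED = "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 999, v1db1"

if __name__ == "__main__":
    for diag in (DIAG_BAD_PASSWORD, DIAG_LOCKED, DIAG_UNMAPPED, None):
        print(repr(diag)[:60], "->", classify_bind_failure(diag))
    for hit in suspicious_unknown_user_events(SAMPLE_LOG, KNOWN_USERS):
        print("investigate:", hit)
```

Run as a script it prints one classification per diagnostic and then the single record worth investigating: sequence 63490 for user1, an account that exists, while the "nosuchuser" record is a genuine unknown user and is left alone. The `None` case stands in for a bind that never returned a diagnostic, which is the slow-directory situation the Resolution describes.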
Legacy Article ID: a68130