000016348 - 'Unknown User' error occurs for users that are known to exist in the database. - AxM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016348
Applies To: RSA Access Manager 6.2
Microsoft Windows Active Directory
Issue: "Unknown User" error occurs for users that are known to exist in the database.
The following error message is written to aserver.log (or lserver.log) for users that are known to exist in the directory. This occurs when bind authentication is in use, that is, when cleartrust.data.ldap.password.validate_with_connect is set to true.

sequence_number=63490,2014-09-15 13:20:18:540 CDT,messageID=1021,user=user1,client_ip_address=192.168.2.198,client_port=45215,result_code=1,result_action=Authentication Failure,result_reason=Unknown User


This error can occur when the result of the bind is not an authentication success but the failure is not one of the known authentication failure reasons. RSA Access Manager defaults the reason to UNKNOWN_USER, and if no other failure condition is detected, that is what gets logged. The known failure reasons are derived from the Active Directory bind sub-code (the "data NNN" value in the LDAP diagnostic message) as follows:

AD sub-code   Meaning                                    Access Manager reason
525           user not found                             UNKNOWN_USER
52e           invalid credentials                        CT_AUTH_BAD_PASSWORD
530           not permitted to logon at this time        CT_AUTH_BAD_PASSWORD
531           not permitted to logon at this workstation CT_AUTH_BAD_PASSWORD
532           password expired                           EXPIRED_PASSWORD
533           account disabled                           INACTIVE_ACCOUNT
701           account expired                            EXPIRED_ACCOUNT
773           user must reset password                   FORCED PASSWORD_EXPIRED
775           user account locked                        ADMIN_LOCKOUT
Resolution: This typically occurs when Active Directory has a performance problem but its LDAP service is still accepting new connections, so the condition does not trigger an LDAP failover in Access Manager: the bind neither succeeds nor returns one of the sub-codes above, and the default UNKNOWN_USER reason is logged.
Put the aserver in debug mode and look for LDAP responses such as the following (these are only examples; other failures are possible). Then correct the underlying directory issue.

LDAP_TIMEOUT
LDAP_TIMELIMIT_EXCEEDED
LDAP_REFERRAL
LDAP_BUSY

See http://support.microsoft.com/kb/218185 for the full list of LDAP and Active Directory error codes.
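The following is an added example, not RSA's code or the Access Manager implementation. It shows the two practical points of this article in working form: first, a classifier that reproduces the fallthrough described above, mapping the AD bind sub-codes from the table to the listed reasons and returning UNKNOWN_USER for any other failure (timeout, busy, referral), so a slow directory looks identical to a mistyped username in the log; second, a triage pass over aserver.log-style lines that separates a directory-wide problem from a genuine unknown user by counting how many distinct users hit "Unknown User" inside a short window. The LDAP result code constants are the standard protocol values; the log lines and the "Bad Password" reason string are constructed for the example, and the aserver.log field layout is assumed to match the line quoted in the Issue section.

```python
import re
from datetime import datetime, timedelta

# Standard LDAP result codes (RFC 4511 / OpenLDAP ldap.h values).
LDAP_SUCCESS = 0
LDAP_TIMELIMIT_EXCEEDED = 3
LDAP_REFERRAL = 10
LDAP_INVALID_CREDENTIALS = 49
LDAP_BUSY = 51
LDAP_TIMEOUT = 85            # client-side timeout (0x55)

# AD bind sub-codes and the reason each maps to, mirroring the table above.
# The 773 identifier is written with an underscore here as an assumption.
AD_SUBCODE_TO_REASON = {
    "525": "UNKNOWN_USER",
    "52e": "CT_AUTH_BAD_PASSWORD",
    "530": "CT_AUTH_BAD_PASSWORD",
    "531": "CT_AUTH_BAD_PASSWORD",
    "532": "EXPIRED_PASSWORD",
    "533": "INACTIVE_ACCOUNT",
    "701": "EXPIRED_ACCOUNT",
    "773": "FORCED_PASSWORD_EXPIRED",
    "775": "ADMIN_LOCKOUT",
}

# AD puts the sub-code in the diagnostic message, e.g.
# "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.IGNORECASE)


def classify_bind(result_code, diagnostic=""):
    """Return the reason a bind result would be logged with.

    Only an invalidCredentials (49) result carrying a known AD sub-code is
    mapped to a specific reason; every other failure, including timeouts,
    busy and referral responses, falls through to the default UNKNOWN_USER.
    """
    if result_code == LDAP_SUCCESS:
        return "SUCCESS"
    if result_code == LDAP_INVALID_CREDENTIALS:
        m = SUBCODE_RE.search(diagnostic or "")
        if m:
            return AD_SUBCODE_TO_REASON.get(m.group(1).lower(), "UNKNOWN_USER")
    return "UNKNOWN_USER"


def parse_log_line(line):
    """Split one aserver.log line into a dict; the second field is the timestamp."""
    fields = line.split(",")
    rec = {"timestamp": fields[1]}
    for f in fields:
        if "=" in f:
            k, v = f.split("=", 1)
            rec[k] = v
    return rec


def parse_ts(ts):
    # "2014-09-15 13:20:18:540 CDT" -> drop the zone, milliseconds parse as %f
    return datetime.strptime(ts[:23], "%Y-%m-%d %H:%M:%S:%f")


def unknown_user_bursts(lines, window=timedelta(seconds=60), min_users=3):
    """Return [(window_start, sorted_users)] where >= min_users distinct users
    were logged as Unknown User within one window.

    A mistyped username affects one user at a time; a directory that is slow
    but still accepting connections affects every bind at once.
    """
    events = sorted(
        (parse_ts(r["timestamp"]), r["user"])
        for r in map(parse_log_line, lines)
        if r.get("result_reason") == "Unknown User"
    )
    bursts, covered_until = [], None
    for t0, _ in events:
        if covered_until is not None and t0 < covered_until:
            continue  # already inside a reported window
        users = sorted({u for t, u in events if t0 <= t < t0 + window})
        if len(users) >= min_users:
            bursts.append((t0, users))
            covered_until = t0 + window
    return bursts


# Constructed sample log: four users fail within seconds (a directory problem),
# then a lone failure 45 minutes later (a genuinely unknown username).
SAMPLE_LOG = """\
sequence_number=63490,2014-09-15 13:20:18:540 CDT,messageID=1021,user=user1,client_ip_address=192.168.2.198,client_port=45215,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
sequence_number=63491,2014-09-15 13:20:19:102 CDT,messageID=1021,user=user2,client_ip_address=192.168.2.199,client_port=45216,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
sequence_number=63492,2014-09-15 13:20:21:877 CDT,messageID=1021,user=user3,client_ip_address=192.168.2.200,client_port=45217,result_code=1,result_action=Authentication Failure,result_reason=Bad Password
sequence_number=63493,2014-09-15 13:20:25:004 CDT,messageID=1021,user=user4,client_ip_address=192.168.2.201,client_port=45218,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
sequence_number=63600,2014-09-15 14:05:02:311 CDT,messageID=1021,user=jsmithh,client_ip_address=192.168.2.50,client_port=45310,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
"""

if __name__ == "__main__":
    print(classify_bind(LDAP_INVALID_CREDENTIALS, "... AcceptSecurityContext error, data 52e, v1db1"))
    print(classify_bind(LDAP_TIMEOUT))
    for start, users in unknown_user_bursts(SAMPLE_LOG.splitlines()):
        print(start, "Unknown User burst across", users)
```

Run against a real aserver.log, a burst of distinct known users inside one window points at the directory rather than at the usernames, which is the signal to enable debug mode and look for the LDAP responses listed in the Resolution.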

Legacy Article ID: a68130
