000025302 - Not authorized (RC_NOT_AUTHORIZED): Login incorrect

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000025302
Applies To: Microsoft Windows Windows Server SP1
ClearTrust Authorization Server 6.0
Issue: RC_NOT_AUTHORIZED
Not authorized (RC_NOT_AUTHORIZED): Login incorrect
Your logon information was invalid.
ad-adam

This error is seen in the server log when running in debug mode.

 

11:17:20:140 [*] [APIClientProxy-3] - Thread requesting stream.
Not authorized (RC_NOT_AUTHORIZED): Login incorrect
        at sirrus.api.command.server.APISetClientsUserCmd.getUserAndCheckPW(APISetClientsUserCmd.java:107)
        at sirrus.api.command.server.GetAdminRoleIdsForUserCmd.execute(GetAdminRoleIdsForUserCmd.java:64)
        at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
        at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
        at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
        at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:1146)
        at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:872)

 

Note: If you do not have debug mode enabled then no error will be displayed in the eserver log.

Cause

This error can occur when the administrator attempts to log in to the Entitlements GUI. Although the username and password are correct and all the configuration parameters appear to be correct, the error still occurs.

As part of the Access Manager administrative logon, the distinguished name (DN) in Active Directory is compared against a DN value stored in ADAM in the list of valid administrators. If there are any spaces after the commas in the DN value in ADAM, the comparison fails and the system does not recognize the user as an administrator.

Resolution

During installation you are required to edit install-activedirectory.ldif and set a ctscUserDN value  (page 36 steps 4 and 5).  The instructions specifically state that the modification is space-sensitive and to make sure to separate each item using commas with no spaces.  Failure to comply causes the above error.

 

It is easy to correct this fault simply by adjusting the current value stored in ADAM following these steps:


1. On the ADAM server run Start | Programs | ADAM | ADAM ADSI Edit

2. Connect to your ADAM instance as your ADAM administrator and expand out to locate the CN=Default Administrator node, for example:

          ADAM ADSI Edit
            - CT [localhost:5000]
              - dc=rsasecurity,dc=com
                - OU=ctscAdminRepository
                  - CN=Default Administrative User

3. Right-click this node and select Properties

4. Scroll through the listed attributes until you highlight ctscUserDN

5. Click Edit and remove any spaces which appear after the commas separating the relative sections of the DN. For example alter

                   cn=Administrator, cn=Users, dc=rsasecurity, dc=com

so that it reads

                    cn=Administrator,cn=Users,dc=rsasecurity,dc=com

6. Now click OK twice to save the changes (and you can now exit the ADAM ADSI Edit tool)

The change is dynamic and no stop and restart of any process is required (however, you may wish to stop the eserver process and start it without debugging enabled).
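A pre-flight check for the space-sensitive ctscUserDN value, as an added example (not RSA's code): it unfolds LDIF continuation lines and reports any ctscUserDN value that has spaces after an unescaped comma, together with the corrected form. The sample LDIF is constructed for illustration; the real layout of install-activedirectory.ldif may differ.

```python
import base64

ATTR = "ctscuserdn"  # attribute named in the article; matched case-insensitively
# Constructed sample: the last two RDNs sit on a folded line, which hides a space.
SAMPLE_LDIF = """\
dn: CN=Default Administrative User,OU=ctscAdminRepository,dc=rsasecurity,dc=com
ctscUserDN: cn=Administrator, cn=Users,
  dc=rsasecurity, dc=com
"""

def unfold(ldif_text):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_values(ldif_text, attr=ATTR):
    """Yield values of attr, decoding the base64 form ('attr:: ...') when used."""
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == attr:
            if rest.startswith(":"):
                yield base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                yield rest.lstrip(" ")

def strip_spaces_after_commas(dn):
    """Drop spaces after RDN-separating commas; backslash-escaped commas are left alone."""
    out, escaped, after_comma = [], False, False
    for ch in dn:
        if after_comma and ch == " ":
            continue  # space directly after a separator comma
        after_comma = (ch == "," and not escaped)
        escaped = (ch == "\\" and not escaped)
        out.append(ch)
    return "".join(out)

def check_ldif(ldif_text):
    """Return (current, corrected) for each ctscUserDN value that needs fixing."""
    pairs = ((v, strip_spaces_after_commas(v)) for v in attr_values(ldif_text))
    return [(cur, fixed) for cur, fixed in pairs if cur != fixed]

if __name__ == "__main__":
    for cur, fixed in check_ldif(SAMPLE_LDIF):
        print(f"ctscUserDN has spaces after commas:\n  current:   {cur}\n  corrected: {fixed}")
```

An empty result from check_ldif means every ctscUserDN value in the file already has no spaces after its separating commas.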

 

 

NOTE:

On an existing system there can be a number of factors which can cause the same error. For other solutions see:

               a25609 - Error: "Server error (500) - exception javax.servlet.ServletException: Not authorized (RC_NOT_AUTHORIZED): Login incorrect" appears in RSA ClearTrust Admin GUI when administrator changes their own user password via Admin GUI

               a30672 - Error: 'Login incorrect' when RSA ClearTrust administrator tries to log in to RSA ClearTrust Entitlements Manager (Admin GUI)

               a29563 - RSA ClearTrust 5.5 Entitlements Server (EServer) does not start when using ADAM as directory store

 

 

 

To enable debug mode on the eserver, start it from the command line by running the command "eserver debug". See the solution a33164, Debugging ClearTrust servers, for full details on debug mode.

 

For full details of the installation steps for the AD-ADAM configuration, see chapter 3, Installing the LDAP Data Adapter, in the Installation and Configuration Guide supplied with the software. An online copy is also available in RSA SecurCare Online.

https://knowledge.rsasecurity.com/docs/rsa_cleartrust/553/install_config.pdf

 

            RSA Access Manager 6.0 Servers Installation and Configuration Guide

            https://knowledge.rsasecurity.com/docs/rsa_cleartrust/access_manager/install_config.pdf

 

Workaround: The system has just been installed and configured as an AD-ADAM configuration, where users are all stored in Active Directory and all the policy data is stored in ADAM.
Legacy Article ID: a35443
