000021491 - RSA ClearTrust users occasionally unable to authenticate using valid username and password

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000021491

Applies To:
RSA ClearTrust 5.5.2 Authorization Server (AServer)
Microsoft Windows 2000 Professional SP4
Microsoft Active Directory

Issue: RSA ClearTrust users occasionally unable to authenticate using valid username and password
The auth server log file indicates the following error message even though the username and password were entered correctly:

"result_code=1,result_action=Authentication Failure,result_reason=Unknown User"

Cause: This failure can happen due to a problem with the way the bind authentication pool that is used to authenticate users to the AD datastore is maintained. Users who enter a wrong userid will have their connection returned to the pool without clearing the "bad" bind. A subsequent bind by a legitimate user on one of these connections would result in the user being prompted again for authentication. Normally, only very few users would ever encounter this situation, but it is possible under unusual conditions for a larger number of users to be affected.
Resolution
This issue is resolved in hot fix 5.5.2.42 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.

NOTE: The "Unknown User" message does occur normally in the AServer log file. Only a disproportionately large number of these login failures over a short period of time indicates a potential problem.
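Because a single "Unknown User" entry is normal and only a burst of them over a short period points at the pool problem, the useful check on the AServer log is a rate check rather than a string match. The following detector is an added example, not code from RSA or from the article: it parses log lines, keeps a sliding time window of "Unknown User" failures and reports each time the count in that window reaches a threshold, together with how many distinct usernames were involved (many distinct users failing at once is the pattern the Cause section describes; one user retrying a typo is not). Only the comma-separated result_code/result_action/result_reason fields come from the article; the timestamp prefix, the user= field, the success lines and the sample log itself are constructed for this example, and the window and threshold are placeholders to tune against a real log.

```python
"""Sliding-window spike detector for "Unknown User" failures in an
AServer-style log (added example, not ClearTrust code)."""
from collections import deque
from datetime import datetime, timedelta
import re

# Constructed sample log. Only the result_* fields follow the fragment quoted
# in the article; the timestamp prefix, the user= field and the success lines
# are assumptions made for this example.
SAMPLE_LOG = """\
2016-06-16 09:01:10,user=bob,result_code=0,result_action=Authentication Success,result_reason=
2016-06-16 09:15:42,user=zed,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 11:20:05,user=carol,result_code=0,result_action=Authentication Success,result_reason=
2016-06-16 12:40:33,user=qqq,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:01,user=alice,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:05,user=bob,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:09,user=carol,result_code=0,result_action=Authentication Success,result_reason=
2016-06-16 14:02:12,user=dave,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:20,user=erin,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:31,user=alice,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
2016-06-16 14:02:40,user=frank,result_code=1,result_action=Authentication Failure,result_reason=Unknown User
"""

# Assumed line layout: "<timestamp>,user=<name>,<key>=<value>,<key>=<value>,..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),user=(?P<user>[^,]*),(?P<kv>.*)$"
)


def parse_line(line):
    """Return (timestamp, user, fields) for a log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for item in m.group("kv").split(","):
        key, _, value = item.partition("=")
        fields[key] = value
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), fields


def is_unknown_user_failure(fields):
    """True for the exact failure signature quoted in the article."""
    return (fields.get("result_code") == "1"
            and fields.get("result_action") == "Authentication Failure"
            and fields.get("result_reason") == "Unknown User")


def find_spikes(lines, window=timedelta(seconds=60), threshold=5):
    """Scan log lines in order and return one (first_ts, last_ts, count, distinct_users)
    tuple each time the number of 'Unknown User' failures inside `window` reaches
    `threshold`. Lines that do not parse or are not this failure are ignored."""
    recent = deque()   # (timestamp, user) of failures still inside the window
    spikes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, fields = parsed
        if not is_unknown_user_failure(fields):
            continue
        recent.append((ts, user))
        # Drop failures that have aged out of the window relative to this event.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        # Report at the moment the count crosses the threshold, once per crossing.
        if len(recent) == threshold:
            distinct = {u for _, u in recent}
            spikes.append((recent[0][0], ts, len(recent), len(distinct)))
    return spikes


if __name__ == "__main__":
    for first, last, count, distinct in find_spikes(SAMPLE_LOG.splitlines()):
        print(f"{count} 'Unknown User' failures from {distinct} distinct users "
              f"between {first} and {last}")
```

On the constructed log the two isolated failures in the morning never trigger anything, while the burst around 14:02 is reported once, at the moment the fifth failure in sixty seconds arrives, with four distinct usernames involved. The distinct-user count is the field worth alerting on: a legitimate-user population failing together is consistent with poisoned pooled connections, whereas a single name repeating is ordinary mistyping.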

Workaround: ClearTrust is configured to use "Bind Authentication" with cleartrust.data.ldap.password.validate_with_connect = True

Legacy Article ID: a23160
