|Applies To||RSA ClearTrust 5.5.2 Authorization Server (AServer); Microsoft Windows 2000 Professional SP4; Microsoft Active Directory|
|Issue||RSA ClearTrust users occasionally unable to authenticate using valid username and password|
The auth server log file indicates the following error message even though the username and password were entered correctly:
"result_code=1,result_action=Authentication Failure,result_reason=Unknown User"
|Cause||This failure can happen due to a problem in how the bind authentication connection pool used to authenticate users against the AD datastore is maintained. Users who enter a wrong user ID have their connection returned to the pool without the "bad" bind being cleared. A subsequent bind by a legitimate user on one of these connections results in that user being prompted again for authentication. Normally only a very few users would ever encounter this situation, but under unusual conditions a larger number of users can be affected.|
This issue is resolved in hot fix 220.127.116.11 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). Review the provided Readme file for installation instructions.
NOTE: The "Unknown User" message does occur normally in the AServer log file. Only a disproportionately large number of these login failures over a short period of time indicates a potential problem.
For more information, see the solution "badPwdCount incremented multiple times in Active Directory for a single failed attempt at logon to RSA ClearTrust".
|Workaround||ClearTrust is configured to use "Bind Authentication" with cleartrust.data.ldap.password.validate_with_connect = True|
|Legacy Article ID||a23160|
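The pool behaviour described under Cause, as an added simplified model (not RSA's code): a buggy pool returns a connection after a failed user bind without restoring the service-account bind, so the next legitimate user's lookup on that connection runs anonymously and is reported as "Unknown User"; the corrected pool resets the bind before reuse. The service DN, user container, sample entries and the search-then-bind flow are assumptions made for the model.

```python
from collections import deque

SERVICE_DN = "cn=cleartrust-svc,ou=services,dc=example,dc=com"  # assumed service account
USERS_BASE = "ou=users,dc=example,dc=com"                       # assumed user container
DIRECTORY = {  # constructed sample directory: DN -> password
    SERVICE_DN: "svc-secret",
    f"cn=alice,{USERS_BASE}": "alice-pw",
    f"cn=bob,{USERS_BASE}": "bob-pw",
}

class LdapConnection:
    """Toy LDAP connection: a failed bind leaves it anonymous, as LDAP (RFC 4511) specifies."""
    def __init__(self):
        self.bound_as = None
    def bind(self, dn, password):
        ok = DIRECTORY.get(dn) == password
        self.bound_as = dn if ok else None
        return ok
    def find_user(self, uid):
        # Locate the user's entry; in this model only the service account may search,
        # so an anonymous (poisoned) connection finds nothing -> "Unknown User".
        if self.bound_as != SERVICE_DN:
            return None
        dn = f"cn={uid},{USERS_BASE}"
        return dn if dn in DIRECTORY else None

class BindPool:
    """Pool of service-bound connections used for bind authentication."""
    def __init__(self, size, reset_on_release):
        self.reset_on_release = reset_on_release
        self.free = deque(LdapConnection() for _ in range(size))
        for conn in self.free:
            conn.bind(SERVICE_DN, DIRECTORY[SERVICE_DN])
    def authenticate(self, uid, password):
        conn = self.free.popleft()
        try:
            dn = conn.find_user(uid)
            if dn is None:
                return "Unknown User"
            if not conn.bind(dn, password):
                return "Authentication Failure"  # conn is now anonymous: the "bad" bind
            conn.bind(SERVICE_DN, DIRECTORY[SERVICE_DN])  # success path restores service bind
            return "OK"
        finally:
            if self.reset_on_release:  # the fix: clear any failed bind before reuse
                conn.bind(SERVICE_DN, DIRECTORY[SERVICE_DN])
            self.free.append(conn)

def run_scenario(reset_on_release):
    # One failed login, then a valid login that lands on the same pooled connection.
    pool = BindPool(size=1, reset_on_release=reset_on_release)
    return [pool.authenticate("alice", "wrong-pw"), pool.authenticate("bob", "bob-pw")]
```

With `reset_on_release=False` the second, valid login is rejected as "Unknown User"; with `reset_on_release=True` it succeeds.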