|Applies To||RSA Product Set: SecurID Access|
A user attempts to log in to the application portal with a valid username/password, but the logon is unsuccessful.
|Cause||In this case, the bind credentials of the identity source's directory server are misconfigured; that is, an incorrect password or an invalid username.|
|Resolution||To investigate an unsuccessful logon, an administrator should first view the Administration Console's IDR log for errors. Navigate to Platform > Identity Routers > IDR, click the Edit button, then click View Log.|
If the bind connection to a directory server is incorrectly configured, messages similar to the ones below will be present:
2016-08-16/21:42:58.773/UTC [ajp-apr-8009-exec-5] WARN com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl - Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://192.168.20.120:389' principal is 'email@example.com'. Try one more time ...
2016-08-16/21:42:58.780/UTC [ajp-apr-8009-exec-5] ERROR com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl - Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://192.168.20.120:389' principal is 'firstname.lastname@example.org'. CAUSE: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
These errors also appear in /var/log/symplified/symplified.log, which can be obtained as described in the article on how to Generate and Download an Identity Router Log Bundle.
Ensure that the identity source's directory server bind username/password have been configured with valid credentials. The connection can be tested using the steps outlined in the article on how to Test the Connection to a Directory Server.
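As an added example (not RSA's code and not part of the original article), the Python script below extracts the final bind failures from IDR or symplified.log lines in the format shown above and decodes the Active Directory sub-code in the "data" field. The sub-code table is general Active Directory knowledge rather than something the article states, and the sample log lines are constructed.

```python
import re

# Sub-codes Active Directory reports in the "data NNN" field of LDAP error 49
# (hexadecimal Win32 error codes). General AD knowledge, not from the article.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

BIND_FAILURE = re.compile(
    r"^(?P<ts>\S+)\s+\[[^\]]+\]\s+(?P<level>WARN|ERROR)\s+\S*LdapUserStoreConnectionImpl - "
    r"Failed to create initial dir context.*?LDAP server is '(?P<server>[^']*)'\s+"
    r"principal is '(?P<principal>[^']*)'(?:.*?error code (?P<code>\d+))?(?:.*?\bdata (?P<data>[0-9a-fA-F]+))?"
)

def find_bind_failures(lines):
    """Return one record per final (ERROR) bind failure; WARN lines are retries."""
    findings = []
    for line in lines:
        m = BIND_FAILURE.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        data = (m["data"] or "").lower()
        findings.append({
            "time": m["ts"], "server": m["server"], "principal": m["principal"],
            "ldap_code": int(m["code"]) if m["code"] else None,
            "data": data or None, "meaning": AD_SUBCODES.get(data, "no recognized sub-code"),
        })
    return findings

# Constructed sample lines in the log format shown above (hosts and accounts are made up).
SAMPLE_LOG = """\
2016-08-16/21:42:58.773/UTC [ajp-apr-8009-exec-5] WARN com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl - Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://192.0.2.10:389' principal is 'svc-bind@example.com'. Try one more time ...
2016-08-16/21:42:58.780/UTC [ajp-apr-8009-exec-5] ERROR com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl - Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://192.0.2.10:389' principal is 'svc-bind@example.com'. CAUSE: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
2016-08-16/21:43:10.002/UTC [ajp-apr-8009-exec-7] INFO com.example.Unrelated - Session created
2016-08-16/21:50:01.114/UTC [ajp-apr-8009-exec-2] ERROR com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl - Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://192.0.2.10:389' principal is 'svc-old@example.com'. CAUSE: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 775, v1db1]
""".splitlines()

if __name__ == "__main__":
    print(*find_bind_failures(SAMPLE_LOG), sep="\n")
```

A "52e" result points at the bind username or password configured for the identity source, while codes such as "775" or "533" point at the state of the bind account in the directory.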