000034392 - RSA SecurID Access Automatic Integrated Windows Authentication (IWA) not working

Document created by RSA Customer Support Employee on Nov 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034392
Applies ToRSA Product Set:  SecurID Access
IssueAutomatic IWA has been configured per Enable Automatic Integrated Windows Authentication but users are still presented with the portal login page where they need to either enter their credentials or click on the IWA icon.
The /var/log/symplified/symplified.log contains messages like:
2016-11-14/16:22:29.839/UTC [ajp-apr-8009-exec-4] ERROR com.symplified.service.appliance.sp.SPService[461] -  IP restrictions likely misconfigured for idp RSA SecurID Access IWA Connector
2016-11-14/16:22:29.840/UTC [ajp-apr-8009-exec-4] INFO com.symplified.service.appliance.sp.SPService[100] -  Pre-authentication policy evaluated to false,
not initiating authentication with idp RSA SecurID Access IWA Connector

CauseConfiguring the IWA Identity Provider with Authentication Source Rules/IP Range using Classless Inter-Domain Routing (CIDR) notation, as below, will cause this issue.
IWA IP Range using CIDR notation
ResolutionUse IP:NETMASK rather than CIDR notation to define the IP address range value.  For example, rather than, use
As always, be sure to re-publish after making this change.