000034719 - Users cannot authenticiate to the RSA SecurID Access Portal or protected applications using Microsoft Integrated Windows Authentication (IWA)

Document created by RSA Customer Support Employee on Jan 23, 2017Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034719
Applies ToRSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router
IssueEnd users are unable to login to the RSA SecurID Access SSO Portal or perform SSO login to applications with IWA.
CauseIWA is not accessible or is not responding. This can be investigated by checking the events in the RSA Identity Router (IDR)'s symplified.log file.
An administrator can view an IDR's /var/log/symplified/symplified.log which can be obtained as described in the article on how to Generate and Download an Identity Router Log Bundle.  Be sure to obtain the log bundle and check the symplified.log from all IDRs that are in use in the affected deployment.

Using a text editor, search the symplified.log looking for events logged by the component com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler.

A normal sequence for an IWA authentication, logged by this IDR component to symplified.log, should include the following events in the order shown:

INFO  com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[194] - Posting SAMLRequest to IdP endpoint: https://<IWA URL>
INFO  com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[195] - SAMLRequest contents: <saml2p:AuthnRequest XML message>
WARN  com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[211] - Saml 2 Generic IdP Handler handling inbound response.
INFO  com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[263] - Inbound SAMLResponse is valid. Accepting assertion for user: <user id>

Note that there will be events from other IDR components interleaved between the above events in the symplified.log.
Examine your IDRs' symplified.log files and check for any variations to the entries above and handle accordingly.  For example:

  • If event message [195] is logged but [211] and [263] are not logged, it means the IDR has not received a response from the IWA server. 
ResolutionSteps that can be taken to investigate further:
  • Examine the Windows Event Log on the IWA Server for any explanatory events.
  • Check all of the IWA configuration on the Access Console is correct, including URLs, digital certificates, etc.  See the article on how to Add Integrated Windows Authentication as an Identity Provider on RSA Link for more information.
  • Check network configuration and status, including firewalls, DNS, etc.
  • Contact your IWA system administrator for help troubleshooting the root cause
WorkaroundUntil the IWA issue is fixed, end users can enter their user ID and password into the Portal sign on screen, rather than authenticating with IWA.