000034726 - RSA Identity Governance and Lifecycle authentication fails if the authentication sources uses Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName

Document created by RSA Customer Support Employee on Feb 24, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034726
Applies ToRSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 6.9.1 P16, 6.9.1 P17, 7.0.0 P04, 7.0.1
 
IssueAuthentication fails with the following error, although the username and password used are correct. This issue occurs after upgrading to 6.9.1 P16, 6.9.1 P17, 7.0.0 P04 or 7.0.1:
 
Invalid Login credentials

This issue occurs if the authentication sources uses Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName.
 
User-added image

User-added image

 
User-added image

 
 User-added image

The error in the aveksaServer.log always says that the account is orphaned even though the account is not orphaned and there are no duplicate accounts in the system.
09/23/2016 15:19:52.585 WARN  (default task-29) [com.aveksa.gui.core.ACMLoginLogout] No User mapped to this account. Its an Orphaned Account


 
CauseThe issue is due to a mismatch for the user to be authenticated and the collected accounts through the associated ADC.The distinguishedName collected for the ADC will not map with the authentication source's user account and will always fail. The Test Authentication does a simple bind with the AD server and searches for the user with the UserSearchAttribute.  The user account mapping does not play a role here, hence it passes.
ResolutionThis is a bug fixed in 6.9.1 P19 and 7.0.1 P02. Deploy the patches to resolve the issue.
WorkaroundAs a workaround, having the associated collector attribute AccountId configured with sAMAccountName and not configuring the authentication source parameter AuthAccountAttribute, will result in a successful authentication.  This will cause the authentication source to accept the default value for AuthAccountAttribute as it is not mandatory, which is the NameInNamespace (DN) and will evaluate the user to be authenticated against the collected accounts successfully.

Attachments

    Outcomes