|Applies To||RSA Product Set: RSA Identity Governance and Lifecycle|
RSA Version/Condition: 6.9.1 P16, 6.9.1 P17, 7.0.0 P04, 7.0.1
|Issue||Authentication fails with the following error, although the username and password used are correct. This issue occurs after upgrading to 6.9.1 P16, 6.9.1 P17, 7.0.0 P04 or 7.0.1:|
Invalid Login credentials
This issue occurs if the authentication sources uses Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName.
The error in the aveksaServer.log always says that the account is orphaned even though the account is not orphaned and there are no duplicate accounts in the system.
09/23/2016 15:19:52.585 WARN (default task-29) [com.aveksa.gui.core.ACMLoginLogout] No User mapped to this account. Its an Orphaned Account
|Cause||The issue is due to a mismatch for the user to be authenticated and the collected accounts through the associated ADC.The distinguishedName collected for the ADC will not map with the authentication source's user account and will always fail. The Test Authentication does a simple bind with the AD server and searches for the user with the UserSearchAttribute. The user account mapping does not play a role here, hence it passes.|
|Resolution||This is a bug fixed in 6.9.1 P19 and 7.0.1 P02. Deploy the patches to resolve the issue.|
|Workaround||As a workaround, having the associated collector attribute AccountId configured with sAMAccountName and not configuring the authentication source parameter AuthAccountAttribute, will result in a successful authentication. This will cause the authentication source to accept the default value for AuthAccountAttribute as it is not mandatory, which is the NameInNamespace (DN) and will evaluate the user to be authenticated against the collected accounts successfully.|