000035185 - RSA Authentication Manager 8.1 SP1 authentications failing after changing the directory password for the Directory User ID in the Identity Source Configuration

Document created by RSA Customer Support Employee on May 26, 2017
Version 1

Article Content

Article Number: 000035185
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP 1 or later
Issue
  • An administrator has configured an identity source for mapping user and group information from Microsoft Active Directory to an Authentication Manager deployment.
  • The customer has a password policy that requires all Windows passwords to be changed on a regular basis (e.g., every 90 days), which affects the Directory User ID in the identity source configuration.
  • Following the password policy, the directory password for the Directory User ID was changed and connectivity to the identity source was confirmed to be successful using the Test Connection button and/or Validate Connection Information button.
  • After the directory password was changed, end user authentications were found to be failing and users were no longer searchable in the Security Console for the identity source in question.
  • The System Activity Monitor (Security Console > Reporting > Real-time Activity Monitors > System Activity Monitor) reports failures connecting to the identity source.
Cause
The Authentication Manager deployment caches the old credentials and continues to use them to query the identity source, which eventually locks the Directory User ID used to query the identity source.
Resolution
Where the directory password for the Directory User ID must be changed, use the following procedure:

Where there is a single replica instance in the Authentication Manager deployment


  1. From the Operations Console, flush cached data on the replica instance (Maintenance > Flush Cache).  You will be prompted to enter the super admin credentials.
  2. Select Flush all cache objects.
  3. Click Flush.
  4. Connect to the replica instance via the local console or via an SSH session using the rsaadmin account.
  5. Stop the Authentication Manager services on the replica instance using the command:
    /opt/rsa/am/server/rsaserv stop all

  6. Launch the Operations Console and navigate to Deployment Configuration > Identity Sources > Manage Existing.
  7. Click on the identity source in question and choose Edit.
  8. On the Configuration tab, update the Directory Password for the primary and all replica instances listed.
  9. Use the Test Connection and Validate Connection Information buttons to confirm a successful connection to the identity source from the primary and all replica instances listed.
  10. Use the Save and Finish button to save the directory password for primary and all replica instances listed.
  11. From the primary's Operations Console, flush cached data on the primary by selecting Maintenance > Flush Cache.  You will be prompted to enter the super admin credentials.
  12. Select Flush all cache objects.
  13. Click Flush.
  14. Connect to the primary instance via the local console or via an SSH session using the rsaadmin account.
  15. Restart the Authentication Manager services on the primary instance using the command:
    /opt/rsa/am/server/rsaserv restart all

  16. Connect to the replica instance via the local console or via an SSH session using the rsaadmin account.
  17. Restart the Authentication Manager services on the replica instance using the command:
    /opt/rsa/am/server/rsaserv start all


Where there are multiple replica instances in the Authentication Manager deployment 


  1. From the replica's Operations Console, flush cached data by selecting Maintenance > Flush Cache.  You will be prompted to enter the super admin credentials.
  2. Select Flush all cache objects.
  3. Click Flush.
  4. Reboot the appliance from the Operations Console by selecting Maintenance > Reboot Appliance.
  5. Check Yes, reboot the appliance.
  6. Click Reboot.
  7. From the Security Console, verify that users are searchable on the primary and replica instances (Identity > Users > Manage Existing).
  8. Change the Identity Source name in the Search Criteria and click the Search button. A list of users is expected to be returned. Use the System Activity Monitor in the Security Console (Reporting > Real-time Activity Monitors > System Activity Monitor) to check system activity to the identity source.
  9. Perform test authentication using the user IDs mapped from the identity source to confirm the Authentication Manager can process those authentications.
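
To confirm from the directory side which instances are still presenting the old password, the failed logons recorded for the Directory User ID can be grouped by source address. The following is an added example, not part of the RSA article: it assumes the domain controller's Security log has been exported to CSV with the hypothetical columns shown, and that failed binds appear as event 4625 and lockouts as 4740. The account name, addresses and times are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export of a domain controller's Security log, reduced to
# four columns. 4625 = failed logon, 4740 = account locked out (Windows event
# IDs). The account name, addresses and times are made up for illustration.
SAMPLE_EVENTS = """\
time,event_id,account,source_ip
2017-05-26T08:40:00,4625,svc_rsa_ldap,10.0.0.12
2017-05-26T09:01:05,4625,svc_rsa_ldap,10.0.0.12
2017-05-26T09:01:35,4625,svc_rsa_ldap,10.0.0.12
2017-05-26T09:02:05,4625,svc_rsa_ldap,10.0.0.13
2017-05-26T09:02:10,4625,other_user,10.0.0.50
2017-05-26T09:02:35,4625,svc_rsa_ldap,10.0.0.77
2017-05-26T09:03:00,4740,svc_rsa_ldap,
"""

# Hypothetical inventory of Authentication Manager instances by IP address.
AM_INSTANCES = {"10.0.0.11": "primary", "10.0.0.12": "replica1", "10.0.0.13": "replica2"}


def stale_bind_report(csv_text, account, changed_at, instances):
    """Summarise failed binds for `account` after the password change."""
    changed = datetime.fromisoformat(changed_at)
    failures = Counter()
    lockouts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["time"])
        if row["account"].lower() != account.lower() or when < changed:
            continue  # other accounts, or failures predating the change
        if row["event_id"] == "4740":
            lockouts.append(row["time"])
        elif row["event_id"] == "4625":
            failures[row["source_ip"]] += 1
    return {
        # Instances still presenting the old password: flush and restart these.
        "stale_instances": {instances[ip]: n for ip, n in failures.items() if ip in instances},
        # Failures from anywhere else are not explained by the cache; investigate.
        "unknown_sources": {ip: n for ip, n in failures.items() if ip not in instances},
        "lockouts": lockouts,
    }


if __name__ == "__main__":
    print(stale_bind_report(SAMPLE_EVENTS, "svc_rsa_ldap", "2017-05-26T09:00:00", AM_INSTANCES))
```

An instance that no longer appears under stale_instances after its cache flush and service restart has picked up the new password; entries under unknown_sources are not accounted for by the caching behaviour described in this article.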
