Troubleshooting Common Error Messages

Document created by RSA Information Design and Development Employee on Jun 13, 2017. Last modified by RSA Information Design and Development Employee on Jan 19, 2021.
Version 17

These troubleshooting topics list messages that occur for common problems, along with their possible causes and corresponding resolutions. These messages are for administrative, system, and authentication events. Each error message includes:

Action ID. A unique number.

Action Key. A unique title.

Message. Text that describes the issue.

Description. Additional information about the message.

13003 - AUTHN_LOCKOUT_EVENT

Message: Users “{0}” from security domain “{1}” in identity source “{2}” is locked out

Description: Principal lockout

Problem: Authentication Manager has locked a user out of the system.

Resolution: Do the following:

  1. In the Security Console, use the Quick Search field to find the user.

  2. In the User Dashboard, view the user’s lockout status.

  3. Unlock the user’s account.

For more information, see Locked User Accounts.

16044 - ACCESS_DATABASE

Message: Database access attempted by system

Description: Database access

Problem: An unexpected error occurred when a database access was attempted using utilities that are different from those used by the Operations Console or Security Console.

Resolution: Verify if the database is operating correctly and if sufficient storage space is available.

16075 - INITIALIZE_PERMISSIONS

Message: System attempted to load permission types from the database

Description: Initialize permissions

Problem: An unexpected error has occurred when loading administrative role permissions from the database.

Resolution: Verify if the database is operating correctly and if sufficient storage space is available.

16089 - DENIAL_OF_SERVICE

Message: Denial-of-service attack detected. Server received “{4}” failed authentications from user “{3}”

Description: Denial-of-service attack detected

Problem: Authentication Manager has detected a series of unsuccessful authentication attempts from a remote administrative SDK application, suggesting that an unauthorized individual is attempting to authenticate. The SDK application might not have the correct WebLogic command client username and password, which would cause authentication attempts to fail.

Resolution: Verify that any remote administrative SDK applications have the correct WebLogic command client username and password.

16112 - REMOVE_ORPHANED_PRINCIPALS

Message: Administrator “{0}” attempted to clean up unresolvable users

Description: Clean up unresolvable users

Problem: Authentication Manager cannot connect to the LDAP directory server.

Resolution: Confirm that the LDAP directory server(s) identified in the identity source connection information are running and can be connected from the server.

16262 - BATCH_CLEANUP_ORPHANED_PRINCIPALS_LIMIT_HIT

Message: Cleanup of unresolvable users was not possible. Found {3} users ; which exceeded the automated cleanup limit of {4} users.

Description: Clean up unresolvable users and groups

Problem: The Cleanup Limit canceled an automated cleanup job because more than the specified number of unresolvable users were found in the database.

Resolution: Verify if any recent changes have been applied to the identity source, such as using a filter. Such a change may result in a large difference in the number of users located in the identity source. See How a User Becomes Unresolvable for more information on how changes made to user data in an LDAP directory can affect user authentication and administration.

16264 - MARK_FIND_PRINCIPAL_ACROSS_IDENTITYSOURCE_FAILURE

Message: User cannot be found across identity sources. User “{3}” will not be allowed to authenticate for the next 60 minutes..

Description: System cannot process this authentication request

Problem: The user who attempted to authenticate cannot be found in any identity source.

Resolution: Verify if you have made any recent change to the identity source, such as using a filter. Such a change may result in a large difference in the number of users located in the identity source.

16265 - DETERMINE_RELATED_IDENTITY_SOURCE

Message: System cannot determine whether identity source “{3}” and identity source “{4}” are connecting to the same directory server.

Description: Attempting to determine whether the given identity sources connect to the same directory server.

Problem: A connectivity problem exists between the identity source and the LDAP directory server. This problem can occur for any of the following reasons:

  • Incorrectly configured firewall

  • Invalid or expired LDAP credentials

  • Certificate expiration

  • Incorrectly configured or altered LDAP filters

  • Network issues

Resolution: Verify the LDAP connection. For LDAP-related information, see Add an Identity Source and Identity Source SSL Certificates. To troubleshoot network issues, see Verify an IP Address or Hostname.

16294 - IDENTITY_SOURCE_GET_CONNECTION_FAILED

Message: Cannot process requests that need access to identity source “{3}”. The identity source is currently unreachable.

Description: Failed to connect to identity source.

Problem: Authentication Manager cannot connect to the identity source. This problem can occur for any of the following reasons:

  • Incorrectly configured firewall

  • Invalid or expired LDAP credentials

  • Certificate expiration

  • Incorrectly configured or altered LDAP filters

  • Network issues

Resolution: Verify the LDAP connection. For LDAP-related information, see Add an Identity Source and Identity Source SSL Certificates. To troubleshoot network issues, see Verify an IP Address or Hostname.

16296 - TRACK_USER_MOVE_IN_REPLICA_FAILED

Message: The user’s distinguished name has changed. Either the primary could not update the user or the primary cannot be contacted. Authentication requests from “{3}” to this instance will not be successful until primary updates the user.

Description: System cannot process this authentication request

Problem: A connectivity problem exists between the primary and replica instances.

Resolution: Do the following:

  1. Check the replication status between the primary and replica instance. For information, see Check Replication Status.

  2. Verify if you can reach the primary or replica instance by running network tools and confirming if the replication port 7002/TCP is open. To run network tools, see Verify an IP Address or Hostname.

  3. Determine if disaster recovery procedures are appropriate. For information, see Disaster Recovery Situations.

16297 - BUILD_RELATED_IDENTITY_SOURCE_CACHE_FAILED

Message: System cannot initialize related identity sources for identity source “{3}”

Description: System cannot initialize related identity source cache.

Problem: Authentication Manager cannot connect to the identity source. This error can occur under the following circumstances:

  • The firewall is configured incorrectly.

  • LDAP credentials are invalid or expired.

  • A certificate has expired.

  • LDAP filters are configured incorrectly or altered.

  • Network issues exist.

Resolution: Verify the LDAP connection. For LDAP-related information, see Add an Identity Source and Identity Source SSL Certificates. To troubleshoot network issues, see Verify an IP Address or Hostname.

16329 - READ_ACTIVE_USERS

Message: System failed to read the licensed number of active users from the system configuration

Description: Unable to read active users from the system configuration

Problem: Authentication Manager licensing is incorrect.

Resolution: Confirm that Authentication Manager has a valid license file. See Check License Status.

20056 - INSUFFICIENT_PRIVILEGE

Message: Administrator “{0}” attempted an action having insufficient privileges.

Description: Insufficient Privilege

Problem: The administrator has insufficient privileges to perform the attempted action.

Resolution: Do the following:

  1. Verify that the administrator is assigned the correct security domain scope and permissions. For instructions, see View All Administrative Roles Assigned to an Administrator.

  2. If the administrator needs more permissions, either edit the administrative role and add the appropriate permissions or assign a different role. For more information, see Administrative Role Overview.

20063 - AUTHMGR_AGENT_CLEAR_NODESECRET

Message: Administrator “{0}” attempted to clear node secret for agent “{4}” managed in security domain “{5}”

Description: Clear Agent Node Secret

Problem: The node secret has been cleared. No troubleshooting is required.

20214 - AM_CONFIGURATION_UPDATE_FAILED

Message: Administrator “{0}” failed to update AM configuration

Description: Failed to update RSA Authentication Manager configuration

Problem: An attempt to modify Authentication Manager configuration data has failed. Either the administrator performing the update does not have permission or the configuration value has been removed or deprecated. This error can also occur when an application using UpdateAMConfigurationCommand to update configuration data lacks sufficient permission.

Resolution: Verify that the administrator has permission to modify the configuration data:

  1. In the Security Console, go to the Home page.

  2. Use Quick Search to find and select the administrator.

  3. From the context menu next to the administrator’s username, select Administrative Roles.

  4. Verify that the assigned administrative roles provide sufficient privileges to modify the configuration data.

  5. (Optional) To assign additional administrative roles to this administrator, do the following:

    1. Click Assign Role.

    2. Select the role you want to assign to the administrator.

    3. Click Assign Role.

20239 - EXPORT_DATA_TO_FILE

Message: Administrator “{0}” attempted to export data to the file “{11}”.

Description: Export Data to file

Problem: The administrator attempted to export user and token data to a file. No troubleshooting is required.

20240 - GENERATE_EXPORT_SECURITY_PACKAGE

Message: Administrator “{0}” attempted to generate and download export security package.

Description: Generate Export Security Package

Problem: The administrator attempted to generate and download the export security package. No troubleshooting is required.

23002 - AUTH_UNSUPPORTED_PROTOCOL

Message: Received unsupported request from agent “{3}” with IP address “{4}” in security domain “{5}”. Request type: “{18}”

Description: Received unsupported request.

Problem: The device is unsupported because there is no server interface to handle this type of network packet.

Resolution: Do the following:

  1. Verify that the agent host uses a legacy authentication method from agents older than version 5.x. Authentication Manager only accepts agents from releases 5.x and higher.

  2. Contact the manufacturer of the user’s authentication device to find out if the device is eligible to upgrade to a 5.x or higher API.

  3. If the device is enabled for RADIUS, verify that the current version is compatible with the new RADIUS Access-Challenge, including New PIN Mode and Next Tokencode Mode.

23005 - AUTH_NODE_VERIFICATION

Message: Verifying node secret for the agent “{3}” with IP address “{4}” in security domain “{5}”

Description: Node secret verification

Problem: There is a problem with the node secret.

Resolution: Clear the node secret in both the Authentication Manager server and agent. See Manage the Node Secret.

23008 - AUTH_PRINCIPAL_RESOLUTION

Message: Attempting to resolve user by userid or alias “{0}”. Request originated from agent “{3}” with IP address “{4}” in security domain “{5}”

Description: Resolve principal by userid/alias

Problem: Authentication Manager cannot identify the user through the User ID or alias. It is possible that multiple users have the same alias. When an administrator associates an agent and a group, all of the user’s aliases associated with the group are now searched.

This error can occur under the following circumstances:

  • An agent is associated with many groups and two people in different groups have the same alias.

  • An administrator recently associated an agent with a group.

Resolution: Do the following:

  1. In the Security Console, go to the Home page.

  2. Use Quick Search to find the user.

  3. Click Authentication Settings and view the user alias.

  4. Change the user’s alias to be unique.

23017 - OA_DATA_DOWNLOAD_FAILED

Message: Offline authentication data download requested by user “{0}” from agent “{3}” using token “{8}” failed with error message “{9}”

Description: Offline Authentication Data Download Failed

Problem: A user’s attempt to download offline authentication data failed. This message can occur when the offline authentication policy settings for the user do not match the settings for the agent. This can also occur if port 5580/tcp is inaccessible.

Resolution: Do the following:

  1. Verify if port 5580/tcp is accessible. For instructions, see the Help topic "Verify an IP Address or Hostname."

  2. Identify the security domains to which the user and agent belong.

  3. If the security domains are different, verify that the offline authentication policies applied to each security domain do not conflict.

  4. Modify the offline authentication policies to resolve any conflicts. For more information, see RSA Authentication Manager Policies.

23021 - AUTHMGR_NEXT_TOKENCODE_ACTIVATED

Message: Next tokencode mode activated for token serial number “{16}” assigned to user “{0}” in security domains “{1}” from “{2}” identity source.

Description: Next tokencode mode activated for token

Problem: A user has failed to authenticate with a specific token more times than the token policy allows. In next tokencode mode, the user has one chance to enter the tokencode correctly before authentication fails.

Resolution: This message occurs when a token has failed to authenticate a specific number of times. You can configure the number of authentication failures allowed before next tokencode mode is activated in the Security Console. For more information, see RSA Authentication Manager Policies.

If this error occurs multiple times, check the accuracy of the Authentication Manager system clock. Clock drift may have occurred between the Authentication Manager Server and the token clock. For more information, see Update System Date and Time Settings.

Incorrectly or unnecessarily changing the system time may cause a total authentication outage. If you are not confident of the cause of the problem, contact RSA Customer Support. Do not attempt to correct clock drift if it is more than plus or minus one minute.

23026 - AUTOREG_VERIFY_NODESECRET

Message: Verifying node secret for the agent “{3}” with IP address “{4}” in Security Domain “{5}”

Description: Agent node secret verification

Problem: This message indicates that there is a problem with the node secret.

Resolution: Clear the node secret in both the Authentication Manager server and agent. See Manage the Node Secret.

23036 - AUTOREG_VERIFY_NODESECRET

Message: Verifying node secret for the agent “{3}” with IP address “{4}” in Security Domain “{5}”

Description: Agent node secret verification

Problem: There is a problem with the node secret.

Resolution: Clear the node secret in both the Authentication Manager server and agent. See Manage the Node Secret.

23038 - AUTOREG_DHCP_ERROR

Message: While registering an agent “{3}” ; found another agent “{8}” with the same alias IP address “{4}”. Could not un-assign IP from “{8}”

Description: While registering an agent found another agent with the same alias IP address.

Problem: During agent registration, another agent was found to have the same alias IP address.

Resolution: This message is related to auto-registration and DHCP:

  1. Enable auto-registration. For more information, see Automatic Agent Registration.

  2. Download the server certificate. For instructions, see Download an RSA Authentication Manager Server Certificate.

  3. When setting Agent Auto-Registration settings, change the default Agent IP Update option to not automatically update the IP addresses of authentication agents. For more information, see Configure Agent Settings.

  4. Check your firewall rules and ensure that the following ports are open to enable communication between the agent and Authentication Manager instance.

                               

    Port       Function
    5500/UDP   Used for communication between Authentication Manager and authentication agents.
    5580/TCP   Authentication agents connect to this port to perform offline data downloads.
    5550/TCP   Used by the authentication agent auto-registration utility. This port must be open.
    139/TCP    Used by authentication agents to verify whether the user is a member of a challenge group in Microsoft Active Directory.

  5. Clear the node secret files on the agent. For instructions, see the authentication agent documentation.

  6. Re-install the authentication agent. Choose custom installation, and select auto-registration during the install process. See your agent documentation for instructions.

23039 - AUTOREG_CLEAR_NODESECRET

Message: Cleared node secret for the agent “{3}” in Security Domain “{5}”

Description: Agent node secret has been cleared

Problem: The administrator has manually cleared, generated, and reloaded the node secret. No troubleshooting is required.

23071 - AUTH_FAILED_BAD_TOKENCODE_GOOD_PIN

Message: Bad tokencode ; but good PIN detected for token serial number “{16}” assigned to user “{0}” in security domain “{1}” from “{2}” identity source

Description: Authentication attempted.

Problem: The user could not successfully authenticate. It is possible that the user has forgotten the PIN, or is using the wrong token.

Resolution: Do the following:

  1. Verify that the user is using the correct token as assigned. Ask the user for the serial number on the back of the token, and verify it against the token serial number that you see in the Security Console. If the token serial numbers do not match, ask the user to use the assigned token only.

  2. Resynchronize the token assigned to the user. See Resynchronize a Token.

  3. Open the Activity Monitor. Ask the user to authenticate using the PIN after resynchronization, and monitor the log entry in real time. See View Messages in the Activity Monitor.

23072 - AUTH_FAILED_BAD_PIN_GOOD_TOKENCODE

Message: Bad PIN ; but good tokencode detected for token serial number “{16}” assigned to user “{0}” in security domain “{1}” from “{2}” identity source

Description: Authentication attempted

Problem: The user who is assigned the token may no longer possess it because the passcodes are being guessed.

Resolution: Confirm if the user possesses the assigned token:

  1. In the Security Console, go to the Home page.

  2. Use Quick Search to find the user.

  3. Select the user whose token you need to verify.

  4. Under Assigned SecurID Tokens, view the token serial number.

  5. Ask the user for the serial number on the back of the token, and verify if it matches the serial number on the Security Console.

23073 - AUTH_FAILED_BAD_PIN_PREVIOUS_TOKENCODE

Message: Bad PIN ; but previous tokencode detected for token serial number “{16}” assigned to user “{0}” in security domain “{1}” from “{2}” identity source

Description: Authentication attempted

Problem: This error occurred due to any of the following circumstances:

  • The user forgot his or her PIN or is using a PIN that is correct for a different token.

  • Replication has failed, and the user’s PIN is not updated in the replica instance.

  • An unauthorized person possesses the token and is guessing PINs.

Resolution: Do the following:

  1. Check the replication status. See Check Replication Status.

  2. If the replication status does not display an error, confirm that the serial number on the back of the token matches the token assigned to the user in the User Dashboard. If the serial numbers match, clear the PIN.

    1. In the Security Console, go to the Home page.

    2. Use Quick Search to find the user.

    3. Select the user whose token you need to verify.

    4. Under Assigned SecurID Tokens, view the token serial number.

    5. If the serial number matches, you need to clear the PIN.

    6. Under Assigned SecurID Tokens, select the token with the PIN that needs to be cleared.

    7. Click Clear PIN.

  3. Require the user to change the PIN. For instructions, see Require Users to Change Their RSA SecurID PINs.

  4. Open the Authentication Activity Monitor and instruct the user to authenticate. You can see whether the user has authenticated.
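
The following is an added example, not part of the RSA documentation: it turns the 23071, 23072 and 23073 message templates above into parsers and groups failures per token serial number, so that repeated bad-PIN events on one token stand out. The log line layout (action ID, a tab, then the rendered message), the threshold and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message templates as printed on this page ({N} is a positional placeholder).
_TAIL = (" detected for token serial number “{16}” assigned to user “{0}”"
         " in security domain “{1}” from “{2}” identity source")
TEMPLATES = {
    "23071": "Bad tokencode ; but good PIN" + _TAIL,
    "23072": "Bad PIN ; but good tokencode" + _TAIL,
    "23073": "Bad PIN ; but previous tokencode" + _TAIL,
}
# Placeholder meaning, read off the wording around each {N} in the templates.
FIELDS = {"0": "user", "1": "security_domain", "2": "identity_source", "16": "token_serial"}
# First resolution step the page gives for each action ID.
FIRST_CHECK = {
    "23071": "verify the user is using the assigned token, then resynchronize",
    "23072": "confirm the user still possesses the assigned token",
    "23073": "check replication status, then compare token serial numbers",
}
PIN_GUESS_IDS = {"23072", "23073"}  # the page links both to PIN guessing
PIN_GUESS_THRESHOLD = 3             # assumption: align with your lockout policy


def template_to_regex(template):
    """Build a regex with one named group per {N} placeholder."""
    out = []
    for i, piece in enumerate(re.split(r"\{(\d+)\}", template)):
        if i % 2:  # odd entries are the captured placeholder numbers
            out.append(f"(?P<{FIELDS[piece]}>[^”]*)")
        else:      # literal text; let spacing differ from the page's rendering
            out.append(r"\s*".join(re.escape(w) for w in piece.split(" ")))
    return re.compile("".join(out))

PATTERNS = {aid: template_to_regex(t) for aid, t in TEMPLATES.items()}


def parse_event(line):
    """Parse 'ACTION_ID<TAB>message' (assumed layout); None if not handled."""
    action_id, _, message = line.partition("\t")
    pattern = PATTERNS.get(action_id.strip())
    match = pattern.fullmatch(message.strip()) if pattern else None
    return {"action_id": action_id.strip(), **match.groupdict()} if match else None


def triage(lines):
    """Group failures by token serial and flag repeated bad-PIN events."""
    per_token, owner = defaultdict(Counter), {}
    for event in filter(None, map(parse_event, lines)):
        per_token[event["token_serial"]][event["action_id"]] += 1
        owner[event["token_serial"]] = event["user"]
    findings = []
    for serial, counts in sorted(per_token.items()):
        bad_pin = sum(counts[a] for a in PIN_GUESS_IDS)
        findings.append({"token_serial": serial, "user": owner[serial],
                         "counts": dict(counts),
                         "possible_pin_guessing": bad_pin >= PIN_GUESS_THRESHOLD,
                         "first_checks": [FIRST_CHECK[a] for a in sorted(counts)]})
    return findings


def _line(action_id, serial, user):
    """Render a template into a constructed (made-up) sample log line."""
    values = {"16": serial, "0": user, "1": "SystemDomain", "2": "Internal DB"}
    message = re.sub(r"\{(\d+)\}", lambda m: values[m.group(1)], TEMPLATES[action_id])
    return f"{action_id}\t{message}"

SAMPLE = [_line(*row) for row in (
    ("23072", "000100000001", "jdoe"), ("23073", "000100000001", "jdoe"),
    ("23072", "000100000001", "jdoe"), ("23071", "000100000002", "asmith"),
)] + ["13003\tconstructed lockout line, not handled by this parser"]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A flagged token is a prompt to run the resolution steps above for 23072 and 23073, starting with confirming that the user still possesses the assigned token.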

23080 - AUTH_AGENT_DOESNT_ACCEPT_SECURID

Message: Received a SecurID credential ; which the agent is configured to not accept. Agent “{3}” with IP address “{4}” in security domain “{5}”

Description: SecurID credential type not accepted

Problem: An agent attempted to submit a SecurID passcode. The agent is configured to handle users who are enrolled in risk-based authentication (RBA), but it is not configured to authenticate a SecurID passcode.

Resolution: Ensure that the agent is configured correctly:

  1. In the Security Console, click Setup > System Settings.

  2. Under Authentication Settings, click Agents.

  3. Verify that the authentication settings are correct.

  • If the agent is to be used for SecurID authentications, configure the agent to be used for a normal passcode.

  • If the agent is to be used for RBA, configure the agent to redirect to the RBA server.

23089 - TR_R_VIA_PRINCIPAL_NOT_DISCOVERED

Message: The user “{0}” could not be discovered in the RSA SecurID Access trusted realm

Description: Discover the user

Problem: The RSA SecurID Access user was not found. This message can indicate that more than one RSA SecurID Access user has the same User ID in the RSA SecurID Access trusted realm. The message might indicate a network or system-level issue, with an unexpected return code, such as HTTP status code 404 “Page Not Found” or HTTP status code 500 “Internal Server Error.”

Resolution: Contact your RSA SecurID Access administrator.

23090 - TR_R_VIA_OTP_VERIFICATION_FAIL

Message: Authenticator Tokencode verification failed for the user with login id “<user_ id>.”

Description: Verify RSA SecurID Authenticate Tokencode

Problem: Authenticator Tokencode verification failed in the RSA SecurID Access trusted realm. The message might indicate a network or system-level issue, with an unexpected return code, such as HTTP status code 404 “Page Not Found” or HTTP status code 500 “Internal Server Error.”

Resolution: If the message is not caused by a network or system-level issue, the user should try to authenticate again using an RSA SecurID Authenticate Tokencode. If the user still cannot authenticate with this method, contact your RSA SecurID Access administrator.

23091 - TR_R_VIA_OTP_NODE_SECRET_UNAVAILABLE

Message: Verifying the node secret for the agent “{3}” with IP address “{4}” in security domain “{5}”

Description: Agent node secret verification

Problem: The node secret is not set for this agent. A new agent might not have a node secret, or the node secret might have been cleared on both the agent and the Authentication Manager instance.

Resolution: Either configure the node secret for this agent manually or complete at least one successful Authentication Manager user authentication. For information about creating the node secret file, see Manage the Node Secret.

26011 - PROCESS_REFERENTIAL_INTEGRITY_MESSAGES

Message: Administrator “{0}” attempted to process referential integrity message

Description: Process Referential Integrity Message

Problem: An error occurred while promoting a replica instance to a primary instance.

Resolution: Confirm that the replica promotion has completed successfully. Do not start the servers before this process is complete. For more information, see Promote a Replica Instance for Disaster Recovery and Promote a Replica Instance Using Promotion for Maintenance.

26041 - ADJUDICATOR_CLOCK_SETBACK

Message: Detected clock setback ; current:“{3}” expected:“{4}”

Description: Clock Setback Detected

Problem: If the time difference is less than plus or minus one minute, the Authentication Manager system clock may not be synchronized with the Network Time Protocol (NTP) Server. If the time difference is more than plus or minus one minute, contact RSA Customer Support.

Resolution: Do the following:

  1. Verify that the NTP server is correct and stable.

  2. Make sure the Authentication Manager server is synchronized with the NTP server. For instructions on how to specify the date and time settings, see Update System Date and Time Settings.

  3. Do not set the system clock of the Authentication Manager server back in time. This is a potential security issue as it can cause expired tokencodes to be used.

 

 

 

 

 
