000029015 - Why an IP address override can fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays

Document created by RSA Customer Support Employee on Sep 6, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000029015
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x
IssueAuthentication to a specific agent is failing.  On the  agent side, "Error 13002" may display for a WIndows agent.  
In the authentication activity log, the message is> authentication method failed.

DescriptionUser “<user ID>" attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “<security domain>”
Action Result Key:Failure
Result:Authentication method failed

CauseThis is a classic SecurID problem, compounded by RSA terminology that is less than intuitive.  You have not successfully authenticated from this agent yet, which means the node secret (symmetric encryption key) used between the agent and the Authentication Manager server has not yet been created. To correct the issue,
  1. Launch the Security Console.
  2. Navigate to Access >  Authentication Agents > Manage Existing.  
Navigate to Agent Node Secret on AM server

  1. From the context menu for the agent in question, select Manage Node Secret.
Clear - Node Secret exists

Before the node secret is created, the initial encryption algorithm uses the agent's IP address to complete the authentication request.  The agent encrypts the request with its primary IP address, usually its main IP, but never its NATed IP because it has no idea what that is.  However, we have seen plenty of instances where a secondary IP was used, either from a second NIC, or wireless or sometimes the management IP for VPN type devices.  The problem arises when the Authentication Manager server tries to decrypt the authentication request.  It decrypts using the primary IP address as defined in the agent host record.  See below, where is the real IP address of the agent and is the NATted IP address of the agent in all packets arriving at the Authentication Manager server.

Agent IP addresses

The less than clearly named IP address override forces the agent to encrypt with a specific IP address, not allowing the agent to choose its own primary IP for RSA encryption.
  1. Enter the real IP address, in our example it is, as the IP Address Override on the agent in the RSA Control Center, to match the real IP on the agent host entry on the Authentication  Manager server.
Control Center

  1. Or use an sdopts.rec text file placed in the same directory as the sdconf.rec file, with an entry like this:
NotesThe output of the/opt/rsa/am/server/logs/imsTrace.log with log level set to verbose:
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, 
DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>,
principalId=<UserID>,usingTransientSession=true,desiredPolicyGuid=<null>,session=[SessionImpl id=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC
creationTime=1415243481202 principal=null],identitySourceGuid=<null>,principalGuid=<null>,authenticationPolicy=<null>,directRequest=true,
userID='jdoe', firstName='John', middleName='null', lastName='Doe', email='null', beginDate=null, inactiveDate=null, lastLogin=
Wed Nov 05 18:36:02 UTC 2014, certDN='', description='null', password='*****', enabled=true, identitySource=000000000000000000001000d0011000,
securityDomain=f635a137649d658e1c695fcc81207ce9, identitySourceKey='cfbb6e4b649d658e1b9716a998c953a4', rowVersion=294, lastUpdatedBy='admin',
lastUpdatedOn=Thu Oct 30 19:24:45 UTC 2014, startDate=Fri Oct 17 16:22:00 UTC 2014, expirationDate=null, registrationFlag=true, impersonatableFlag=false, ]
impersonatorFlag=false, failPasswordCount=0, failPasswordDate=null, changePasswordFlag=true, changePasswordDate=Fri Oct 17 16:23:32 UTC 2014, lockoutFlag=false,
expireLockoutDate=null, attributes=null, authenticators=[ 0, 3 ], administrator=false, securityQuestionsAnswers=null, securityQuestionsRequiredAuthn=3,
securityQuestionsRequiredReg=5, securityQuestionsLocaleLanguage=null, securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null,
firstRBAuthenticationDate=null, lastUsedSecondaryAuth=-1},agentDetails=Agent [ID: 068e2d24649d658e1b0a1afe3147c7ba, name: <agent name>, address:,
type: 7, security domain ID: f635a137649d658e1c695fcc81207ce9],userDetails=<null>,authnPolicyDetails=<null>,credentialValidation=false,message=<null>,
[ObjectParameter[promptKey=SecurID_WpCodes,value=,masked=false,helpObject=<null>], ObjectParameter[promptKey=SecurID_AuthenticationMode,value=100,