000035549 - How to troubleshoot RSA SecurID Access identity source errors

Document created by RSA Customer Support Employee on Sep 26, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035549
Applies ToRSA Product Set: SecurID Access
IssueDuring synchronization, authentication or single-sign on, the RSA SecurID Access Identity Router (IDR) will connect to the identity source, which is an LDAP directory server (LDAPv3 or Microsoft Active Directory).  If the IDR is unable to connect, then the interaction with the LDAP server will fail and the error will be reported in the IDR's log.
Troubleshooting should include examining the IDR's system log, also known as the symplified.log.  This can be done as follows:
The file can be viewed in a text editor.  To check for directory server issues, search the file for LDAPExceptionerrors.
CauseLDAPException errors are logged by the IDR when the directory server sends a negative response back to the IDR, indicating it cannot complete the request.  The directory server will also send error codes back to the IDR, which indicate the cause of the problem.  These error codes are included by the IDR in the LDAPException event.
ResolutionTo understand the cause of an LDAPException error, it is important to research the error codes that are included in the event message.  An example of a typical LDAPException event is:

2017-09-12/23:53:24.720/UTC [pool-13-thread-7] ERROR com.rsa.aae.internal.identity.ldap.LDAPIdentitySourceConnectionManager[139] - Failed to pre-authenticate a LDAP connection using the store credentials : 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 532, v2580
LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 532, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 532, v2580')

The main parts of the LDAPException event message are:
  • The event message header, which includes the UTC date/time of the event, the word ERROR and IDR context information.
  • A short text description after the header, which gives the effect of the exception on the authentication attempt.  In this case 'Failed to pre-authenticate a LDAP connection using the store credentials' means that the IDR could not login to the directory server using the administrator credentials configured in the Cloud Administration Console for the Identity Source.
  • LDAPException, followed by all the details about the error between parentheses, that the IDR received from the directory server.
  • resultCode is an LDAP exception number, defined in the LDAP standard  RFC 4511 section '4.1.9 Result Message' which gives the cause of the exception.  In the above example, '49' means 'invalidCredentials' which is indicated immediately after the code.
  • errorMessage and diagnosticMessage are strings between single quotes that were sent by the directory server in the LDAP response to the IDR.  They provide detailed cause information.  Refer to your directory server's product documentation or vendor for the meaning of the errorMessage and diagnosticMessage strings.  An Internet search could also be helpful.   In the above example, the directory server is Microsoft Active Directory and 'data 532' is a Microsoft code indicating that the password has expired (in this case, the administrator password).
NotesInformation about configuring Identity Sources for the Cloud Authentication Service is in the online help page Add an Identity Source for the Cloud Authentication Service.   Regarding administrator password expiry it says 'The password must not expire. If the password expires, no user will be able to authenticate to the application portal until the password is reset.'