000013974 - Microsoft Integrated Windows Authentication (IWA) fails with 'no uid mapping' error in RSA Access Manager 6.1

Document created by RSA Customer Support Employee on Dec 30, 2017

Article Content

Article Number: 000013974
Applies To:
RSA Product Set: Access Manager
RSA Product/Service Type: RSA Access Manager Agent 4.8 for IIS 6.0
RSA Version: 6.1
Platform: Microsoft Integrated Windows Authentication (IWA)

Issue: IWA authentication fails with "no uid mapping" error.
ct_agent.log file shows the following error:

2011-10-05 07:44:17 -0400 - [14312] - <Warning> - Agent not enabled for this virtual host
2011-10-05 07:44:17 -0400 - [428] - <Debug> - value_in_map=(null)
2011-10-05 07:44:17 -0400 - [428] - <Critical> - No uid mapping for user user1@supportlab.com at CT_WINDOWS_UPN
2011-10-05 07:44:17 -0400 - [428] - <Warning> - Failed to obtain user mapping
2011-10-05 07:44:17 -0400 - [428] - <Warning> - IWA authentication, No CT uid is available in uid mapping for user :supportlab\\user1, Status is CT_COOKIE_ERROR


SunOne LDAP log shows the following error:

[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - SRCH base="ou=axm,dc=rsa.com" scope=2 filter="(&(objectClass=inetOrgPerson)(upsUserPrincipalName=user1@supportlab.com))" attrs="uid UserPrincipalName"
[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - RESULT err=11 tag=101 nentries=0 etime=0 notes=U


Cause: LDAP error code 11 means "admin limit exceeded". This error may occur when a particular LDAP query produces an intermediate result set that exceeds an internal limit of the directory server. The limiting resource may differ between LDAP servers, and the failure may be intermittent depending on the nature of the query. When Access Manager performs IWA authentication it must search through all users looking for a matching UPN value; this search can be very expensive depending on the number of users in the datastore. The notes=U flag on the RESULT line in the directory access log above indicates that the search ran unindexed.
Resolution: Ensure that an LDAP index is created for the user attribute used to map the Windows UPN. The attribute used for this lookup is defined in the ldap.conf file with the following parameter:

cleartrust.data.ldap.user.attributemap.windowsupn              :userPrincipalName

By default this value is set to userPrincipalName, which typically already has an index in most LDAP stores; if a custom attribute is used here, you may need to add an index manually.
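As an added example (not part of the RSA article), the following Python script correlates the SRCH and RESULT pairs in a Sun ONE access log by conn/op, flags searches that ended with err=11 or were marked notes=U, and cross-checks the filter attribute against the windowsupn mapping in ldap.conf to confirm which attribute needs an index. The sample log lines and the custom attribute name upsUserPrincipalName in the ldap.conf fragment are constructed for the demonstration.

```python
import re

# Constructed Sun ONE access-log sample modelled on the article's entries (not from a live server).
SAMPLE_ACCESS_LOG = """\
[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - SRCH base="ou=axm,dc=rsa.com" scope=2 filter="(&(objectClass=inetOrgPerson)(upsUserPrincipalName=user1@supportlab.com))" attrs="uid UserPrincipalName"
[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - RESULT err=11 tag=101 nentries=0 etime=0 notes=U
[05/Oct/2011:07:45:02 -0400] conn=980038 op=12 msgId=13 - SRCH base="ou=axm,dc=rsa.com" scope=2 filter="(uid=user2)" attrs="uid"
[05/Oct/2011:07:45:02 -0400] conn=980038 op=12 msgId=13 - RESULT err=0 tag=101 nentries=1 etime=0
"""
# Constructed ldap.conf fragment; the custom attribute name is hypothetical.
SAMPLE_LDAP_CONF = "cleartrust.data.ldap.user.attributemap.windowsupn              :upsUserPrincipalName\n"

ADMIN_LIMIT_EXCEEDED = 11  # LDAP result code "admin limit exceeded"
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) .*? - SRCH .*?filter="(.*?)" ')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) .*? - RESULT err=(\d+)')
ATTR_RE = re.compile(r'\((\w+)[=~<>]')  # attribute name opening each (attr=value) term
CONF_RE = re.compile(r'^\s*cleartrust\.data\.ldap\.user\.attributemap\.windowsupn\s*:\s*(\S+)', re.M)

def find_unindexed_searches(log_text):
    """Pair SRCH/RESULT lines by (conn, op) and return the searches that ended
    with err=11 or were flagged notes=U (unindexed), with their filter attributes."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        filt = pending.pop((m.group(1), m.group(2)), None)
        err, unindexed = int(m.group(3)), "notes=U" in line
        if filt is not None and (err == ADMIN_LIMIT_EXCEEDED or unindexed):
            attrs = [a for a in ATTR_RE.findall(filt) if a.lower() != "objectclass"]
            findings.append({"conn": m.group(1), "op": m.group(2), "err": err,
                             "unindexed": unindexed, "filter": filt, "attributes": attrs})
    return findings

def mapped_upn_attribute(ldap_conf_text):
    """Attribute that ldap.conf maps the Windows UPN to, or None if not configured."""
    m = CONF_RE.search(ldap_conf_text)
    return m.group(1) if m else None

def attributes_needing_index(log_text, ldap_conf_text):
    """Filter attributes from failing searches that equal the configured UPN mapping."""
    upn_attr = (mapped_upn_attribute(ldap_conf_text) or "").lower()
    hits = {a for f in find_unindexed_searches(log_text) for a in f["attributes"]}
    return sorted(a for a in hits if a.lower() == upn_attr)
```

Run it against the real access log and ldap.conf; an attribute returned by attributes_needing_index is the one to index on the directory server.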
Legacy Article ID: a56166