000036224 - Authentication error occurs when additional authentication is required for RSA SecurID Access application portal or a protected application

Document created by RSA Customer Support Employee on Apr 7, 2018. Last modified by RSA Customer Support Employee on Nov 14, 2018.
Version 2

Article Content

Article Number: 000036224
Applies To: RSA Product Set: SecurID Access

Issue

When attempting to access the IDR-hosted application portal with additional authentication required (or an application in the portal that requires additional authentication) the following error occurs:
 
Authentication error



The /var/log/symplified/symplified.log includes a message like:
 
2018-04-05/18:50:20.627/UTC [ajp-bio-8009-exec-7] WARN com.symplified.service.appliance.cloudmfa.CloudMFAUtils[37] - Failed strong authentication: AUTHN_ATTEMPT_ID_NOT_FOUND
 

The User Event Monitor shows an authentication failure with Authentication Details AUTHN_ATTEMPT_ID_NOT_FOUND.
Cause

Possible causes are:
  • The user is in an associated LDAP identity source but has not been synchronized to the Cloud yet.
  • The user has been synchronized to the Cloud but a step-up authentication is required and the user is not registered for any of the allowed step-up authentication options.
  • Two users in different identity sources are synchronized to the Cloud with the same user ID.  A step-up authentication is required and at least one of the two users is not registered for any of the allowed step-up authentication options.
Resolution

First, use the Cloud Administration Console's User > Management page or run User Reports to check user status, the devices registered to a user, and duplicate user IDs. This will allow you to determine which possible cause applies.

Next, take the appropriate step below, depending on the cause of the issue, to ensure the user is correctly synchronized to the Cloud.
  • The user is in an associated LDAP identity source but has not been synced to the Cloud yet.

Follow the steps in Manually Synchronize an Identity Source for the Cloud Authentication Service to create a record of the user in the SecurID Access cloud service.


  • The user has been synced to the Cloud but a step-up authentication is required and the user is not registered for any of the allowed step-up authentication options.

Ensure that the user has a device registered to perform the required additional authentication.  For example, see RSA SecurID Authenticate Device Registration Overview if approve (push notification) or authenticate tokencodes are allowable authentication methods.


  • Two users in different identity sources are synchronized to the Cloud with the same user ID.  A step-up authentication is required and at least one of the two users is not registered for any of the allowed step-up authentication options.




Lastly, ensure that the user has the ability to perform the required additional authentication.  For example, see RSA SecurID Authenticate Device Registration Overview if approve (push notification) or authenticate tokencodes are allowable authentication methods, or ensure the user's correct telephone is registered for SMS or Voice Token Code authentication.
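
The triage described in the Resolution steps, as an added example that is not part of the original article or of RSA's tooling: it applies the three possible causes to a constructed user report. The CSV column names, the sample users and the method labels are assumptions made for this example, not the actual report format.

```python
import csv
import io

# Constructed sample standing in for a user report export. The column names
# and method labels are assumptions, not the real RSA report layout.
SAMPLE_REPORT = """user_id,identity_source,synced,registered_methods
jdoe,AD-Corp,yes,approve;tokencode
asmith,AD-Corp,yes,
bking,AD-Corp,yes,sms
bking,LDAP-Partners,yes,
cwu,AD-Corp,no,
"""


def load_report(text):
    """Group report rows by user ID so duplicates across sources are visible."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m for m in row["registered_methods"].split(";") if m}
        users.setdefault(row["user_id"].strip(), []).append({
            "source": row["identity_source"].strip(),
            "synced": row["synced"].strip().lower() == "yes",
            "methods": methods,
        })
    return users


def triage(users, user_id, allowed_methods):
    """Return which of the article's three causes fits user_id."""
    allowed = set(allowed_methods)
    records = [r for r in users.get(user_id, []) if r["synced"]]
    if not records:
        # Cause 1: no synchronized record of the user exists in the Cloud.
        return "not_synchronized"
    unregistered = [r for r in records if not (r["methods"] & allowed)]
    sources = {r["source"] for r in records}
    if len(sources) > 1 and unregistered:
        # Cause 3: same user ID in different identity sources, and at least
        # one of those users has none of the allowed step-up methods.
        return "duplicate_user_id_unregistered"
    if unregistered:
        # Cause 2: synchronized, but no allowed step-up method registered.
        return "no_allowed_stepup_method"
    return "no_cause_found"


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    for uid in ("jdoe", "asmith", "bking", "cwu"):
        print(uid, triage(report, uid, ["approve", "tokencode", "sms"]))
```
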
