|Applies To||RSA Product Set: RSA Identity Governance and Lifecycle|
RSA Version/Condition: 6.9.1 P16, 6.9.1 P17, 7.0.0 P04, 7.0.1
|Issue||After upgrading to 6.9.1 P16, 6.9.1 P17, 7.0.0 P04 or 7.0.1, authentication fails with the following error, although the username and password used are correct:|
Invalid Login credentials
This issue occurs if the authentication sources use Aveksa Data Collector (ADC) and the AccountSearchAttribute is different than the distinguishedName.
The error in the aveksaServer.log always says that the account is orphaned, even though the account is not orphaned and there are no duplicate accounts in the system.
A defect introduced in the product in the affected versions causes the authentication to incorrectly attempt to map the Identity Governance & Lifecycle user to the AD account using the distinguishedName attribute. The distinguishedName collected for the ADC will not map with the authentication source's user account and will always fail. The Test Authentication does a simple bind with the AD server and searches for the user with the UserSearchAttribute. The user account mapping does not play a role here, hence it passes.
|Resolution||This is a bug fixed in 6.9.1 P19 and 7.0.1 P02. Deploy the patches to resolve the issue.|
|Workaround||As a workaround, having the associated collector attribute AccountId configured with samAccountName and not configuring the authentication source parameter AuthAccountAttribute, will result in a successful authentication. This will cause the authentication source to accept the default value for AuthAccountAttribute as it is not mandatory, which is the NameInNamespace (DN) and will evaluate the user to be authenticated against the collected accounts successfully.|