Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000036650 - User ID does not have the correct service account role error when trying to authenticate using an RSA Authentication Manager Integration Service (AMIS) service account with the amServiceHarness-tool

Document created by RSA Customer Support

on Oct 1, 2018

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000036650
Applies To	RSA Product Set: SecurID RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS)
Issue	The following error displays in the ../rsa/logs/amisam8.log: INFO ,==DC== driver created in 131ms INFO ,~[_internal-}~Begin session context: User id: $internal$ DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5 INFO ,~[_internal-}~Service account authentication for user: amis-service DEBUG,~[_internal-}~registered users flag: false WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.: UserID: amis-service
Cause	The AMIS service account is not a member of the service account role that is defined by default in the am8-config.xml file: <serviceAccount passwordDuration="25" durationWindow="5"storageAttribute="serviceAccountPolicy"> <roles>service-accountrole1,service-accountrole2</roles> </serviceAccount>
Resolution	Create a new empty administrative role with no real privileges and assign it to the service account: From the RSA Security Console, navigate to Administration > Administrative Roles > Add New. In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role. Under Administrative Scope, choose the service accounts domain. Click Next to accept the name and domain scoping (with no changes). Click Next to accept General Permissions (with no changes). Click Next to accept Authentication Permissions (with no changes). Click Next to accept Self-Service Permissions (with no changes). Click Save to complete the creation of the new role. Go to Identity > Users > Manage Existing. Search for the amis-service account. Click on the context arrow next to the user ID and choose Administrative Roles > Assign More. Search for service-accountrole1. Place a check next to the role and click Assign Role.
Notes	The service account should never be amis-bind, it's only used with AMIS directly and service account has to be a different one. You either create the administrative role name service-accountrole1 or service-accountrole2. You might need to restart tthe Tomcat service on the AMIS machine, after applying this change: service tomcat-amis restart

Attachments

Outcomes

0 Comments

Recommended Content