|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS)
|Issue||The following error displays in the ../rsa/logs/amisam8.log:|
INFO ,==DC== driver created in 131ms
INFO ,~[_internal-}~Begin session context: User id: $internal$
DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.: UserID: amis-service
|Cause||The AMIS service account is not a member of the service account role that is defined by default in the am8-config.xml file:|
<serviceAccount passwordDuration="25" durationWindow="5"storageAttribute="serviceAccountPolicy">
|Resolution||Create a new empty administrative role with no real privileges and assign it to the service account:|
- From the RSA Security Console, navigate to Administration > Administrative Roles > Add New.
- In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role.
- Under Administrative Scope, choose the service accounts domain.
- Click Next to accept the name and domain scoping (with no changes).
- Click Next to accept General Permissions (with no changes).
- Click Next to accept Authentication Permissions (with no changes).
- Click Next to accept Self-Service Permissions (with no changes).
- Click Save to complete the creation of the new role.
- Go to Identity > Users > Manage Existing.
- Search for the amis-service account.
- Click on the context arrow next to the user ID and choose Administrative Roles > Assign More.
- Search for service-accountrole1.
- Place a check next to the role and click Assign Role.
- The service account should never be amis-bind, it's only used with AMIS directly and service account has to be a different one.
- You either create the administrative role name service-accountrole1 or service-accountrole2.
- You might need to restart tthe Tomcat service on the AMIS machine, after applying this change:
service tomcat-amis restart