000036650 - User ID does not have the correct service account role error when trying to authenticate using an RSA Authentication Manager Integration Service (AMIS) service account with the amServiceHarness-tool

Document created by RSA Customer Support Employee on Oct 1, 2018
Version 1

Article Content

Article Number: 000036650
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS)
Issue: The following error displays in ../rsa/logs/amisam8.log when the amServiceHarness tool authenticates with the AMIS service account:

INFO ,==DC== driver created in 131ms
INFO ,~[_internal-}~Begin session context: User id: $internal$
DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.:  UserID: amis-service
Cause: The AMIS service account is not a member of any of the service account roles defined by default in the am8-config.xml file. The <roles> element lists the administrative role names AMIS accepts, and the account must hold at least one of them:

<serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
    <roles>service-accountrole1,service-accountrole2</roles>
</serviceAccount>
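Before changing anything in the Security Console, it helps to confirm from the evidence which user was rejected and which role names AMIS will accept. The following Python script is an added example, not RSA's code and not shipped with AMIS: it pulls the rejected user ID out of the amisam8.log warning and the acceptable role names out of the <serviceAccount><roles> element, and flags the case where amis-bind was wrongly used as the service account. The sample log lines are the ones quoted in this article, and the <config> root wrapped around the serviceAccount element is an assumption made so the fragment parses on its own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the WARN line quoted in this article plus two
# neighbouring lines, to show that only the role-membership failure is picked up.
SAMPLE_LOG = """\
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.:  UserID: amis-service
"""

# Constructed sample input: the default <serviceAccount> element from am8-config.xml.
# The surrounding <config> root is an assumption so the fragment parses stand-alone.
SAMPLE_CONFIG = """\
<config>
  <serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
    <roles>service-accountrole1,service-accountrole2</roles>
  </serviceAccount>
</config>
"""

# Matches the AMIS warning and captures the rejected user ID.
ROLE_WARN = re.compile(
    r"^WARN\s*,.*does not have the correct service account role.*?UserID:\s*(?P<user>\S+)"
)

# Account that must never be used as the service account (see Notes).
BIND_ACCOUNT = "amis-bind"


def rejected_service_accounts(log_text):
    """Return, in order of first appearance, the user IDs AMIS rejected for lacking a service account role."""
    users = []
    for line in log_text.splitlines():
        m = ROLE_WARN.search(line)
        if m and m.group("user") not in users:
            users.append(m.group("user"))
    return users


def accepted_roles(config_xml):
    """Return the role names listed under <serviceAccount><roles> in am8-config.xml."""
    root = ET.fromstring(config_xml)
    roles = root.find(".//serviceAccount/roles")
    if roles is None or not roles.text:
        return []
    return [r.strip() for r in roles.text.split(",") if r.strip()]


def diagnose(log_text, config_xml):
    """Pair each rejected user with the fix this article prescribes."""
    roles = accepted_roles(config_xml)
    findings = []
    for user in rejected_service_accounts(log_text):
        if user == BIND_ACCOUNT:
            findings.append((user, "amis-bind is the AMIS bind account; use a separate user as the service account"))
        elif roles:
            findings.append((user, "assign an empty administrative role named one of: " + ", ".join(roles)))
        else:
            findings.append((user, "no roles listed in <serviceAccount><roles>; check am8-config.xml"))
    return findings


if __name__ == "__main__":
    for user, advice in diagnose(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"{user}: {advice}")
```

Run it against the real files by reading them into the two arguments of diagnose(); the role names it prints are the only names that will satisfy the AMIS membership check, so use one of them verbatim when creating the role in the Security Console.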
Resolution: Create a new, empty administrative role with no permissions and assign it to the service account. The role exists only to satisfy the AMIS membership check, so leave every permission unset:
  1. From the RSA Security Console, navigate to Administration > Administrative Roles > Add New
  2. In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role. 
  3. Under Administrative Scope, choose the service accounts domain. 
  4. Click Next to accept the name and domain scoping (with no changes).
  5. Click Next to accept General Permissions (with no changes).
  6. Click Next to accept Authentication Permissions (with no changes).
  7. Click Next to accept Self-Service Permissions (with no changes). 
  8. Click Save to complete the creation of the new role. 
  9. Go to Identity > Users > Manage Existing.
  10. Search for the amis-service account.
  11. Click the context arrow next to the user ID and choose Administrative Roles > Assign More.
  12. Search for service-accountrole1.
  13. Place a check next to the role and click Assign Role.
Notes
  • Do not use amis-bind as the service account. That account is used only by AMIS directly; the service account must be a different user.
  • Name the new administrative role either service-accountrole1 or service-accountrole2. Both names are listed in the <roles> element of am8-config.xml, and membership in either one satisfies the check.
  • You might need to restart the Tomcat service on the AMIS machine after applying this change:

service tomcat-amis restart