Cloud Authentication user profile lockouts on RSA Authentication Manager for newly enabled Cloud users
Originally Published: 2021-06-10
Article Number
Applies To
Applies To
RSA Product Set: SecurIDRSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4, 8.5
Issue
User has an MFA registered on CAS, but no MFA token registration on Authentication Manager yet.
User fatfingers/submits an incorrect Authenticate token code, User Event Monitor captures two failure messages on Cloud Authentication Service for one unsuccessful identity router authentication attempt. These attempts are counted twice against the lockout count resulting in Cloud Authentication user profile lockouts on RSA Authentication Manager.
Resolution
This issue has been fixed with RSA Authentication Manager 8.5 P3 release. Upgrading RSA Authentication Manager
Workaround
- Unlock the user profile from Dashboard.
- A new configuration value allows you to specify the authentication agent name used by the identity router which is acting as an agent to Authentication Manager as described in Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service. The configuration value prevents the same agent from being counted twice. You must add the authentication agent name as specified in RSA Authentication Manager. Do the following:
- Launch an SSH client, such as PuTTy.
- Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to login.
- Navigate to /opt/rsa/am/utils.
- Run the following command line utility (CLU) to add the authentication agent name:
./rsautil store -a add_config auth_manager.cas.authentication.runtime.skip.agentnames "<Agent name>" GLOBAL STRING
login as: rsaadmin Using keyboard-interactive authentication. Password: Last login: Tue Jun 05 07:52:43 2021 from 192.168.20.100 RSA Authentication Manager Installation Directory: /opt/rsa/am rsaadmin@am85p:~> cd /opt/rsa/am/utils rsaadmin@am85p:/opt/rsa/am/utils> ./rsautil store -a add_config auth_manager.cas.authentication.runtime.skip.agentnames "cas2am" GLOBAL STRING Please enter OC Administrator username: ocadmin Please enter OC Administrator password: ******** psql.bin:/tmp/cd192016-7ab2-41c1-b001-0c012fe1a7873828816399055336931.sql:108: NOTICE: Added the new configuration parameter "auth_manager.cas.authentication.runtime.skip.agentnames" with the value "cas2am" add_config ------------ (1 row) rsaadmin@am85p:/opt/rsa/am/utils>
To update the authentication agent name, run the following command:
./rsautil store -a update_config auth_manager.cas.authentication.runtime.skip.agentnames "<Agent name>" GLOBAL STRING
- Change directories to /opt/rsa/am/server.
- Navigate to /opt/rsa/am/server and restart all RSA Authentication Manager services for the change to take effect. How to stop, start, and restart RSA Authentication Manager 8.x services at the command line
