Error: Failed to connect to Identity Router, RSA SecurID Access Authenticate app tokencodes fail with an RSA Authentication Manager protected resource
Originally Published: 2019-08-14
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 4
Issue
Attempting to authenticate to an Authentication Manager protected resource using an Authenticate App tokencode results in an authentication failure.
The following error is shown in the: Security Console > Reporting > Real-time Activity Monitors > System Activity Monitor:
Error: Failed to connect to Identity Router
Cause
- Authentication Manager is connected to the Cloud Authentication Service by setting up the configuration under: Security Console > Home > Connect to the Cloud Authentication Service.
- Authentication Manager is also configured to send the Authenticate tokencodes to the Cloud Authentication Service through the identity router(s) under: Operations Console > Deployment Configuration > RSA SecurID Authenticate App.
- Authentication Manager is no longer able to successfully communicate with an identity router as needed for the configuration of (2) above. This can be verified by using the Test Connection button on the Operations Console > Deployment Configuration > RSA SecurID Authenticate App page. (If there are any replica Authentication Manager servers in the environment, the connection should also be tested from each replica's Operations Console to verify the connection to the identity router(s) from that particular Authentication Manager instance.)
Resolution
Solution 1: Disable the configuration that allows Authenticate app tokencodes to be sent from the Authentication Manager to the Cloud Authentication Service through the identity router(s). This can be done by going to: Operations Console > Deployment Configuration > RSA SecurID Authenticate App and unchecking the "Allow authentication using Authenticate Tokencodes" option. Then save these settings.
With this option disabled, the Authenticate tokencodes will no longer attempt to be sent to the Cloud Authentication Service through the identity router(s) but will instead be sent using Authentication Manager's direct connection to the Cloud Authentication Service.
Solution 2: Resolve the connection issue between the Authentication Manager server(s) and identity router(s) to allow the Authenticate tokencodes to be sent to the Cloud Authentication Service through the identity router(s).
Related Articles
Error: Principal does not possess one or more authenticators when using RSA SecurID Access Authenticate app tokencode with… Number of Views How to connect to SQL in RSA Authentication Manager 8.x Number of Views RSA Identity Governance and Lifecycle SSL connectivity fails and throws 'Certificates does not conform to algorithm constr… Number of Views REMINDER: Mandatory Time-Bound Upgrade Required for RSA Authentication Manager and RSA Authenticate App/RSA Authenticator … Number of Views How to capture enhanced RSA Authenticator app logs for troubleshooting purposes Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
Don't see what you're looking for?
