Error: Unable to perform pre-login process when trying to login to RSA Authentication Manager 8.x Web Tier Self Service Console
4 years ago
Originally Published: 2019-11-18
Article Number
000043647
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type: Authentication Manager, Webtier
RSA Version/Condition:  8.x
Issue
This article explains and provides a solution for issues which are seen when trying to connect to the RSA web tier from the internet. The requests to the web tier are being routed through a load balancer; in this case, Azure App Gateway.

The Authentication Manager server was unable to identify the incoming requests though the the backend instance IP addresses of the Azure App Gateway added under the Virtual Host load balancer page in the Operations Console.
  • On the side of the end user who is trying to access the web tier console from the internet to login, the following error is seen:
Sorry, your request cannot be processed at this time       

User-added image
  • In the /opt./rsa/am/server/ImsTrace.log collected from the Authentication Manager server the following errors are registered:
ERROR	16042	Execute command	Administrator “SYSTEM” attempted to execute command “com.rsa.ims.sso.service.CheckAccessCommand”	Failure	Unexpected exception caught	SYSTEM
UNEXPECTED_EXCEPTION	Webtier.selfservice.com		XX.XX,XX.XX	system.com.rsa.command.CommandServerEngine	com.rsa.ims.sso.service.CheckAccessCommand
com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
  • On the Authentication Manager server System Activity Report (Reporting > Reports > Add New or Manage Existing), the following errors are shown:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERRORcom.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by:
com.rsa.common.SystemException: Unable to perform pre-Login process... Caused by: java.net.UnknownHostException: XX.XX.XX.XX:XXXX: invalid IPv6 address at
java.net.InetAddress.getAllByName(InetAddress.java:1170) at java.net.InetAddress.getAllByName(InetAddress.java:1127) at java.net.InetAddress.getByName(InetAddress.java:1077) at
com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:160) at com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:280)
Cause
The error seems to be an issue with the X-forward related configuration on the load balancer. 

The RSA Authentication Manager Server does not expect that the request from the firewall will be sent in the format <IP Address>:<Port> in the header; rather it expects the request contain only the IP address, that is <IP Address>
 
Resolution
To resolve the issue, remove x-forwarded-for header which is a comma-separated list of IP:port from the load balancer configuration.

For more information please refer to the section entitled "Modifications to the request" in the article from Microsoft on How an Azure application gateway works.
Notes

 

Related Articles

Trending Articles

Don't see what you're looking for?